04-09-2020 11:30 AM
I'm working on a project to get information from the Palo Altos and use it for an input to a SIEM. I'm able to run the below and get XML output.
curl -k 'https://<PAN>/api/?type=op&cmd=<show><system><info></info></system></show>&key=<KEY>'
I would prefer getting this in json so I tried &output-format=json after the key and get XML. I did some research and see that /api appears to be XML output only. Is this the case? If so, is there an alternate to get the same output but in json?
TIA,
Joe
04-09-2020 02:11 PM
Hello,
What information are you looking to get from the PANs to the SIEM?
Please advise,
04-09-2020 02:15 PM
The hostname, IP address, serial number, HA peer, and HA state. Both the PAN team and the team I am on are tired of asking them if there are any new devices that we need the SIEM to monitor the feed of. If I could get that from the API on a weekly basis I wouldn't have to ask them and manually update the csv file that the SIEM reads.
04-09-2020 02:17 PM
Hello,
So you are looking for new PANs on the network? Sounds like something for a monitoring tool and not a SIEM?
Please advise,
04-09-2020 02:26 PM
The SIEM monitors all the events from the PANs for correlating with other security appliances. The issue as a member of the SIEM team is keeping up with the changes the PAN team makes. That is why I'm looking for a way of getting a list of all the PANs. I can get it with
curl -k 'https://<PAN>/api/?type=op&cmd=<show><devices><connected></connected></devices></show>&key=<KEY>'
Unfortunately the response is XML and the software I work with prefers JSON. So either I have to convert from XML to JSON or find out if there is an alternative method of getting the information that outputs as JSON.
04-09-2020 02:43 PM
Hello,
Are you running that against the panorama? There should be logs that are generated when a new device connects. From there you should be able to generate an alert from the SIEM if that new IP is not being monitored.
Hope I understood you correctly.
Regards,
04-09-2020 02:48 PM
Hi,
Correct. I'm running this against the Panorama. What do the logs look like? I still would like an answer to my original question to do a sanity check on what is currently there, but I can use the log for future PANs.
Regards
04-09-2020 02:50 PM
Hello,
That is something I do not know. However it should be a 'system' log so you might be able to run a SIEM query against that type of log, check its contents and write an alarm/alert around it.
Regards,
04-09-2020 03:00 PM
So you're polling from a Panorama appliance then. Honestly this sounds far more like a process/people issue and not something I would solve like this, but whatever. The /api address will direct you to the XML API, so yes the output is XML.
There is a limited REST API available in 9.0 and above, but it's pretty limited in what it can do at the moment and can't do any sort of operational command.
You'll need to utilize the XML response at this time until the REST API gets to the point where it's fully functional or you fix your people/process problem.
04-09-2020 03:04 PM
@BPry Thanks. It isn't what I wanted to hear, but it is what it is. For now I will need to convert from XML to JSON in an external script.
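The external XML-to-JSON conversion step mentioned above, as an added example that is not code from the thread or from Palo Alto Networks. It parses a `show devices connected` response from Panorama and emits the five fields the SIEM team wants (hostname, IP, serial, HA state, HA peer) as JSON using only the Python standard library. The embedded XML is a constructed sample modelled on the response layout; the element names (`entry/hostname`, `ip-address`, `ha/state`, `ha/peer/serial`) are an assumption to check against a real response. The hostname and API key are read from the hypothetical environment variables `PANORAMA_HOST` and `PAN_API_KEY`; when they are unset the script runs against the sample so it works offline. Two changes from the curl one-liners in the thread: the key is sent in the `X-PAN-KEY` header rather than the query string (so it does not end up in shell history or proxy logs), and TLS is verified instead of using `-k`.

```python
"""Convert a PAN-OS XML API 'show devices connected' reply into JSON for a SIEM feed.

Added example, not code from the thread. Assumes a Panorama at PANORAMA_HOST and an
API key in PAN_API_KEY (both hypothetical environment variable names).
"""
import json
import os
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample modelled on the <show><devices><connected/></devices></show>
# response layout. Element names are an assumption; verify against a real reply.
SAMPLE_XML = """<response status="success"><result>
<devices>
  <entry name="0123456789">
    <serial>0123456789</serial>
    <connected>yes</connected>
    <hostname>fw-edge-01</hostname>
    <ip-address>10.0.0.11</ip-address>
    <ha><state>active</state><peer><serial>0123456790</serial></peer></ha>
  </entry>
  <entry name="0123456790">
    <serial>0123456790</serial>
    <connected>yes</connected>
    <hostname>fw-edge-02</hostname>
    <ip-address>10.0.0.12</ip-address>
    <ha><state>passive</state><peer><serial>0123456789</serial></peer></ha>
  </entry>
  <entry name="0123456799">
    <serial>0123456799</serial>
    <connected>yes</connected>
    <hostname>fw-lab-01</hostname>
    <ip-address>10.0.9.5</ip-address>
  </entry>
</devices></result></response>"""

# JSON key -> ElementPath relative to each <entry>. Standalone firewalls have no <ha>
# block, so those two fields come back as null rather than raising.
FIELDS = {
    "hostname": "hostname",
    "ip_address": "ip-address",
    "serial": "serial",
    "ha_state": "ha/state",
    "ha_peer": "ha/peer/serial",
}


def parse_devices(xml_text):
    """Return one dict per connected device, or raise if the API reported an error."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        # Error replies carry the reason in <msg> (sometimes nested in <line>).
        msg = root.findtext(".//line") or root.findtext(".//msg") or "unknown error"
        raise RuntimeError(f"API call failed: {msg}")
    devices = []
    for entry in root.iterfind("./result/devices/entry"):
        if entry.findtext("connected") != "yes":
            continue  # skip managed devices that are not currently connected
        devices.append({key: entry.findtext(path) for key, path in FIELDS.items()})
    return devices


def to_json(xml_text):
    """JSON text the SIEM can ingest in place of the hand-maintained CSV."""
    return json.dumps(parse_devices(xml_text), indent=2, sort_keys=True)


def fetch_devices_xml(host, api_key, ca_bundle=None):
    """Call the XML API. Key goes in the X-PAN-KEY header, not the URL; TLS is verified."""
    cmd = "<show><devices><connected></connected></devices></show>"
    url = f"https://{host}/api/?" + urllib.parse.urlencode({"type": "op", "cmd": cmd})
    ctx = ssl.create_default_context(cafile=ca_bundle)  # pass your internal CA here
    req = urllib.request.Request(url, headers={"X-PAN-KEY": api_key})
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    host = os.environ.get("PANORAMA_HOST")
    key = os.environ.get("PAN_API_KEY")
    xml_text = fetch_devices_xml(host, key) if host and key else SAMPLE_XML
    print(to_json(xml_text))
```

Run it from cron once a week, redirect the output to the file the SIEM reads, and the "are there any new firewalls?" question answers itself; diffing two consecutive outputs also gives you the list of newly connected serials to alert on.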
04-09-2020 04:58 PM
Assuming that you're using a Linux CLI for this: a combination of the xpath (or xmllint) and the logger commands might be an easy solution to achieve your goal.
Here's a good example:
curl --insecure 'https://10.1.1.1/api/?type=op&cmd=<show><session><info></info></session></show>&key=XXXXXXXXXXXXXXXXXXXXXXXX=' -s | xpath "//pps/text()" 2>/dev/null | xargs logger -t paloaltoapi -n 10.3.3.7 -P 514 Number of sessions from Palo Alto firewall: