05-02-2018 03:24 AM
Hello all,
I'm tasked with initiating a graceful shutdown of mutiple PA3060 firewalls following UPS-detected mains power loss via a scripted process.
I can login to invididual firewalls using plink but I can't work out how to enter the shutdown command with the confirming 'y' keystroke.
Does anyone have experience of this, please?
We have Panorama in the environment, so alternatively, can this be achieved via ssh to the Panorama VM instance, which would then shutdown all managed firewall devices?
Many thanks,
Tim
05-02-2018 07:32 AM
The API is pretty easy to utilize, just generate your API key and you're ready to go.
As for the scripting side of things, you can actually do this perfectly fine in powershell and just include it in the same script.
You can configure something like this to get this to work properly
[Sysem.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12
$wc = New-Object System.Net.WebClient.DownloadString
$wc("https://firewall/api/?type=ip&cmd=<request><shutdown><system></system></shutdown></request>&key=apikey")
Just a note on actually issueing the shutdown command however; are you sure that you actually want to do this? If the power is restored to the UPS before the battery runs out the firewall will actually need to be unplugged and plugged back in to power back on.
05-02-2018 06:08 AM
Not sure how you would do this with Plink, however it's easy enough to do with Netmiko. You could also issue this simply with the API with the following:
/api/?type=op&cmd=<request><shutdown><system></system></shutdown></request>
05-02-2018 07:07 AM - edited 05-02-2018 07:14 AM
Thank you. I'd looked at the API but wasn't sure (this is not my area of any kind of expertise) how to use it.
e.g. so how would I invoke those commands post login?
The entire shutdown for the DC is being driven through PowerShell and PowerCLI, so the commands to login, authenticate and initiate shutdown have to be scripted for no manual intervention.
Tim
05-02-2018 07:31 AM - edited 05-02-2018 07:33 AM
With powershell, use invoke-restmethod, using the url
https://<FIREWALL_IP>/api/?type=op&key=<API_KEY>cmd=<request><shutdown><system></system></shutdown></request>
to obtain your API key, refer to this document:
I recommend using a service account for this obviously, and storing the api key as if it were a password
edit: I believe invoke-restmethod is only available in PS 3.0 and later, so windows 7 and server 2012 wil not have it unless powershell was upgraded.
05-02-2018 07:32 AM
The API is pretty easy to utilize, just generate your API key and you're ready to go.
As for the scripting side of things, you can actually do this perfectly fine in powershell and just include it in the same script.
You can configure something like this to get this to work properly
[Sysem.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12
$wc = New-Object System.Net.WebClient.DownloadString
$wc("https://firewall/api/?type=ip&cmd=<request><shutdown><system></system></shutdown></request>&key=apikey")
Just a note on actually issueing the shutdown command however; are you sure that you actually want to do this? If the power is restored to the UPS before the battery runs out the firewall will actually need to be unplugged and plugged back in to power back on.
05-03-2018 12:44 AM - edited 05-03-2018 12:44 AM
Thanks again.
@BPry Yes, I'm absolutely sure I want to do this. There's no issue with the manual/disconnect reconnect action post shutdown. That's been taken into consideration as part of the overall design.
05-03-2018 06:24 AM
Just wanted to make sure you knew that bit. I've had some people get mad because they didn't realize that shutdown and restart didn't function the same. 😉
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
