Remote shutdown via CLI or through Panorama


L1 Bithead

Hello all,

I'm tasked with initiating a graceful shutdown of multiple PA3060 firewalls following UPS-detected mains power loss via a scripted process.

I can login to individual firewalls using plink but I can't work out how to enter the shutdown command with the confirming 'y' keystroke.

Does anyone have experience of this, please?

We have Panorama in the environment, so alternatively, can this be achieved via ssh to the Panorama VM instance, which would then shutdown all managed firewall devices?

Many thanks,

Tim

1 ACCEPTED SOLUTION


The API is pretty easy to utilize, just generate your API key and you're ready to go. 

As for the scripting side of things, you can actually do this perfectly fine in powershell and just include it in the same script. 

You can configure something like this to get this to work properly

 

[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12

$wc = New-Object System.Net.WebClient

$wc.DownloadString("https://firewall/api/?type=op&cmd=<request><shutdown><system></system></shutdown></request>&key=apikey")

 

 

Just a note on actually issuing the shutdown command however; are you sure that you actually want to do this? If the power is restored to the UPS before the battery runs out the firewall will actually need to be unplugged and plugged back in to power back on.

6 REPLIES

Cyber Elite

@timbiller,

Not sure how you would do this with Plink, however it's easy enough to do with Netmiko. You could also issue this simply with the API with the following: 

/api/?type=op&cmd=<request><shutdown><system></system></shutdown></request>

@BPry,

 

Thank you.  I'd looked at the API but wasn't sure (this is not my area of any kind of expertise) how to use it.

e.g. so how would I invoke those commands post login? 

The entire shutdown for the DC is being driven through PowerShell and PowerCLI, so the commands to login, authenticate and initiate shutdown have to be scripted for no manual intervention.

Tim

With PowerShell, use Invoke-RestMethod, using the URL

 

https://<FIREWALL_IP>/api/?type=op&key=<API_KEY>&cmd=<request><shutdown><system></system></shutdown></request>

 

To obtain your API key, refer to this document:

https://www.paloaltonetworks.com/documentation/71/pan-os/xml-api/get-started-with-the-pan-os-xml-api...

 

I recommend using a service account for this obviously, and storing the API key as if it were a password.

 

 

Edit: I believe Invoke-RestMethod is only available in PS 3.0 and later, so Windows 7 and Server 2012 will not have it unless PowerShell was upgraded.
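Added example, not part of any post in this thread: one way to script the API call described above across several firewalls with Invoke-RestMethod, sending the key in a form-encoded POST body (which the PAN-OS XML API accepts) instead of the URL, and loading it from a DPAPI-protected file so it is stored like a password. The host names, the service account name and the key file path are placeholders.

```powershell
# Added example. Host names, account name and key file path are placeholders.
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12

$Firewalls = @('fw1.example.internal', 'fw2.example.internal')  # placeholder hosts
$KeyFile   = 'C:\Scripts\pan-shutdown-key.xml'                   # placeholder path

# One-time setup, run interactively as the account that runs the shutdown script:
#   Get-Credential -UserName 'svc-shutdown' -Message 'Enter the API key as the password' |
#       Export-Clixml -Path $KeyFile
# On Windows, Export-Clixml encrypts the password with DPAPI, so only that
# user on that machine can read the key back.
function Get-PanApiKey {
    param([Parameter(Mandatory)][string]$Path)
    (Import-Clixml -Path $Path).GetNetworkCredential().Password
}

function Send-PanShutdown {
    param(
        [Parameter(Mandatory)][string]$Firewall,
        [Parameter(Mandatory)][string]$ApiKey
    )
    # Same type/cmd/key parameters as the URLs in the thread, sent as a
    # form-encoded POST body so the key does not appear in the request URL.
    $body = @{
        type = 'op'
        cmd  = '<request><shutdown><system></system></shutdown></request>'
        key  = $ApiKey
    }
    $resp = Invoke-RestMethod -Uri "https://$Firewall/api/" -Method Post -Body $body -TimeoutSec 15
    # The XML API wraps results in <response status="...">
    return $resp.response.status
}

$apiKey = Get-PanApiKey -Path $KeyFile
foreach ($fw in $Firewalls) {
    try {
        $status = Send-PanShutdown -Firewall $fw -ApiKey $apiKey
        Write-Output "${fw}: API status '$status'"
    } catch {
        # A certificate the host does not trust, an unreachable firewall, or a timeout lands here
        Write-Warning "${fw}: shutdown request failed: $($_.Exception.Message)"
    }
}
```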

 


Thanks again.

@BPry Yes, I'm absolutely sure I want to do this. There's no issue with the manual/disconnect reconnect action post shutdown. That's been taken into consideration as part of the overall design.

@timbiller,

Just wanted to make sure you knew that bit. I've had some people get mad because they didn't realize that shutdown and restart didn't function the same. 😉
