Export Configuration from Cloud Managed Prisma Access


L0 Member

I would like to export the configuration from my cloud managed Prisma Access instance -- preferably in JSON format.  Is this possible?  If not, I would like to make it a feature request.

Thanks

-tom

6 REPLIES

L4 Transporter

Does anybody know if this ever happened? I am needing to do the same thing and cannot find any reference to the method to do it.

Check out my YouTube channel - https://www.youtube.com/@mode4480

L0 Member

Same here. Urgent need to back up a POC to restore to purchased service.

 

L1 Bithead

I need an answer to this topic. Somebody, anybody?

L4 Transporter

There have been several upgrades to Prisma Cloud since this thread was created. Unfortunately, we do not use it anymore in our organisation, so I am out of the loop with the development of this feature.

If you are still struggling, I would speak to your SE/RE and see if they can help. At the very least, if you are moving from a POC to production, they should be able to complete this for you.

Check out my YouTube channel - https://www.youtube.com/@mode4480

L1 Bithead

It took me a long time to figure out how to export our Prisma Access, Service Connection and GlobalProtect configuration into JSON backup files. If someone needs to do this as well, here is the PowerShell script I created as a base. You need to adjust the relevant areas (API URLs) depending on your Prisma Access configuration.

# SCM API credentials (replace placeholders with actual values)
$clientId = "YOUR CLIENT ID" # Replace with CLIENT ID
$clientSecret = "YOUR CLIENT SECRET" # Replace with CLIENT SECRET
$tsgId = "YOUR TSG ID" # Replace with Tenant Services Group ID
$tokenEndpoint = "https://auth.apps.paloaltonetworks.com/auth/v1/oauth2/access_token"

# General Script variables
$outputDirectory = "C:\Temp\PAN-SCM-Output\$(Get-Date -Format 'ddMMyyyy')" # Define the output directory

# Create output directory if it doesn't exist
If (-not (Test-Path $outputDirectory)) {
    New-Item -ItemType Directory -Path $outputDirectory | Out-Null
    Write-Host "Output directory created: $outputDirectory"
}

# Construct the request body for token
$body = @{
    grant_type = "client_credentials"
    scope = "tsg_id:$tsgId"
}

# Construct the authentication header for token
$encodedCredentials = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes("${clientId}:${clientSecret}"))
$authHeader = @{
    "Authorization" = "Basic $encodedCredentials"
    "Content-Type" = "application/x-www-form-urlencoded"
}

# Make the API call to get access token
try {
    $response = Invoke-RestMethod -Uri $tokenEndpoint -Method Post -Headers $authHeader -Body $body -ContentType "application/x-www-form-urlencoded"
    $accessToken = $response.access_token
    Write-Host "Bearer Token generated successfully."
} catch {
    Write-Error "Error getting access token: $($_.Exception.Message)"
    Exit 1 # Exit script if token cannot be obtained
}

# API URLs from https://pan.dev/access/api/prisma-access-config/
# Define the list of API URLs
# Add or remove API URLs depend on your Prisma Access environment

$apiUrls = @(
    "https://api.sase.paloaltonetworks.com/sse/config/v1/address-groups?folder=Shared",
    "https://api.sase.paloaltonetworks.com/sse/config/v1/addresses?folder=Shared",
    "https://api.sase.paloaltonetworks.com/sse/config/v1/anti-spyware-profiles?folder=Shared",
    "https://api.sase.paloaltonetworks.com/sse/config/v1/application-filters?folder=Shared",
    "https://api.sase.paloaltonetworks.com/sse/config/v1/application-groups?folder=Shared",
    "https://api.sase.paloaltonetworks.com/sse/config/v1/app-override-rules?position=pre&folder=Shared",
    "https://api.sase.paloaltonetworks.com/sse/config/v1/authentication-profiles?folder=Mobile%20Users",
    "https://api.sase.paloaltonetworks.com/sse/config/v1/certificate-profiles?folder=Shared",
    "https://api.sase.paloaltonetworks.com/sse/config/v1/certificates?folder=Shared",
    "https://api.sase.paloaltonetworks.com/sse/config/v1/certificates?folder=Mobile%20Users",
    "https://api.sase.paloaltonetworks.com/sse/config/v1/config-versions",
    "https://api.sase.paloaltonetworks.com/sse/config/v1/dns-security-profiles?folder=Shared",
    "https://api.sase.paloaltonetworks.com/sse/config/v1/decryption-exclusions?folder=Shared",
    "https://api.sase.paloaltonetworks.com/sse/config/v1/decryption-profiles?folder=Shared",
    "https://api.sase.paloaltonetworks.com/sse/config/v1/decryption-rules?folder=Shared",
    "https://api.sase.paloaltonetworks.com/sse/config/v1/external-dynamic-lists?folder=Shared",
    "https://api.sase.paloaltonetworks.com/sse/config/v1/file-blocking-profiles?folder=Shared",
    "https://api.sase.paloaltonetworks.com/sse/config/v1/hip-objects?folder=Shared",
    "https://api.sase.paloaltonetworks.com/sse/config/v1/hip-profiles?folder=Shared",
    "https://api.sase.paloaltonetworks.com/sse/config/v1/http-header-profiles?folder=Shared",
    "https://api.sase.paloaltonetworks.com/sse/config/v1/ike-crypto-profiles?folder=Shared",
    "https://api.sase.paloaltonetworks.com/sse/config/v1/ipsec-crypto-profiles?folder=Shared",
    "https://api.sase.paloaltonetworks.com/sse/config/v1/shared-infrastructure-settings",
    "https://api.sase.paloaltonetworks.com/sse/config/v1/internal-dns-servers?folder=Shared",
    "https://api.sase.paloaltonetworks.com/sse/config/v1/mobile-agent/agent-profiles?folder=Mobile%20Users",
    "https://api.sase.paloaltonetworks.com/sse/config/v1/mobile-agent/agent-versions",
    "https://api.sase.paloaltonetworks.com/sse/config/v1/mobile-agent/authentication-settings?folder=Mobile%20Users",
    "https://api.sase.paloaltonetworks.com/sse/config/v1/mobile-agent/global-settings",
    "https://api.sase.paloaltonetworks.com/sse/config/v1/mobile-agent/infrastructure-settings?folder=Mobile%20Users",
    "https://api.sase.paloaltonetworks.com/sse/config/v1/mobile-agent/locations?folder=Mobile%20Users",
    "https://api.sase.paloaltonetworks.com/sse/config/v1/mobile-agent/tunnel-profiles?folder=Mobile%20Users",
    "https://api.sase.paloaltonetworks.com/sse/config/v1/profile-groups?folder=Shared",
    "https://api.sase.paloaltonetworks.com/sse/config/v1/security-rules?folder=Shared",
    "https://api.sase.paloaltonetworks.com/sse/config/v1/service-connections?folder=Service%20Connections",
    "https://api.sase.paloaltonetworks.com/sse/config/v1/bgp-routing?position=pre&folder=Service%20Connections",
    "https://api.sase.paloaltonetworks.com/sse/config/v1/services?folder=Shared",
    "https://api.sase.paloaltonetworks.com/sse/config/v1/tags?folder=Shared",
    "https://api.sase.paloaltonetworks.com/sse/config/v1/trusted-certificate-authorities?folder=Shared",
    "https://api.sase.paloaltonetworks.com/sse/config/v1/url-access-profiles?folder=Shared",
    "https://api.sase.paloaltonetworks.com/sse/config/v1/url-categories?folder=Shared",
    "https://api.sase.paloaltonetworks.com/sse/config/v1/vulnerability-protection-profiles?folder=Shared",
    "https://api.sase.paloaltonetworks.com/sse/config/v1/vulnerability-protection-signatures?folder=Shared",
    "https://api.sase.paloaltonetworks.com/sse/config/v1/wildfire-anti-virus-profiles?folder=Shared"
)

# Headers for subsequent API calls
$Headers = @{
    "Authorization" = "Bearer $AccessToken"
    "Accept" = "application/json"
}

# Loop through each API URL
foreach ($apiUrl in $apiUrls) {
    try {
        Write-Host "Fetching data from: $apiUrl"

        # Make the API call to retrieve data
        $apiData = Invoke-RestMethod -Uri $apiUrl -Method Get -Headers $Headers

        # Extract a meaningful name for the file from the URL
        $uri = New-Object System.Uri($apiUrl)
        $pathSegments = $uri.Segments | Where-Object { $_ -ne "/" }
        $fileNameBase = ($pathSegments[-1] -replace '\?.*$', '').Trim('/') # Get the last segment and remove query string

        # Determine prefix based on folder parameter
        $prefix = ""
        if ($apiUrl -like "*folder=Shared*") {
            $prefix = "PrismaAccess_"
        } elseif ($apiUrl -like "*folder=Mobile%20Users*") {
            $prefix = "GlobalProtect_"
        } elseif ($apiUrl -like "*folder=Service%20Connections*") {
            $prefix = "ServiceConnection_"
        } elseif ($apiUrl -like "*/config-versions*") {
            $prefix = "PrismaAccess_"
        } elseif ($apiUrl -like "*/mobile-agent/agent-versions*") {
            $prefix = "GlobalProtect_"
        } elseif ($apiUrl -like "*/mobile-agent/global-settings*") {
            $prefix = "GlobalProtect_"
        } elseif ($apiUrl -like "*/shared-infrastructure-settings*") {
            $prefix = "PrismaAccess_"
        }

        # Handle special cases or generic fallbacks if needed
        if ([string]::IsNullOrEmpty($fileNameBase)) {
            $fileNameBase = "data" # Fallback if no specific name can be extracted
        }

        # Construct the output file path with prefix
        $outputFileName = "PAN_SCM_${prefix}${fileNameBase}_$(Get-Date -Format 'ddMMyyyy').json"
        $outputFilePath = Join-Path -Path $outputDirectory -ChildPath $outputFileName

        # Convert data to JSON and save to file
        $apiData | ConvertTo-Json -Depth 10 | Out-File $outputFilePath -Encoding UTF8
        Write-Host "Data from '$apiUrl' successfully saved to: $outputFilePath" -ForegroundColor Green

    } catch {
        Write-Host "Error retrieving data from '$apiUrl': $($_.Exception.Message)" -BackgroundColor Red
        if ($_.Exception.Response) {
            Write-Host "Status Code: $($_.Exception.Response.StatusCode)" -BackgroundColor Red
        }
    }
}

Write-Host "Script execution completed."
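
The script above keeps the client secret in the script body and writes the exported policy under C:\Temp. As an added example (not part of the original post), these helpers read the credentials from environment variables or a prompt and create the output directory with an ACL limited to the account running the export. The function names and the SCM_* variable names are assumptions.

```powershell
# Added example, not from the original post. Function names and the SCM_*
# environment variable names are assumptions chosen for illustration.
function Get-ScmApiCredential {
    # Keep the service-account values out of the script file.
    $id  = $env:SCM_CLIENT_ID
    $tsg = $env:SCM_TSG_ID
    if (-not $id -or -not $tsg) {
        throw "Set SCM_CLIENT_ID and SCM_TSG_ID before running the export."
    }
    # Use the environment value if present, otherwise prompt without echo.
    $secret = if ($env:SCM_CLIENT_SECRET) {
        ConvertTo-SecureString $env:SCM_CLIENT_SECRET -AsPlainText -Force
    } else {
        Read-Host -Prompt "Client secret for $id" -AsSecureString
    }
    [pscustomobject]@{
        TsgId      = $tsg
        Credential = [pscredential]::new($id, $secret)
    }
}

function Get-BasicAuthHeader {
    param([Parameter(Mandatory)][pscredential]$Credential)
    # Same "clientId:clientSecret" Basic value the original script builds.
    $pair = '{0}:{1}' -f $Credential.UserName, $Credential.GetNetworkCredential().Password
    @{ Authorization = 'Basic ' + [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($pair)) }
}

function New-RestrictedDirectory {
    param([Parameter(Mandatory)][string]$Path)
    # Create the folder, then replace inherited permissions with one rule
    # for the account running the export (NTFS on Windows only).
    $dir = New-Item -ItemType Directory -Path $Path -Force
    $acl = Get-Acl -Path $dir.FullName
    $acl.SetAccessRuleProtection($true, $false)  # block inheritance, drop inherited rules
    $me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $me, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $dir.FullName -AclObject $acl
    $dir.FullName
}

# How these would replace the hard-coded values in the script above:
# $scm             = Get-ScmApiCredential
# $authHeader      = Get-BasicAuthHeader -Credential $scm.Credential
# $body            = @{ grant_type = "client_credentials"; scope = "tsg_id:$($scm.TsgId)" }
# $outputDirectory = New-RestrictedDirectory "C:\Temp\PAN-SCM-Output\$(Get-Date -Format 'ddMMyyyy')"
```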

 
