How can we limit the Panorama XML API access?


L1 Bithead

How can we limit the Panorama XML API access? We are using this XML API for Terraform and Ansible automation. We want to give access to only a few device groups, and we don't want to give access to all device groups. Please advise how we can achieve this. We checked the Admin Roles in Panorama and we don't see many options to restrict access to a specific device group.


Our request is: how can we restrict the API access to only certain device groups?
The wiki pages on the Palo website don't have any information about how we can limit access to only certain device groups.

I'm elaborating more with an example here.

device group - INETFW1
device group - INETFW1
device group - SNETFW1
device group - SNETFW2

We want to give XML API access only to the INETFW1 and SNETFW1 device groups. How can we achieve this?

What we need is a custom privilege restricted to specific device groups for Panorama XML API access.
Please let us know how we can limit the Panorama XML API access to specific device groups.

4 REPLIES

Cyber Elite
Hello @ManojManoj

Thanks for posting.

This should be possible with Access Domains combined with Admin Roles. Here is documentation for reference: Access Domains.

Kind Regards

Pavel

Hi @Pavel,

Please don't blindly answer without understanding the question mentioned here.
Our requirement is to restrict the access via the API and not via the web GUI or other ways.
Did you check restricting XML API access on your lab Panorama system before you commented about this?
Do you have previous experience dealing with this XML API access restriction in Panorama?

Thanks

Cyber Elite
Hello @ManojManoj

Thank you for the reply.

I read your post carefully before replying to you. In the past I have used access domains only for GUI access. While reading your post, the access domain came to my mind as a possible solution. I checked the API documentation and this parameter is passed in the API call, therefore I deemed this possible:

[Image: PavelK_0-1694146484518.png]

The answer to your second question: no, I have not verified it in the lab.

Kind Regards

Pavel

L1 Bithead

Hello, did you find a solution to this? I'm trying to do the same thing to limit an admin account's XML API access to specific device groups. Unfortunately, it looks like using an Access Domain with "Device Group and Template" doesn't provide access to the XML API. From what I see, it only provides access to the Web GUI and REST API. Did you find a workaround for this? Thanks!
