Step 1: Get python
When installing python on Windows, be sure to enable "Add python.exe to Path"
- Mac OSX: Python 2.7.x is already installed. Go to step 2.
- Linux: Python is already installed (usually 2.7.x). Go to step 2.
Step 2: Get pan-python
Go to https://github.com/kevinsteves/pan-python/releases
- Windows: Download the Source Code (.zip)
- Mac OSX and Linux: Download pan-python-x.x.x.tar.gz and uncompress the file.
Step 3: Open a terminal
- Windows: Press WinKey+R. In the Run dialog, type 'cmd' and press enter
- Mac OSX: Navigate to Applications -> Utilities -> Terminal
- Linux: Most distributions have a terminal program you can run.
Step 4: Navigate to pan-python in terminal
In the terminal, use the 'cd' command to navigate to the "bin" directory in the new directory you uncompressed earlier.
For example: cd c:\Users\<username>\Downloads\pan-python-x.x.x\bin
Step 5: Generate an API key for a firewall
When connecting to the PAN-OS API, the connection must include an API key that the firewall uses to authenticate the connection as coming from a specific administrator. In this example, we will generate the API key for the default admin user.
Run this command in a terminal to generate an API Key for the admin user. In this example, the firewall's management IP is 10.1.1.5 and the firewall credentials are username admin and password admin.
python panxapi.py -h 10.1.1.5 -l admin:admin -k
keygen: success
API key: "LUFRPT14MW5xOEo1R09KVlBZNnpnemh0VHRBOWl6TGM9bXcwM3JHUGVhRlNiY0dCR0srNERUQT09"
Record the outputted API key. It will be used in all subsequent API calls.
Step 6: Make a few API calls
The API has many capabilities including the ability to pull statistical data, modify the configuration, and retrieve logs, reports, and pcaps. Here are a few example API calls you can test on any firewall. In each API call, you pass the script the API key, an action type, and a command or xpath that tells the firewall what to retrieve or do.
Example 1: Get interface statistics
python panxapi.py -h 10.1.1.5 -K "LUFRPT14MW5xOEo1R09KVlBZNnpnemh0VHRBOWl6TGM9bXcwM3JHUGVhRlNiY0dCR0srNERUQT09" -x -o "<show><counter><interface>ethernet1/1</interface></counter></show>"
Example 2: Get the firewall's hostname
python panxapi.py -h 10.1.1.5 -K "LUFRPT14MW5xOEo1R09KVlBZNnpnemh0VHRBOWl6TGM9bXcwM3JHUGVhRlNiY0dCR0srNERUQT09" -xr -s "/config/devices/entry/deviceconfig/system/hostname"
Example 3: Get all address objects
python panxapi.py -h 10.1.1.5 -K "LUFRPT14MW5xOEo1R09KVlBZNnpnemh0VHRBOWl6TGM9bXcwM3JHUGVhRlNiY0dCR0srNERUQT09" -xr -s "/config/devices/entry/vsys/entry/address"
Example 4: Create a new address object called 'testobject' with the IP 5.5.5.5
python panxapi.py -h 10.1.1.5 -K "LUFRPT14MW5xOEo1R09KVlBZNnpnemh0VHRBOWl6TGM9bXcwM3JHUGVhRlNiY0dCR0srNERUQT09" -xr -S "<ip-netmask>5.5.5.5</ip-netmask>" "/config/devices/entry/vsys/entry/address/entry[@name='testobject']"
Example 5: Commit
python panxapi.py -h 10.1.1.5 -K "LUFRPT14MW5xOEo1R09KVlBZNnpnemh0VHRBOWl6TGM9bXcwM3JHUGVhRlNiY0dCR0srNERUQT09" -xr --sync -C "<commit></commit>"
Step 7: Learn more
- See the links in the Additional Information section.
- Post questions or engage in discussion in the API discussion area of the LIVEcommunity.