Palo Alto Networks Knowledgebase: Getting Started with the API

Getting Started with the API

Created On 02/08/19 00:01 AM - Last Updated 02/08/19 00:01 AM


This document is for first-time API users to get started and try out the basics of the PAN-OS API.  This document leverages the pan-python SDK to get you started with some basic examples of API usage.


Step 1:  Get python

Windows:  Download Python 2.7.x or 3.x.x for Windows here:

When installing python on Windows, be sure to enable "Add python.exe to Path"


Mac OSX:  Python 2.7.x is already installed.  Go to step 2.


Linux:  Python is already installed (usually 2.7.x).  Go to step 2.


Step 2:  Get pan-python

Go to


Windows:  Download the Source Code (.zip)


Mac OSX and Linux:  Download pan-python-x.x.x.tar.gz


Uncompress the file.


Step 3:  Open a terminal

Windows:  Press WinKey+R.  In the Run dialog, type 'cmd' and press enter


Mac OSX:  Navigate to Applications -> Utilities -> Terminal


Linux:  Most distributions have a terminal program you can run.


Step 4:  Navigate to pan-python in terminal

In the terminal, use the 'cd' command to navigate to the "bin" directory in the new directory you uncompressed earlier.


For example:  cd c:\Users\<username>\Downloads\pan-python-x.x.x\bin


Step 5:  Generate an API key for a firewall

When connecting to the PAN-OS API, the connection must include an API key that the firewall uses to authenticate the connection as coming from a specific administrator.  In this example, we will generate the API key for the default admin user.


Run this command in a terminal to generate an API Key for the admin user.  In this example, the firewall's management IP is and the firewall credentials are username admin and password admin.


python -h -l admin:admin -k

keygen: success



Record the outputted API key.  It will be used in all subsequent API calls.


Step 6:  Make a few API calls

The API has many capabilities including the ability to pull statistical data, modify the configuration, and retrieve logs, reports, and pcaps.  Here are a few example API calls you can test on any firewall.  In each API call, you pass the script the API key, an action type, and a command or xpath that tells the firewall what to retrieve or do.


Example 1:  Get interface statistics


python -h -K "LUFRPT14MW5xOEo1R09KVlBZNnpnemh0VHRBOWl6TGM9bXcwM3JHUGVhRlNiY0dCR0srNERUQT09" -x -o "<show><counter><interface>ethernet1/1</interface></counter></show>"


Example 2:  Get the firewall's hostname


python -h -K "LUFRPT14MW5xOEo1R09KVlBZNnpnemh0VHRBOWl6TGM9bXcwM3JHUGVhRlNiY0dCR0srNERUQT09" -xr -s "/config/devices/entry/deviceconfig/system/hostname"


Example 3:  Get all address objects


python -h -K "LUFRPT14MW5xOEo1R09KVlBZNnpnemh0VHRBOWl6TGM9bXcwM3JHUGVhRlNiY0dCR0srNERUQT09" -xr -s "/config/devices/entry/vsys/entry/address"


Example 4:  Create a new address object called 'testobject' with the IP


python -h -K "LUFRPT14MW5xOEo1R09KVlBZNnpnemh0VHRBOWl6TGM9bXcwM3JHUGVhRlNiY0dCR0srNERUQT09" -xr -S "<ip-netmask></ip-netmask>" "/config/devices/entry/vsys/entry/address/entry[@name='testobject']"


Example 5:  Commit


python -h -K "LUFRPT14MW5xOEo1R09KVlBZNnpnemh0VHRBOWl6TGM9bXcwM3JHUGVhRlNiY0dCR0srNERUQT09" -xr --sync -C "<commit></commit>"


Step 7:  Learn more

You can learn more about the PAN-OS API at the following links.  Don't forget, you can always post to the API discussion area of the Live Community if you have questions.


See Also 

PAN-OS Documentation and XML-API Guide

pan-python SDK API script documentation

  • Print
  • Copy Link

Choose Language