How to Change the Password of Administrative Users via XML API

Created On 09/25/18 20:40 PM - Last Modified 06/15/23 21:41 PM


Symptom


Change the password of an administrative user by using the XML API.


Environment


  • Palo Alto Networks Firewall
  • PAN-OS 9.1, 10.0, 10.1
  • XML-API


Resolution


  1. Generate the API key. You must generate an API key in order to use the XML API; the API key authenticates the user to the firewall.
    1. https://<IP-ADDRESS>/api/?type=keygen&user=<username>&password=<password>
    2. Example: Username: admin  Password: !admin

https://10.129.80.153/api/?type=keygen&user=admin&password=!admin

    3. The firewall returns the key in a response like the one shown below:
<response status="success">
<result>
<key>
LUFRPT1JRUtoV0Y3ZUZXODBOL2ZwWkdKOG1YNjl0Mk09UkIrT0FvKy9WQS93T2VCMFl5anFQZz09 <<<<API KEY
</key>
</result>
</response>
  2. Generate the phash.
    1. From the CLI, generate the phash for any string using the command request password-hash password (example password: admin):
> request password-hash password admin
$1$ljdmkhxr$N2RLuOfyAuyP56aGTNcNF0
  3. Create the XML API string. To do this, you need to know the xpath (XML path). To find the xpath, you can use the Web GUI of the firewall.
    1. Log in to your Web GUI and then navigate to the URL https://<Firewall MGT IP>/api. You will see the page below.

XML API
    2. Navigate to Configuration Commands > mgt-config > users > <Select the user> > phash

XML API Path

  4. Compile the exact API call to be used. (Ex. Username: admin)
API URL Format
 https://<ip.address>/api/?type=config&action=edit&key=<key generated in step 1>&xpath=/config/mgt-config/users/entry\[@name='<username>'\]/phash&element=<phash><phash generated in step 2></phash>
Example using Username: admin
https://10.129.80.153/api/?type=config&action=edit&key=LUFRPT1HOXptYkpVSVo5aExZL21Zdjg2M1V1MTY3R1U9UlB6aFpWcHpzcEV3aklTSkdZS0lBQT09&xpath=/config/mgt-config/users/entry\[@name='admin'\]/phash&element=<phash>$1$gchtbnbq$UD6si.oLOK52KsWkSk/RZ0</phash>
  5. Use curl, wget, or a REST API client to send this to the firewall. The phash must be sent exactly as generated in step 2, including its leading $1$. Inside double quotes the shell expands $, so each $ in the phash is escaped as \$.
host$ curl -ik "https://10.129.80.153/api/?type=config&action=edit&key=LUFRPT1HOXptYkpVSVo5aExZL21Zdjg2M1V1MTY3R1U9UlB6aFpWcHpzcEV3aklTSkdZS0lBQT09&xpath=/config/mgt-config/users/entry\[@name='admin'\]/phash&element=<phash>\$1\$gchtbnbq\$UD6si.oLOK52KsWkSk/RZ0</phash>"

HTTP/1.1 200 OK
Date: Wed, 30 Mar 2016 11:55:34 GMT
Server: PanWeb Server/ -
ETag: "bef7-12b-56be95ee"
Content-Length: 76
Connection: keep-alive
Keep-Alive: timeout=360, max=1999
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: application/xml; charset=UTF-8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
X-FRAME-OPTIONS: SAMEORIGIN
Set-Cookie: PHPSESSID=5d96af62b31832e0dec0cf409a9380d2; path=/; secure; HttpOnly

<response status="success" code="20"><msg>command succeeded</msg></response>
  6. Commit the changes on the firewall. The phash pushed by the XML API is still only in the candidate config, so it does not take effect until you commit.
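
The edit request from the curl step, as an added example that is not part of the original article: it sends the same xpath and element in a POST body with the key in the X-PAN-KEY header and with certificate verification on, and it checks the admin name and the hash before sending. FW, CA_FILE, PAN_KEY and the function names are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the KB article. FW, CA_FILE, PAN_KEY and the function
# names are assumptions; the xpath and API parameters are the article's.
FW="${FW:-fw.example.internal}"            # placeholder management address
CA_FILE="${CA_FILE:-/etc/ssl/fw-ca.pem}"   # placeholder CA bundle for the firewall cert

# Build the phash xpath. The name lands inside an XPath predicate, so anything
# outside a conservative character set is refused rather than escaped.
phash_xpath() {
  case "$1" in
    ''|*[!A-Za-z0-9._-]*) echo "invalid admin name" >&2; return 1 ;;
  esac
  printf "/config/mgt-config/users/entry[@name='%s']/phash" "$1"
}

# Wrap the output of "request password-hash" in <phash>. The value must still
# have its "$<id>$<salt>$<digest>" fields; a hash that passed through double
# quotes unescaped has lost them and is rejected here.
phash_element() {
  case "$1" in
    '$'[0-9a-z]*'$'?*'$'?*) printf '<phash>%s</phash>' "$1" ;;
    *) echo "not a crypt-style hash (check shell quoting)" >&2; return 1 ;;
  esac
}

# Send the edit as a POST: parameters go in the URL-encoded body (so no \[ \]
# glob escaping is needed), the key goes in the X-PAN-KEY header read from
# stdin via -K -, and the server certificate is verified instead of using -k.
push_phash() (   # usage: PAN_KEY=... push_phash <admin> '<hash>'
  xpath=$(phash_xpath "$1") && element=$(phash_element "$2") &&
  printf 'header = "X-PAN-KEY: %s"\n' "${PAN_KEY:?set PAN_KEY}" |
    curl -sS --cacert "$CA_FILE" -K - \
      --data-urlencode "type=config" --data-urlencode "action=edit" \
      --data-urlencode "xpath=$xpath" --data-urlencode "element=$element" \
      "https://$FW/api/"
)
```

Pass the hash in single quotes so the shell leaves its $ characters alone; the change still has to be committed afterwards.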


Additional Information


One can also use "set" instead of "edit". When using set, the "/phash" needs to be removed from the end of the xpath. The first command below uses edit and the second uses set.
 

curl -ik "https://10.129.80.153/api/?type=config&action=edit&key=LUFRPT1HOXptYkpVSVo5aExZL21Zdjg2M1V1MTY3R1U9UlB6aFpWcHpzcEV3aklTSkdZS0lBQT09&xpath=/config/mgt-config/users/entry\[@name='admin'\]/phash&element=<phash>\$1\$gchtbnbq\$UD6si.oLOK52KsWkSk/RZ0</phash>"

curl -ik "https://10.129.80.153/api/?type=config&action=set&key=LUFRPT1HOXptYkpVSVo5aExZL21Zdjg2M1V1MTY3R1U9UlB6aFpWcHpzcEV3aklTSkdZS0lBQT09&xpath=/config/mgt-config/users/entry\[@name='admin'\]&element=<phash>\$1\$gchtbnbq\$UD6si.oLOK52KsWkSk/RZ0</phash>"

Note: Curl is installed in the newer Windows 10 build 7063 and above.


