How to Change the Password of Administrative Users via XML API
Symptom
Environment
- Palo Alto Networks Firewall
- PAN-OS 9.1, 10.0, 10.1
- XML-API
Resolution
- Generate the API key. (You must generate an API key in order to use the XML API. The API key authenticates the user to the firewall.)
- https://<IP-ADDRESS>/api/?type=keygen&user=<username>&password=<password>
- Example: Username: admin Password: !admin
https://10.129.80.153/api/?type=keygen&user=admin&password=!admin
- You would get the key response as shown below:
- Navigate to > Configuration Commands > mgt-config > users > <Select the user> > phash
- Compose the exact API call to be used. (Example username: admin)
https://<ip.address>/api/?type=config&action=edit&key=<key generated in step 1>&xpath=/config/mgt-config/users/entry\[@name='<username>'\]/phash&element=<phash><phash generated in step 2></phash>
https://10.129.80.153/api/?type=config&action=edit&key=LUFRPT1HOXptYkpVSVo5aExZL21Zdjg2M1V1MTY3R1U9UlB6aFpWcHpzcEV3aklTSkdZS0lBQT09&xpath=/config/mgt-config/users/entry\[@name='admin'\]/phash&element=<phash>1$gchtbnbq$UD6si.oLOK52KsWkSk/RZ0</phash>
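- Use curl, wget, or a REST API client to send this to the firewall. In a POSIX shell, each $ in the phash must be escaped as \$ inside the double-quoted URL; otherwise the shell expands it as a variable and a truncated hash is sent.
host$ curl -ik "https://10.129.80.153/api/?type=config&action=edit&key=LUFRPT1HOXptYkpVSVo5aExZL21Zdjg2M1V1MTY3R1U9UlB6aFpWcHpzcEV3aklTSkdZS0lBQT09&xpath=/config/mgt-config/users/entry\[@name='admin'\]/phash&element=<phash>1\$gchtbnbq\$UD6si.oLOK52KsWkSk/RZ0</phash>"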
HTTP/1.1 200 OK
Date: Wed, 30 Mar 2016 11:55:34 GMT
Server: PanWeb Server/ -
ETag: "bef7-12b-56be95ee"
Content-Length: 76
Connection: keep-alive
Keep-Alive: timeout=360, max=1999
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: application/xml; charset=UTF-8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
X-FRAME-OPTIONS: SAMEORIGIN
Set-Cookie: PHPSESSID=5d96af62b31832e0dec0cf409a9380d2; path=/; secure; HttpOnly
<response status="success" code="20"><msg>command succeeded</msg></response>
- Commit the changes on the firewall. The phash pushed by the XML API is only in the candidate configuration until you commit.
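The edit request from the steps above, written as an added shell example (not from the original article) that sends the parameters as a URL-encoded POST body and the key in the X-PAN-KEY header, so the phash and key stay out of URLs and the `$` characters survive intact. The FW and PAN_KEY variables and the function names are assumptions; the xpath and `<phash>` element are the article's.

```shell
#!/usr/bin/env bash
# Added example, not from the original article. FW, PAN_KEY and all
# function names are assumptions made for illustration.

# Reject user names that could break out of the quoted xpath predicate.
valid_user() {
  case "$1" in
    ''|*[!A-Za-z0-9._-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# xpath for action=edit, as in the article. No backslashes before the
# brackets: it is sent as POST data, so curl never URL-globs it.
phash_xpath() {
  valid_user "$1" || return 1
  printf "/config/mgt-config/users/entry[@name='%s']/phash" "$1"
}

# Wrap the hash; printf %s keeps every '$' literal.
phash_element() {
  printf '<phash>%s</phash>' "$1"
}

# --data-urlencode percent-encodes $, <, >, [ and ' in each value.
# TLS certificate verification is left on (no -k).
set_phash() {  # usage: set_phash <user> <phash>
  local xpath element
  xpath=$(phash_xpath "$1") || { echo "invalid user name" >&2; return 1; }
  element=$(phash_element "$2")
  curl --silent --show-error \
    --header "X-PAN-KEY: ${PAN_KEY:?export PAN_KEY first}" \
    --data-urlencode "type=config" \
    --data-urlencode "action=edit" \
    --data-urlencode "xpath=${xpath}" \
    --data-urlencode "element=${element}" \
    "https://${FW:?export FW first}/api/"
}
```

Pass the phash in single quotes when calling `set_phash` so the shell does not expand it, for example `set_phash admin '1$gchtbnbq$UD6si.oLOK52KsWkSk/RZ0'`.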
Additional Information
One can also use "set" instead of "edit". When using "set", the trailing "/phash" needs to be removed from the xpath.
curl -ik "https://10.129.80.153/api/?type=config&action=edit&key=LUFRPT1HOXptYkpVSVo5aExZL21Zdjg2M1V1MTY3R1U9UlB6aFpWcHpzcEV3aklTSkdZS0lBQT09&xpath=/config/mgt-config/users/entry\[@name='admin'\]/phash&element=<phash>1\$gchtbnbq\$UD6si.oLOK52KsWkSk/RZ0</phash>"
curl -ik "https://10.129.80.153/api/?type=config&action=set&key=LUFRPT1HOXptYkpVSVo5aExZL21Zdjg2M1V1MTY3R1U9UlB6aFpWcHpzcEV3aklTSkdZS0lBQT09&xpath=/config/mgt-config/users/entry\[@name='admin'\]&element=<phash>1\$gchtbnbq\$UD6si.oLOK52KsWkSk/RZ0</phash>"
Note: curl is installed in newer Windows 10 builds (build 7063 and above).