Questions regarding API Key Management: Warnings, Configuration, Security, and Usage
15718
Created On 12/10/24 10:34 AM - Last Modified 01/25/25 03:55 AM
Question
- Is the warning "The latest API KeyGen was executed on Mon Jan 01 00:00:00 2024 with the deprecated algorithm" a bug, and can we safely ignore it?
- If we need to configure API key certificates, should we do it on the Panorama for on-prem Strata Firewalls and/or on each Strata Firewall?
- Is there any security issue related to API keys with the deprecated algorithm?
- Does Panorama use API keys to communicate with firewalls?
- How can we check whether we are currently using the API?
Environment
- PA-Series Next-Generation Firewall
- PAN-OS 11.1
Answer
- This is a new feature introduced in PAN-OS 11.1.0. Legacy API keys are still supported in 11.1 as long as no API key certificate is configured. They will be deprecated in 12.0/12.1 and completely disabled in 13.0.
You can ignore this warning for now, but it is recommended to configure the more secure API key infrastructure as soon as possible to avoid potential issues in future versions.
- You need to configure the API key certificate on all devices. For devices managed by Panorama, you can do this through the Device Template.
The warning persists on the firewalls even after you generate the API key certificate on Panorama only, as the commit results show:
Panorama commit: [screenshot]
Firewall commit: [screenshot]
- The existing API key contains the username and password encrypted with the device master key. The potential risk is that a mishandled or leaked key exposes the user's credentials.
- By default, Panorama does not use API keys to communicate with the firewalls; it primarily uses the management connection. However, Panorama can use API keys when an API query is made from Panorama to a specific firewall.
- Below are some of the ways to check:
- Check the Administrator account settings. Dynamic roles such as Superuser and Panorama/Device admin have API access permissions. If you are using the Role Based administrator type, inspect the Admin Roles for API access permissions. If no Admin account has API permissions, you are not using the API.
- Check the API metrics logs by running the commands below on Panorama and on the firewalls; an empty reply indicates that the API is not used:
less webserver-log restapi_metrics.log
less webserver-log api_metrics.log
- Run the commands below to check for API key usage:
On Panorama, run the command "show api key expiration". If it returns an empty reply, no API keys are actively in use.
On firewalls, run the command "show api-key-expiration-ts". Similarly, an empty reply indicates that no API keys are actively in use.
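The first check above (which administrator accounts actually carry API permissions) can be automated against a running-config XML export; the script below is an added example, not part of the article or of Palo Alto Networks' tooling. The config paths it walks (mgt-config/users, shared/admin-role and its xmlapi subtree) and the sample config are assumptions to verify against your own `show config running` output.

```python
# Audit a PAN-OS running config for admin accounts that can use the XML API.
# Assumed config paths (check with `show config running` on your own device):
# dynamic roles under mgt-config/users/entry/permissions/role-based; custom
# roles referenced via role-based/custom/profile and defined under
# shared/admin-role/entry, whose xmlapi subtree holds the API permissions.
import xml.etree.ElementTree as ET

# Dynamic roles the article names as carrying API access.
API_DYNAMIC_ROLES = ("superuser", "deviceadmin", "panorama-admin")

def api_capable_admins(config_xml: str) -> dict:
    """Return {username: reason} for every admin account with API permissions."""
    root = ET.fromstring(config_xml)
    # Custom profile name -> set of xmlapi permissions explicitly set to "yes".
    profiles = {}
    for prof in root.iterfind(".//shared/admin-role/entry"):
        profiles[prof.get("name")] = {p.tag for p in prof.iterfind(".//xmlapi/*")
                                      if (p.text or "").strip() == "yes"}
    found = {}
    for user in root.iterfind(".//mgt-config/users/entry"):
        name = user.get("name")
        rb = user.find("permissions/role-based")
        if rb is None:
            continue
        for role in API_DYNAMIC_ROLES:
            if rb.findtext(role, "").strip() == "yes":
                found[name] = f"dynamic role {role}"
                break
        else:  # no dynamic role: look at the referenced custom profile
            prof_name = rb.findtext("custom/profile", "").strip()
            perms = profiles.get(prof_name, set())
            if perms:
                found[name] = f"custom profile {prof_name}: xmlapi {sorted(perms)}"
    return found

# Constructed sample config (not from a real device) covering all three cases:
# a dynamic superuser, a custom role with API rights, and one without.
SAMPLE_CONFIG = """<config>
  <shared><admin-role>
    <entry name="api-reporter"><role><device><xmlapi><report>yes</report><op>no</op></xmlapi></device></role></entry>
    <entry name="webui-only"><role><device><xmlapi><report>no</report></xmlapi></device></role></entry>
  </admin-role></shared>
  <mgt-config><users>
    <entry name="admin"><permissions><role-based><superuser>yes</superuser></role-based></permissions></entry>
    <entry name="reporter"><permissions><role-based><custom><profile>api-reporter</profile></custom></role-based></permissions></entry>
    <entry name="helpdesk"><permissions><role-based><custom><profile>webui-only</profile></custom></role-based></permissions></entry>
  </users></mgt-config>
</config>"""
```

Run `api_capable_admins()` on the saved XML of each device; an empty result is the "no admin with API permissions" case the article describes, and every entry it returns is an account whose API key would carry the deprecated-algorithm risk.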