PaloAlto_API_Insight.md

PaloAlto API: Insight

Existing tools

Migration tool

Expedition is the 4th version of migration tool and can apparently delete all unused objects. It is worth trying to use this tool if a cli is available.

Libraries

• pan-os-python: Developped by PaloAltoNetworks. The library is maintained but it is really not practical to use. It is subdocumented and strange to use.

  from panos.panorama import Panorama
  from panos.objects import AddressObject
  
  pano = Panorama(hn, un, pw)
  
  # You need to give the direct parent
  # and explicitly retrieve the data manually
  AddressObject.refreshall(pano)
  
  # Before being able to use it
  addr = pano.findall(AddressObject)

  • How to get all shared address object

  • Documentation - HowTo

  • Code Sample: Ensure security rule

• pan-python: wrapper for the XML API. (The documentation seems to be hosted by PaloAltoNetworks)

Client

• pan-configurator ?

• panxapi python client for the xml api. It does not do much more.

Existing APIs

• REST API: We access the resources directly.

• XML API: We traverse an xml configuration containing all informations using xpath. This seems to be the most powerful API

  • Explore the API: We can explore the API, e.g. through the browser

  • Configuration (API)

  • Use XPath to Get Active Configuration

  We can for example find the entry referencing an object as a member

  /config/devices/entry/device-group//member[text() = 'RAR_ZRH-SNAT_Subnet']//ancestor::entry[position() = 1]

  Nb: this is usefull to find the dependencies, but it is not easy to delete this entry

Other informations

• security policy filtering: it is apparently possible to filter the policies according to their members

• XML API walkthrough

• Embedded REST API documentation