Requests made to the PAN-OS® XML API will require authentication, in the form of an API key. The following steps will walk you through the process of generating a key and storing it for future use.
The panxapi.py -k option performs the
type=keygen API request
to generate the API key for an administrator account. The -h and
-l (ell) options specify the hostname or IP address of the firewall
and username and password arguments for the API request.
For brevity, the labs use the superuser administrator account
creating API administrator accounts using a custom admin role with the
least privilege set of XML API types required for your usage, is
file contains hostname and API key variables optionally referenced by a
tagname using the panxapi.py -t option. The
.panrc file is a convenient way to store
API keys for all your firewalls in a file, then reference those keys by
tag when executing API calls. You'll create a .panrc file in
Lab 2 at
the bottom of this page and use it for all following API calls.
When -t is combined with -h, -l and -k, panxapi.py
.panrc format lines with the
.panrc without tagname#
Use a null string for the tagname to create tagless variables; these are matched when -t is not specified.
.panrc with tagname#
When the password is not specified on the command line the user is prompted for it. This is useful to avoid leaving the password in the shell history.
.panrc file using shell output redirection#
Shell output redirection can be used to create your
Set least privilege permissions:
.panrc file contains authentication material; it should have
strict file permissions (read/write for the owner, and not accessible by
group or other).
.panrc file entries with your tagname are verified by performing
an operational command API request with -o cmd.