Introduction to the PAN-OS API

About the API


API’s are very important to Palo Alto Networks. Security automation is key to the success of any organization in preventing cyber attacks. So Palo Alto Networks products have comprehensive APIs to enable automation.

In this lab we’ll focus on the PAN-OS API, which is the API for the Palo Alto Networks Next-generation Firewall and Panorama Management Center.

When connecting to the PAN-OS API:

  • Access the API on the management interface using HTTPS, just as you would connect to the GUI.
  • Connections to the API are treated as general web admin access. They create a session just like you were accessing the GUI.
  • Authentication requires an API key which is generated through an API call.

Some examples of how you might use the PAN-OS API include, but are not limited to:

  • Read, write, verify, and commit configuration
  • Download reports in XML format
  • Execute operational commands to check health and status
  • Collect logs and pcaps
  • Update dynamic address groups
  • Update user-id mappings
  • And much more!

The API Browser

The Next-generation Firewall and Panorama have an API Browser built in which allows you to explore the API and trigger simple API calls in the browser itself.

You can access the API Browser by adding /api to the URL after the IP address of the firewall. For example, if your firewall is at, the URL of the API Browser is


Lab exercise: Try connecting to the API Browser on the firewall in your lab. Explore a little to get familiar, then continue with the lab.

API Command Types

There are several API types as shown in the main page of the API browser.

API Types

API Type Description
keygen Generate an API Key (not shown in API Browser)
config Retrieve or modify the configuration
commit Commit the configuration
export Export files, packet captures, and keys
import Import files, certificates, response pages, and branding
op Operational commands (like ‘show’ commands)
report Retrieve predefined, dynamic, and custom reports
user-id User/IP mappings and Dynamic Address Groups

This lab focuses on the following 5 types, but the concepts needed to understand these 5 types are the same concepts for all the other types.

  • keygen
  • config
  • commit
  • op
  • user-id

Continue to Introducing pan-python in Module 1 to begin the first lab.