Execute Operational Commands

Note

Examples using panxapi.py will not specify the -t option for brevity. When -t is not specified .panrc entries are matched using a null tagname:

hostname=10.30.11.101
api_key=LUFRPT14MW5xOEo1R09KVlBZNnpnemh0VHRBOWl6TGM9bXcwM3JHUGVhRlNiY0dCR0srNERUQT09

The panxapi.py -o option performs the type=op API request to execute operational commands (CLI). The command is specified with the cmd argument, which is an XML representation of the command line. The -X option converts a CLI-style cmd argument to XML (in some cases the expected XML document cannot be derived).

Example: show system info

$ panxapi.py -Xjro 'show system info'
op: success
{
  "system": {
    "app-release-date": "2018/03/20 15:57:21 PDT",
    "app-version": "793-4594",
    "av-release-date": "2018/03/25 09:58:22 PDT",
    "av-version": "2560-3056",
    "cloud-mode": "non-cloud",
    "default-gateway": "192.168.1.254",
    "devicename": "PA-VM",
    "family": "vm",
    "global-protect-client-package-version": "0.0.0",
    "global-protect-clientless-vpn-release-date": null,
    "global-protect-clientless-vpn-version": "0",
    "global-protect-datafile-release-date": "unknown",
    "global-protect-datafile-version": "unknown",
    "hostname": "PA-VM",
    "ip-address": "192.168.1.103",
    "ipv6-address": "unknown",
    "ipv6-default-gateway": null,
    "ipv6-link-local-address": "fe80::20c:29ff:fe10:b6a/64",
    "is-dhcp": false,
    "logdb-version": "8.1.8",
    "mac-address": "00:0c:29:10:0b:6a",
    "model": "PA-VM",
    "multi-vsys": "off",
    "netmask": "255.255.255.0",
    "operational-mode": "normal",
    "platform-family": "vm",
    "public-ip-address": "unknown",
    "serial": "015351000006388",
    "sw-version": "8.1.0",
    "threat-release-date": "2018/03/20 15:57:21 PDT",
    "threat-version": "793-4594",
    "time": "Thu Apr  5 17:24:01 2018\n",
    "uptime": "29 days, 20:19:51",
    "url-db": "paloaltonetworks",
    "url-filtering-version": "20180405.40003",
    "vm-cpuid": "ESX:E3060500FFFBAB1F",
    "vm-license": "VM-50",
    "vm-mac-base": "E4:A7:49:0A:18:00",
    "vm-mac-count": "256",
    "vm-mode": "VMWare ESXi",
    "vm-uuid": "564DB8BD-3315-1119-5608-E36D8E100B6A",
    "vpn-disable-mode": "off",
    "wf-private-release-date": "unknown",
    "wf-private-version": "0",
    "wildfire-release-date": "2018/03/26 09:15:06 PDT",
    "wildfire-version": "229813-232248"
  }
}

Note

This example used -jr to select the result content of the response as JSON. Response output options include (from panxapi.py --help):

-x                    print XML response to stdout
-p                    print XML response in Python to stdout
-j                    print XML response in JSON to stdout
-r                    print result content when printing response

Note

Not all CLI commands are supported by type=op, including:

  • debug, ping, ftp, traceroute, netstat, scp, others

  • some show commands

    • show config

    • show log

Tip

debug cli on can be used to determine the XML representation of a CLI command:

admin@PA-VM> debug cli on
admin@PA-VM> show system info

<request cmd="op" cookie="7641443416872627" uid="500"><operations><show><system><info/></system></show></operations></request>

Lab 3

  1. Identify several CLI commands to execute using the API.

    Some suggestions include:

    • show ntp

    • show system info

    • show counter global

    • show session info

  2. Use the panxapi.py -o option to execute the commands, and review the output.

  3. Perform commands using -x, -j and -r.

Solution

$ panxapi.py -xo '<show><ntp/></show>'
op: success
<response status="success"><result>
  <synched>us.pool.ntp.org</synched>
  <ntp-server-1>
    <status>synched</status>
    <authentication-type>none</authentication-type>
    <reachable>yes</reachable>
    <name>us.pool.ntp.org</name>
  </ntp-server-1>
  <ntp-server-2>
    <status>available</status>
    <authentication-type>none</authentication-type>
    <reachable>yes</reachable>
    <name>north-america.pool.ntp.org</name>
  </ntp-server-2>
</result></response>

$ panxapi.py -Xro 'show ntp'
op: success
  <synched>us.pool.ntp.org</synched>
  <ntp-server-1>
    <status>synched</status>
    <authentication-type>none</authentication-type>
    <reachable>yes</reachable>
    <name>us.pool.ntp.org</name>
  </ntp-server-1>
  <ntp-server-2>
    <status>available</status>
    <authentication-type>none</authentication-type>
    <reachable>yes</reachable>
    <name>north-america.pool.ntp.org</name>
  </ntp-server-2>

$ panxapi.py -Xjro 'show ntp'
op: success
{
  "ntp-server-1": {
    "authentication-type": "none",
    "name": "us.pool.ntp.org",
    "reachable": true,
    "status": "synched"
  },
  "ntp-server-2": {
    "authentication-type": "none",
    "name": "north-america.pool.ntp.org",
    "reachable": true,
    "status": "available"
  },
  "synched": "us.pool.ntp.org"
}