Monday, 18 July 2016

Python for Network Engineers - Part 7 - Using Palo Alto Networks XML API

In this blog article we’re going to look at using the Python requests module to interface with the Palo Alto Networks (PAN-OS) XML API.

Blog Series

Python for Network Engineers - Part 1 - Introduction
Python for Network Engineers - Part 2 - Making REST calls
Python for Network Engineers - Part 3 - Using Cisco Nexus NX-API
Python for Network Engineers - Part 4 - Using Arista EOS eAPI
Python for Network Engineers - Part 5 - Using Junos NETCONF interface
Python for Network Engineers - Part 6 - Using Cisco Nexus NETCONF interface
Python for Network Engineers - Part 7 - Using Palo Alto Networks XML API


In previous blog posts we gave an introduction to using the requests module to interact with REST APIs and also looked at the ncclient module for NETCONF interfaces.

In this blog post we’ll use the requests module again to interact with the Palo Alto XML API.  It’s a little harder to get started with than examples in previous blog posts.  But once you’ve worked through a few examples it’s fairly straight forward.

It’s also a little unusual as we are just using HTTP GET requests and passing XML data in the query section of the URI string.  So in this case it’s not a true REST API, but as we're using requests module again then much of the knowledge picked up in part 2, 3 and 4 will be helpful here too..

Palo Alto XML API

For this example I’m using a VM-Series Palo Alto firewall with PAN-OS 6.1.0 and Ubuntu 16.04 linux.

PAN Setup
On the Palo Alto firewall then there is no setup required to enable the XML API.  We just need to have web browser access to the firewall.

However before we start trying to query or configure the firewall we will need to generate an authentication key.  We can do this from Python using the requests module.

Key Generation
First open an interactive Python session and we will setup all the basic settings and create a session object “s” to the firewall.
import requests, json, xmltodict
from requests.packages.urllib3.exceptions import InsecureRequestWarning
uri = ''
s = requests.session()
s.verify = False

The second and third lines will just disable some SSL warnings which will make the output harder to read.  Next we will send a request to the firewall for a key to be created for the below user “admin”.
uname = upass = "admin"
params = {}
params['type'] = 'keygen'
params['user'] = uname
params['password'] = upass
r = s.request('get', uri, params=params)

We can then take a look at the key that was sent back and can also set it into a string called “key” which we will use in the further examples below
print r.text
d = xmltodict.parse(r.text)
key = d['response']['result']['key']
print key

Example 1
In this example we’ll just do a few basic show commands.  This assumes that you’ve already created your session object “s” and you have set a string called “key” with the correct authentication key.
params = {'type': 'config', 'action': 'show', 'key': key}
params['xpath'] = '/config/mgt-config'
r = s.get(uri, params=params)
print r.text

One thing to note is that I've switched to using "s.get()" syntax.  Above and in previous blogs posts I've used "s.request("get") as it's easy to switch to using "post" or "put".  However as we'll only be using "get" with PAN then we'll use the shorter command.

This next query will list all the address objects on the firewall
params['xpath'] = '/config/devices/entry/vsys/entry/address'
r = s.get(uri, params=params)
print r.text

This next query will list the security and NAT rulebases on the firewall
params['xpath'] = '/config/devices/entry/vsys/entry/rulebase'
r = s.get(uri, params=params)
print r.text

Example 2
In this next example we’ll show a fairly simple configuration item so we can demonstrate the commit process.  Again we assume that you’ve already created your session object “s” and you have set a string called “key” with the correct authentication key.

Now we will create an address object :
params = {}
params['type'] = 'config'
params['action'] = 'set'
params['key'] = key
params['xpath'] = "/config/devices/entry/vsys/entry/address/entry[@name='HST_10.1.1.1']"
params['element'] = '<ip-netmask></ip-netmask>'
params['element'] += '<description>Test Internal Host IP - added by python</description>'
r = s.get(uri, params=params)
print r.text

And then commit the configuration:
params = {}
params['type'] = 'commit'
params['cmd'] = '<commit></commit>'
params['key'] = key
r = s.get(uri, params=params)

However if we now check the output from the reply object, it only tells us a job id and not if it completed OK.
print r.text

So to check the job completed we can run the following (example is where job id id 99):
jobid = 99
params = {}
params['type'] = 'op'
params['cmd'] = '<show><jobs><id>%s</id></jobs></show>' % jobid
params['key'] = key
r = s.get(uri, params=params)
print r.text


I’ve only show a couple of examples here as we basically need to build the XML for each type of request and understand the xpath for each task that you want to do.  Also if you’re using VSYS or if you’re using “shared” objects then the xpath will change for certain tasks.  Where I’ve used a virtual Palo Alto in this blog, it’s made the xpath format a certain way as there’s no VSYS and no shared objects.

To use this in production then I have developed a module that does all the heavy lifting such as doing commits, checking the job id result, storing all the outputs in class parameters, logging and reporting back with a Boolean True/False for each command run.  This makes it very easy to script changes on top of that and debug when things aren’t working.

Also please refer to the documentation below to build on top the examples shown in this blog.



  1. I really appreciate information shared above. It’s of great help. If someone want to learn Online (Virtual) instructor lead live training in Palo Alto
    , kindly contact us
    MaxMunus Offer World Class Virtual Instructor led training on in Palo Alto We have industry expert trainer. We provide Training Material and Software Support. MaxMunus has successfully conducted 100000+ trainings in India, USA, UK, Australlia, Switzerland, Qatar, Saudi Arabia, Bangladesh, Bahrain and UAE etc.
    For Demo Contact us:
    Name : Arunkumar U
    Email :
    Skype id: training_maxmunus
    Contact No.-+91-9738507310
    Company Website –

  2. Somebody necessarily help to make severely posts I might state. This is the first time I frequented your website page and to this point? I surprised with the research you made to create this particular post extraordinary. Well done admin..
    Python Training in Chennai

    1. thanks for the comment. Due to the nature of xpath it is hard to do lots of examples, as it depends on your vsys setup. For F5 and Palo Alto you could write a whole book of examples. Hopefully this is enough to get you going !!

  3. Usually I do not read post on blogs, but I would like to say that this write-up very forced me to try and do it! Your writing style has been surprised me. Great work admin.Keep update more blog.
    Python Training in Chennai

  4. It is amazing and wonderful to visit your site.Thanks for sharing this information,this is useful to me...
    Android Training in Chennai
    Ios Training in Chennai

  5. This is a very informative blog. Thoroughly enjoyed it. python training in Chennai

  6. This is most informative and also this post most user friendly and super navigation to all posts... Thank you so much for giving this information to me.. 

    rpa online training |
    rpa course in bangalore |
    rpa training in bangalore |
    rpa training institute in bangalore

  7. Good Post! Thank you so much for sharing this pretty post, it was so good to read and useful to improve my knowledge as updated one, keep blogging.
    Best Devops training in sholinganallur
    Devops training in velachery
    Devops training in annanagar
    Devops training in tambaram

  8. Thank you for an additional great post. Exactly where else could anybody get that kind of facts in this kind of a ideal way of writing? I have a presentation next week, and I’m around the appear for this kind of data.
    python training in rajajinagar | Python training in bangalore | Python training in usa

  9. Really great post, I simply unearthed your site and needed to say that I have truly appreciated perusing your blog entries. I want to say thanks for great sharing.

    angularjs Training in bangalore

    angularjs Training in bangalore

    angularjs online Training

    angularjs Training in marathahalli

    angularjs interview questions and answers

  10. Howdy, would you mind letting me know which web host you’re utilizing? I’ve loaded your blog in 3 completely different web browsers, and I must say this blog loads a lot quicker than most. Can you suggest a good internet hosting provider at a reasonable price?

    Best AWS Training Institute in BTM Layout Bangalore ,AWS Coursesin BTM

    Best AWS Training in Marathahalli | AWS Training in Marathahalli

    Amazon Web Services Training in Jaya Nagar | Best AWS Training in Jaya Nagar

    AWS Training in BTM Layout |Best AWS Training in BTM Layout