Palo Alto Standalone Firewalls

This guide is for getting the configuration(s) from standalone Palo Alto Firewalls.

Using HTTP(S)

We recommend using HTTPS rather than HTTP for transferring your device's configuration, as HTTP provides no encryption. The procedure for getting the configuration from the device using HTTP(S) is as follows:

  1. Using your favorite web browser, connect to the HTTP(S) service provided by your Palo Alto device for remote management. You can do this by entering "https://" (recommended) or "http://" followed by your device's IP address.

  2. Log on using your administration username and password.

  3. Click the Device tab and then click the Setup button in the sidebar. On the Setup screen, click the Operations tab.

  4. Click Export named configuration snapshot and then choose the configuration that you would like to export.

  5. Finally, click OK to save your device configuration.

Note: Unfortunately, the full version (including the patch number, e.g. 8.0.5) is not available in Palo Alto configuration files. To work around this, when adding a Palo Alto device, click the Edit pencil and manually set the OS version to the correct version. This version number can be found under Software Version in your Palo Alto General Information window. To avoid this process, please see the following section on PAN-OS API.

PAN-OS API

PAN-OS API uses API GET requests to obtain the configuration and accurate version number from your Palo Alto PAN-OS device. PAN-OS API is available on PAN-OS version 8.0 and newer (including 9 and 10).

The following types of Administrators and Admin roles are supported:

  • Dynamic roles: Superuser, Superuser (readonly), Device admin, Device admin (readonly), Vsys admin, Vsys admin (readonly)
  • Role-based Admins: Device, Vsys, Panorama.

To use the PAN-OS API, you must first allow API access to the Admin role accessing the device. This is done as follows:

  1. Go to Device > Admin Roles and select or create an admin role. As a best practice, set up a separate Admin role and account for API access.
  2. Select the XML API tab.

  3. Enable the required API features from the list. Nipper only requires the Configuration feature enabled in order to audit your device.

  4. Select OK to confirm your changes.

  5. Go to Device > Administrators, and assign the role profile to an administrator account. Note that the Administrator Type must be set to Role Based to set the Profile.

Although Nipper generates a new secure API key for each config retrieval and does not store the key, as a best practice you should specify an API key lifetime to enforce regular key rotation, which protects against compromise and reduces the effects of accidental exposure. This is done as follows:

  1. Go to Device > Setup > Management and edit Authentication Settings.

  2. Set the field API Key Lifetime (min) to a suitable value (between 1-525600 minutes).

  3. Refer to the audit and compliance policies for your enterprise to determine how you should specify the lifetime for which your API keys are valid.

  4. Commit the changes.

Nipper can now use the PAN-OS API connection method to retrieve your configuration with an accurate version number. To do this, select version 8+ (PAN-OS API) from the Version: dropdown when adding a remote Palo Alto Firewall network device.

Note: To use the PAN-OS API connection method through Nipper's audit scheduling via HTTPS, the firewall must have a correctly installed certificate that is trusted by the machine you are connecting from. For more information on this you can follow this guide from Palo Alto.
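The following added example (not Nipper's own code) checks the dedicated API account from the connecting machine with certificate verification left on, and shows why the version in an exported configuration file differs from the one the API reports. It uses the PAN-OS XML API request types keygen and version; the host, account and CA file arguments are hypothetical, and all sample responses are constructed.

```python
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample responses (not captured from a real device).
SAMPLE_KEYGEN = ('<response status="success"><result>'
                 '<key>EXAMPLE-KEY-NOT-REAL</key></result></response>')
SAMPLE_VERSION = ('<response status="success"><result>'
                  '<sw-version>8.0.5</sw-version></result></response>')
SAMPLE_DENIED = ('<response status="error" code="403"><result>'
                 '<msg>Invalid credentials.</msg></result></response>')
SAMPLE_CONFIG = '<config version="8.0.0"><devices/></config>'


def tls_context(ca_file=None):
    """Verifying context; ca_file is the CA that issued the firewall certificate."""
    return ssl.create_default_context(cafile=ca_file)  # CERT_REQUIRED + hostname check


def parse_result(xml_text, path):
    """Return the text at `path`, refusing anything but a success response."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise PermissionError(root.findtext("result/msg", "API request rejected"))
    value = root.findtext(path)
    if not value:
        raise ValueError(f"{path} missing from response")
    return value.strip()


def config_file_version(config_xml):
    """Version recorded in an exported configuration file's root element."""
    return ET.fromstring(config_xml).get("version")


def api_post(host, params, ctx):
    """POST keeps the password or API key out of URLs and proxy logs."""
    body = urllib.parse.urlencode(params).encode()
    req = urllib.request.Request(f"https://{host}/api/", data=body)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.read().decode()


def device_version(host, user, password, ca_file=None):
    """Generate a key for the API account, then ask the device for its full version."""
    ctx = tls_context(ca_file)
    key = parse_result(api_post(host, {"type": "keygen", "user": user,
                                       "password": password}, ctx), "result/key")
    return parse_result(api_post(host, {"type": "version", "key": key}, ctx),
                        "result/sw-version")
```

If `device_version` fails with a certificate verification error, the firewall certificate is not trusted by this machine and the scheduled HTTPS connection will fail for the same reason.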