Palo Alto version 9 and above has a nice REST-API. For those still on 8, only the older XML-API is available. Here’s a quick rundown on how to use it.
Set up accounts and roles. By default, users with an API key will have full access to the XML API. Here’s a specifically restrictive role:
Once roles are configured, each user or account should obtain a separate API key. This can be done with a simple curl request:
curl -k -X GET 'https://myfirewall.mydomain.com/api/?type=keygen&user=myusername&password=XXXYYYZZZ1234'
Look for the API key in the XML output between the <key></key> tags.
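Added example (not from the original post or from pan-python): the keygen step in Python, with the credentials sent in the POST body instead of the query string and the response status checked before <key> is read. It assumes the firewall accepts the keygen parameters via POST; the sample responses and all function names are constructed for illustration.

```python
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample responses in the shape the XML API returns for type=keygen.
SAMPLE_OK = ('<response status="success"><result>'
             '<key>EXAMPLE-KEY-NOT-REAL</key></result></response>')
SAMPLE_DENIED = ('<response status="error" code="403"><result>'
                 '<msg>Invalid credentials.</msg></result></response>')


class KeygenError(Exception):
    """Raised when the firewall does not return a usable API key."""


def build_keygen_request(host, user, password):
    """Build a keygen request with the credentials in the POST body,
    so they stay out of the URL, proxy logs and shell history."""
    body = urllib.parse.urlencode(
        {"type": "keygen", "user": user, "password": password})
    return urllib.request.Request(
        f"https://{host}/api/", data=body.encode("ascii"), method="POST")


def extract_api_key(xml_text):
    """Return the text of <key>, or raise KeygenError with the reason."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise KeygenError(f"response is not XML: {exc}") from exc
    if root.get("status") != "success":
        msg = root.findtext("./result/msg") or "no message"
        raise KeygenError(f"keygen failed (code {root.get('code')}): {msg}")
    key = (root.findtext("./result/key") or "").strip()
    if not key:
        raise KeygenError("success response carried no <key> element")
    return key


def fetch_api_key(host, user, password, timeout=10):
    """Send the request; urlopen verifies the certificate by default (no -k)."""
    req = build_keygen_request(host, user, password)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return extract_api_key(resp.read().decode("utf-8"))


if __name__ == "__main__":
    print(extract_api_key(SAMPLE_OK))
```

fetch_api_key keeps certificate verification on, so a firewall with a self-signed certificate needs its CA added to the trust store rather than verification disabled.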
Download pan-python and unpack it:
tar -xzvf pan-python-0.16.0.tar.gz
Note: this can also be installed as a Python package with pip3 install pan-python, but it requires urllib2, which was replaced with urllib3 in Python 3.
Give it a spin:
./pan-python-0.16.0/bin/panxapi.py -h myfirewall.mydomain.com -K "LUFRPT1ZTWcxL0F6RngvNkl2eFdDeS9JMjhDUUlGbTg9ZWhlWEtjUFF3UVU1OEViZlJHWDloLzdvL0s4Zm1kU0MvZ1dMTFpnc2xZcz0=" -x -o "<show><routing><route></route></routing></show>"
This will return the XML version of the “show routing route” CLI command output.