
Palo Alto Networks Discovery

The Infracast Palo Alto plugin uses the PAN-OS XML API to retrieve firewall configuration and operational data. It supports both standalone firewalls and Panorama-managed deployments. Authentication is via API key.

How It Works

  1. Infracast authenticates to the PAN-OS management API with an API key; the key is presented on every request, there is no session
  2. Configuration is retrieved via GET /api/?type=config&action=get with an XPath scoped to each vsys. Note that action=get returns the candidate configuration (uncommitted edits included), while action=show returns the committed running configuration
  3. Operational data (interfaces, sessions, HA state) is retrieved via type=op requests (operational commands)
  4. For Panorama, configuration is pulled per device group and template

API Key Generation

Infracast requires an API key tied to a dedicated admin account on the firewall or Panorama. Give that account only the XML API request types discovery needs (configuration, operational requests, reports, export) and no commit, import or User-ID privileges.

Step 1: Create a Read-Only Admin Account

Via CLI (SSH to the firewall):

```bash
# SSH into the firewall and enter configuration mode
ssh admin@fw01.example.com
configure

# Create a device-scope admin role profile for the XML API.
# PAN-OS XML API privileges are granted per request type (report, log, config,
# op, commit, user-id, export, import); there is no separate read/write split,
# so `config` also permits set/edit/delete on the candidate configuration.
# Leave commit, import and user-id disabled so nothing this account changes
# can take effect. Confirm the keywords with `?` on your PAN-OS release.
set shared admin-role infracast-ro role device xmlapi config enable
set shared admin-role infracast-ro role device xmlapi op enable
set shared admin-role infracast-ro role device xmlapi report enable
set shared admin-role infracast-ro role device xmlapi export enable
set shared admin-role infracast-ro role device xmlapi commit disable
set shared admin-role infracast-ro role device xmlapi import disable
set shared admin-role infracast-ro role device xmlapi user-id disable
set shared admin-role infracast-ro role device cli none

# Create the admin user and bind it to the custom role
set mgt-config users infracast password
# (enter password when prompted)
set mgt-config users infracast permissions role-based custom profile infracast-ro

# Alternative: the built-in read-only dynamic role instead of a custom profile
# set mgt-config users infracast permissions role-based superreader yes

# Commit
commit
```

Via GUI:

  1. Create the role at Device → Admin Roles → Add:
    • Name: infracast-ro
    • Role: Device
    • Web UI tab: disable everything (the account never logs in interactively)
    • XML API tab: enable Report, Configuration, Operational Requests and Export; leave Log, Commit, User-ID Agent and Import disabled
    • Command Line: None
  2. Create the administrator at Device → Administrators → Add: Name infracast, Administrator Type: Role Based, Profile: infracast-ro, and set the password
  3. Commit

The XML API privileges are per request type, not read/write: Configuration also allows set/edit/delete on the candidate configuration. Withholding Commit means none of those edits can take effect, but check the candidate configuration (Config Audit) if this key is ever exposed. The built-in Superuser (read-only) dynamic role is the alternative if you want a strictly read-only account.

Step 2: Generate the API Key

```bash
# Generate the API key. Send the credentials in a POST body rather than the
# query string so the password does not land in shell history or web/proxy
# logs, and verify the management certificate instead of passing -k.
read -rs -p "Password for infracast: " PANOS_PW; echo
curl --cacert /run/secrets/panos-ca.pem \
  "https://fw01.example.com/api/?type=keygen" \
  --data-urlencode "user=infracast" \
  --data-urlencode "password=${PANOS_PW}" \
  | grep -o '<key>[^<]*</key>'
unset PANOS_PW
```

If the firewall still uses its factory self-signed certificate, `-k` will get you through this one-off step, but the key is then returned over an unverified connection; install a CA-issued management certificate before registering the key.

Expected response:

```xml
<response status="success">
  <result>
    <key>LUFRPT1YbXhVOGV4...</key>
  </result>
</response>
```

Save the key value — this is what you'll register in Infracast.

tip

API keys do not expire by default on PAN-OS: the API Key Lifetime setting under Device → Setup → Management → Authentication Settings defaults to 0 (never). Keys are invalidated if the admin account's password is changed, the account is deleted, or an administrator uses Expire All API Keys on that page. Rotate keys by setting a lifetime or generating a new one and updating the Infracast credential.
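The key-generation and keyed-request flow above, as an added example in Python. This is not Infracast's or Palo Alto's code; it uses only the standard library. It sends the credentials in a POST body rather than the query string, passes the key in the X-PAN-KEY header (PAN-OS 9.0 and later) instead of `key=`, verifies the management certificate, and treats a `status="error"` response (including the HTTP 403 PAN-OS returns for a bad key) as a failure rather than an empty result. The hostname, CA path and the sample XML responses are constructed for the example.

```python
"""Added example, not Infracast or PAN-OS code: API key generation and keyed
requests against the PAN-OS XML API without leaking secrets into URLs.
Standard library only; the sample responses below are constructed."""
import ssl
import urllib.error
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET


class PanApiError(Exception):
    """PAN-OS answered with status="error" (e.g. code 403 for a bad key)."""


def make_ssl_context(ca_file=None, verify=True):
    """Verify the management cert against the system store or a custom CA.
    verify=False is what `curl -k` / `tls_verify: false` do: no verification."""
    ctx = ssl.create_default_context(cafile=ca_file)
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def keygen_request(host, user, password):
    """POST the credentials as a form body so the password never appears in
    the URL (and so not in shell history, proxy or web-server logs)."""
    body = urllib.parse.urlencode({"user": user, "password": password}).encode()
    return urllib.request.Request(
        f"https://{host}/api/?type=keygen", data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})


def op_request(host, api_key, cmd_xml):
    """Operational request. The key rides in the X-PAN-KEY header (PAN-OS 9.0+)
    rather than the `key=` query parameter, and the command is URL-encoded so
    the angle brackets survive proxies. urllib stores the header name as
    X-pan-key; header names are case-insensitive on the wire."""
    query = urllib.parse.urlencode({"type": "op", "cmd": cmd_xml})
    return urllib.request.Request(f"https://{host}/api/?{query}",
                                  headers={"X-PAN-KEY": api_key})


def parse_response(xml_bytes):
    """Return the <result> element; raise PanApiError on status="error".
    The HTTP code alone is not enough: always check the status attribute."""
    root = ET.fromstring(xml_bytes)
    if root.get("status") != "success":
        msg = root.findtext(".//msg") or root.findtext(".//line") or "unknown error"
        raise PanApiError(f"code={root.get('code')}: {msg}")
    return root.find("result")


def extract_key(xml_bytes):
    """Pull <key> out of a keygen response."""
    result = parse_response(xml_bytes)
    key = result.findtext("key") if result is not None else None
    if not key:
        raise PanApiError("keygen returned success but no <key>")
    return key


def send(req, ctx, timeout=30):
    """Perform a request and return its parsed <result>."""
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
            body = resp.read()
    except urllib.error.HTTPError as e:
        body = e.read()  # PAN-OS sends HTTP 403 with an XML body for a bad key
    return parse_response(body)


# Constructed sample responses in the shape the PAN-OS XML API returns.
KEYGEN_OK = (b'<response status="success"><result>'
             b'<key>LUFRPT1YbXhVOGV4EXAMPLE</key></result></response>')
KEYGEN_BAD = (b'<response status="error" code="403"><result>'
              b'<msg>Invalid credentials.</msg></result></response>')
SYSINFO_OK = (b'<response status="success"><result><system>'
              b'<hostname>fw01</hostname><sw-version>10.2.4</sw-version>'
              b'</system></result></response>')

if __name__ == "__main__":
    key = extract_key(KEYGEN_OK)
    req = op_request("fw01.example.com", key,
                     "<show><system><info></info></system></show>")
    print(req.full_url)  # neither key= nor a password appears in the URL
    print(parse_response(SYSINFO_OK).findtext("system/hostname"))
    # Live call (needs network access and the CA bundle):
    # send(req, make_ssl_context(ca_file="/run/secrets/panos-ca.pem"))
```

Replace the embedded responses with `send(...)` calls to run it against a real firewall; the parsing and error handling are the same either way.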

Registering the Credential in Infracast

```bash
# Register the API key
infracast creds add \
  --plugin palo-alto \
  --name "fw01-prod" \
  --type panos-api-key \
  --host "fw01.example.com" \
  --api-key-file /run/secrets/panos-fw01-apikey \
  --tls-verify true \
  --ca-cert-file /run/secrets/panos-ca.pem   # optional, for custom CA
```

Configuring the Discovery Job

Standalone Firewall

infracast.yaml

```yaml
discovery:
  jobs:
    - name: paloalto-fw01
      plugin: palo-alto
      credential: fw01-prod
      schedule: "0 */4 * * *"
      config:
        mode: standalone
        host: "fw01.example.com"
        port: 443
        tls_verify: true
        vsys:
          - vsys1          # list specific vsys, or leave empty for all
        collect:
          security_rules: true
          nat_rules: true
          decryption_rules: true
          zones: true
          interfaces: true
          routing: true
          objects: true    # address objects, service objects, groups
          applications: true
          threat_profiles: true
          ha_state: true
```

Panorama-Managed Deployment

```yaml
discovery:
  jobs:
    - name: paloalto-panorama
      plugin: palo-alto
      credential: panorama-prod
      schedule: "0 */4 * * *"
      config:
        mode: panorama
        host: "panorama.example.com"
        port: 443
        tls_verify: true
        # Discover all device groups, or specify specific ones
        device_groups:
          - "Production-DG"
          - "DMZ-DG"
        # Include template configurations
        templates:
          - "Production-Template"
        # Optionally push discovery down to managed firewalls
        discover_managed_devices: true
```

What Gets Discovered

| Category | Resource Types |
|---|---|
| Security Policies | Security rules (name, source/dest zones, source/dest addresses, applications, services, action, profiles, tags, logging) |
| NAT Policies | NAT rules (type: static/dynamic/U-turn, source/dest translation, interface bindings) |
| Decryption Policies | Decryption rules, SSL/TLS inspection profiles |
| Zones | Zone name, type (layer2/layer3/tap/tunnel/vwire), associated interfaces, zone protection profiles |
| Interfaces | Physical and logical interfaces (IP, type, zone assignment, VLAN, state) |
| Routing | Virtual routers, static routes, OSPF/BGP config, routing table |
| Objects | Address objects, address groups, service objects, service groups, application filters |
| URL Filtering | URL filtering profiles, custom URL categories |
| Threat Prevention | Antivirus profiles, Anti-spyware profiles, Vulnerability protection profiles, WildFire settings |
| HA | HA mode (active/active, active/passive), HA state, peer information |
| Certificates | Certificate inventory, expiry dates |
| Logs | Log forwarding profiles, syslog server config (metadata only) |
| Panorama | Device groups, templates, template stacks, managed device list |

Troubleshooting

Authentication failed / 403 response

Symptom: Error: API call failed: 403 Forbidden or Invalid credentials

Checks:

  1. Verify the API key is correct and not truncated. Send the key in the X-PAN-KEY header (PAN-OS 9.0 and later) rather than the key= query parameter so it stays out of web and proxy logs, and let curl URL-encode the command:
    curl --cacert /run/secrets/panos-ca.pem -G "https://fw01.example.com/api/" \
      -H "X-PAN-KEY: YOUR_API_KEY" \
      --data-urlencode "type=op" \
      --data-urlencode "cmd=<show><system><info></info></system></show>"
    A valid key returns <response status="success">; a bad or truncated key returns HTTP 403 with <msg>Invalid credentials.</msg>. On releases before 9.0 append --data-urlencode "key=YOUR_API_KEY" instead of the header.
  2. Verify the infracast admin account is not locked out after failed login attempts: Device → Administrators shows a lock icon next to a locked account. The CLI command show admins lists only currently logged-in administrators, so it will not show the lockout.
  3. Verify the admin role has the XML API request types enabled (Configuration and Operational Requests at minimum); a role with XML API disabled is rejected the same way

TLS certificate errors

Symptom: Error: x509: certificate signed by unknown authority

Option A: Provide the firewall's CA cert:

```bash
infracast creds update --name "fw01-prod" \
  --ca-cert-file /run/secrets/panos-ca.pem
```

Option B: Disable TLS verification (not recommended for production):

```yaml
config:
  tls_verify: false
```

warning

Disabling TLS verification exposes Infracast to MITM attacks: anyone on the path can present any certificate, read the API key from the request, and feed Infracast a forged configuration. Only use this for testing or when connecting over a fully trusted management network.

Missing security rules or objects

Symptom: The firewall has rules in the GUI but they don't appear in Infracast

Cause: Rules may be in a different vsys or device group.

Fix: List the vsys defined on the device and include them all in the job. Reading the vsys container through the config API returns one <entry name="..."> per vsys:

```bash
curl --cacert /run/secrets/panos-ca.pem -G "https://fw01.example.com/api/" \
  -H "X-PAN-KEY: YOUR_KEY" \
  --data-urlencode "type=config" --data-urlencode "action=show" \
  --data-urlencode "xpath=/config/devices/entry[@name='localhost.localdomain']/vsys"
```

```yaml
config:
  vsys: []   # empty list = discover all vsys
```

The same applies on Panorama: a rule that lives in a device group not listed under device_groups is not collected.
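The config retrieval described under How It Works, and the missing-vsys problem above, as one added example in Python (not Infracast's or Palo Alto's code; standard library only). It builds the config query for a vsys rulebase, parses the security rules into the fields listed under What Gets Discovered, and walks every vsys in the device so that a job scoped to vsys1 visibly misses what sits in vsys2. SAMPLE_CONFIG is a constructed fragment in the PAN-OS running-config layout; the rule and vsys names are made up.

```python
"""Added example, not Infracast or PAN-OS code: read the security rulebase of
every vsys through the config API and show what a job scoped to one vsys
misses. Standard library only; SAMPLE_CONFIG is a constructed running-config
fragment in the PAN-OS XML layout."""
import urllib.parse
import xml.etree.ElementTree as ET

VSYS_BASE = "/config/devices/entry[@name='localhost.localdomain']/vsys"


def rulebase_xpath(vsys):
    """XPath of the security rulebase for one vsys."""
    return f"{VSYS_BASE}/entry[@name='{vsys}']/rulebase/security/rules"


def config_get_query(xpath, candidate=False):
    """Query string for a config read. action=show returns the committed
    (running) config; action=get returns the candidate, uncommitted edits
    included. Inventory should normally read the running config."""
    action = "get" if candidate else "show"
    return urllib.parse.urlencode({"type": "config", "action": action, "xpath": xpath})


def _members(entry, tag):
    return [m.text for m in entry.findall(f"{tag}/member")]


def parse_security_rules(rules_el):
    """Flatten <entry> rules into the fields listed under What Gets Discovered."""
    rules = []
    for e in rules_el.findall("entry"):
        rules.append({
            "name": e.get("name"),
            "from": _members(e, "from"),
            "to": _members(e, "to"),
            "source": _members(e, "source"),
            "destination": _members(e, "destination"),
            "application": _members(e, "application"),
            "service": _members(e, "service"),
            "action": e.findtext("action"),
            "disabled": e.findtext("disabled") == "yes",
            "log_end": e.findtext("log-end", "yes") == "yes",  # PAN-OS default: yes
        })
    return rules


def rules_by_vsys(config_xml, vsys_filter=()):
    """Walk every vsys entry, or only those named in vsys_filter (the job's
    `vsys:` list), and return {vsys_name: [rules]}. Empty filter = all vsys."""
    root = ET.fromstring(config_xml)
    out = {}
    for vs in root.findall(".//vsys/entry"):
        name = vs.get("name")
        if vsys_filter and name not in vsys_filter:
            continue
        rules_el = vs.find("rulebase/security/rules")
        out[name] = parse_security_rules(rules_el) if rules_el is not None else []
    return out


def permissive_rules(rules):
    """Names of enabled any/any/any/any allow rules, the first thing to check
    once the full inventory is in hand."""
    return [r["name"] for r in rules
            if r["action"] == "allow" and not r["disabled"]
            and r["source"] == ["any"] and r["destination"] == ["any"]
            and r["application"] == ["any"] and r["service"] == ["any"]]


# Constructed sample: two vsys, the second holding a rule a vsys1-only job misses.
SAMPLE_CONFIG = b"""<config version="10.2.0"><devices><entry name="localhost.localdomain"><vsys>
<entry name="vsys1"><rulebase><security><rules>
<entry name="allow-web"><from><member>trust</member></from><to><member>untrust</member></to>
<source><member>any</member></source><destination><member>any</member></destination>
<application><member>web-browsing</member><member>ssl</member></application>
<service><member>application-default</member></service><action>allow</action><log-end>yes</log-end></entry>
<entry name="deny-all"><from><member>any</member></from><to><member>any</member></to>
<source><member>any</member></source><destination><member>any</member></destination>
<application><member>any</member></application><service><member>any</member></service>
<action>deny</action></entry>
</rules></security></rulebase></entry>
<entry name="vsys2"><rulebase><security><rules>
<entry name="temp-allow-all"><from><member>any</member></from><to><member>any</member></to>
<source><member>any</member></source><destination><member>any</member></destination>
<application><member>any</member></application><service><member>any</member></service>
<action>allow</action><log-end>no</log-end></entry>
</rules></security></rulebase></entry>
</vsys></entry></devices></config>"""

if __name__ == "__main__":
    print(config_get_query(rulebase_xpath("vsys1")))
    scoped = rules_by_vsys(SAMPLE_CONFIG, ("vsys1",))
    everything = rules_by_vsys(SAMPLE_CONFIG)
    print("vsys1 only:", {v: len(r) for v, r in scoped.items()})
    print("all vsys:  ", {v: len(r) for v, r in everything.items()})
    for vsys, rules in everything.items():
        print(vsys, "permissive:", permissive_rules(rules))
```

Against a live firewall, feed the `<result>` of a `type=config&action=show` request for VSYS_BASE into `rules_by_vsys`; the temp-allow-all rule in vsys2 is exactly the kind of thing that stays invisible while the job lists only vsys1.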

Panorama: managed devices not discovered

Symptom: Panorama discovery succeeds but individual firewall details are missing

Fix: Enable discover_managed_devices and ensure the Infracast collector can reach each managed firewall:

```yaml
config:
  discover_managed_devices: true
  managed_device_timeout_seconds: 60
```

If managed firewalls are on a different network segment, they may need separate credentials and jobs:

```yaml
discovery:
  jobs:
    - name: paloalto-panorama
      plugin: palo-alto
      credential: panorama-prod
      config:
        mode: panorama
        discover_managed_devices: false   # discover Panorama config only

    - name: paloalto-fw01-direct
      plugin: palo-alto
      credential: fw01-direct-cred
      config:
        mode: standalone
        host: "fw01-internal.example.com"
```
High API call latency

Symptom: Discovery jobs take longer than expected; logs show API timeouts

Cause: Large rulebase or many objects increases API response time.

Fix: Increase the per-call timeout and cap the request rate; if the job still overruns, run it less often via schedule:

```yaml
config:
  api_timeout_seconds: 120   # default: 30
  api_rate_limit_rps: 2      # cap outgoing API requests per second
```

Certificate near-expiry warnings

Infracast monitors TLS certificates inventoried from Palo Alto and raises warnings for any expiring within 30 days. These appear in the Alerts section of the Infracast UI. No additional configuration needed.