•PANOS APIsApril 2011Marc Benoit
•User-ID API detailsExternal system uses SSL/TLS to connect to User-ID AgentExternal system can send user login/logout event info to Agent in XMLAgent
•User-ID API samples - XML Request •<uid-message>•<version>1.0</version>•<type>update</type>•<payload>•<login&g
•User-ID API samples Leverage what already existsMAC logon script pack●Contains PAN::API.pmNew version on the way with error checking etc from MartinG
•User-ID XML API use case:Virtualization Security Visibility
•The Situation Today: Islands of ManagementWorkloadsNetworksPolicies•VM Management•Security Management•Network ManagementGap• No data synchronization
•Palo Alto Networks Eliminates the GapWorkloadsNetworksPolicies•VM Management•Security Management•Network Management• Cross-functional visibility &
•VM-ID vSphere Polling© 2011 Palo Alto Networks. Proprietary and Confidential.Page 16 | vCentervSphere•1. User-ID Agent Polls vCenter or ESX(i)•2.
•User-ID XML API use case:Palo Alto Networks/Enterasys
User-ID requires directory data for User->Group mappingUser->IP Obtained via passive and active mechanismsWindows Security LogsNTLM auth/Captive
User->IP mapping is critical for dynamic security policyMapping mechanisms need to be extended to the actual point of entry on the network●Wired an
•What is an API?API, an abbreviation of Application Programming Interface, is a set of routines, protocols and tools for building software application
© 2011 Palo Alto Networks. Proprietary and Confidential.Page 20 | •Use Case: User-Application Data feed
•XML API use case:Palo Alto Networks/Enterasys
Leverages XML API to extract application data per userPublishes additional meta data to Enterasys NAC applianceThey obtain context regarding applicati
User->App mapping is critical for posture assessment and security compliancePalo Alto Networks rich application data adds depth to Enterasys NAC re
© 2011 Palo Alto Networks. Proprietary and Confidential.Page 24 | •Use Case: User-Application Data feed
•Community Supported ToolsBusiness Development
•BackgroundPalo Alto Networks offers a rich XML APILimited documentation and low adoptionTremendous potential!Emerging markets like Service Providers
•Community Supported ToolsProvide reference implementationsSimplify XML-API use through convenience libraries●Like a CLI for the XML APIScripts and ex
•WebService SDKSDK consists of VM and Source Code PackageIncludes reference implementation of an MSSP Custom PortalUtilizes standard LAMP stack (Linux
•WebService SDKClientServerHTMLWidgetWidgetWidgetWidgetExt.jsMySQL DBWeb Server (Apache)Sample Scripts (PHP)cronSample Scripts (PHP)XML APIJSON© 2011
•Why should I care?SE’s face a myriad of technical sales objections during sales cycleAPI’s can be leveraged to solve complex integration questionsBe
•WebService SDKWhat it’s not……A Replacement for PanoramaA Replacement for the device GUIAn alternative GUI to address a FRWhat does it address?Environ
•PAN-Perl PackagePackage consists of Perl XML-API wrapperSimplifies interactions with XML-API (command line)Provides utility and convenience libraries
•DevCenter CommunityAn online community of Palo Alto Networks Next Generation Firewall UsersCustomersResellers and partnersPalo Alto Networks System E
•DevCenter CommunityOnline Community for customers, partners, employees to share and discuss custom content at:https://live.paloaltonetworks.com/commu
•DevCenter CommunityClick to edit Master text stylesSecond level●Third level●Fourth level●Fifth levelPage 34 | © 2011 Palo Alto Networks. Propriet
•NO•NO•SDK/Tools Support ProcessXML API is part of the productCustomers are entitled to Palo Alto Networks technical support for the XML APIThe DevCen
•Community Supported Tools as a Differentiator•Other vendors provide an API too-CheckPoint (OPSEC) -Juniper (XML)-Fortinet (XML)•Only Palo Alto Netwo
•XML API Enhancements (4.1)Support for Operational CommandsSetting, Showing, Clearing runtime parametersSaving and loading configuration to/from diskR
•XML API Browser (4.1)Click to edit Master text stylesSecond level●Third level●Fourth level●Fifth level
•Demo
•PANOS provides 2 APIs for external systemREST APIExternal system can manage device from remoteCan show/set/edit/delete the device configCan poll ACC/
•REST API detailsExternal system can connect to the device mgmt interface over SSLExternal system can use REST API to see/change device config AND/OR
•REST API samples•Key generation request example:•https://hostname/esp/restapi.esp?type=keygen&user=username&password=password•Key generation
•REST API samples – cont.•Xpath example•xpath=devices/entry/vsys/entry/rulebase/security •Example: Get security rulebase info from device config•http
•REST API samples – cont. •Example : Get Application Top 5 data from ACC•https://hostname/esp/restapi.esp?type=report&reporttype=dynamic&repo
•REST API samples – cont. How can I demonstrate the API?Leverage simple examples in a web browserGet a key:https://10.xx.10.50/esp/restapi.esp?type=ke
Comments to this Manuals