Setup API Access to Palo Alto Networks VM-Series

Follow the steps below to enable Palo Alto Networks API programming.

1. Enable Ping

Make sure the Palo Alto Networks management interface has ping enabled and that the instance’s security group has an ICMP policy open to the Aviatrix Controller’s public IP address.

At the Palo Alto VM-Series console,

  1. Click Device
  2. Click Interfaces
  3. Click Management
  4. Make sure the setup matches the following screenshot.


2. Create API Administrator Role Profile

  1. Create a new role profile and name it Aviatrix-API-Role: Go to Device -> Admin Roles -> +Add
  2. Click XML/REST API
  3. Click Report, Configuration, Operation Requests and Commit
  4. Click Commit.


3. Add an Administrator for API

At the VM-Series console, go to Device -> Administrators -> +Add to add an administrator for role-based access, as shown below. Use the profile created in the previous step.


4. Configure on the Aviatrix Controller

Log in to the Aviatrix Controller and go to Firewall Network -> Vendor Integration. Configure the following parameters and click Save.

Setting                                  Value
Transit VPC ID                           The Transit VPC ID for the Transit DMZ deployment.
Firewall instance ID                     The firewall EC2 instance ID. The Aviatrix Controller monitors the health of this instance and decides to fail over when it becomes unreachable.
Firewall Name (Optional)                 A name to remember.
Firewall Vendor Type                     Select PAN.
Firewall Login User Name                 The firewall login name for API calls from the Controller. For example, admin-api, as shown in the screenshot.
Firewall Login Password                  The firewall login password for API calls.
Firewall Management IP Address           The public IP address of the firewall management interface for API calls from the Aviatrix Controller.
Firewall Virtual Router name (Optional)  The name of the firewall virtual router you wish the Controller to program. If left unspecified, the Controller programs the firewall’s default router.

5. API calls

The Controller integrates the following functions:

  • The Controller monitors the health of the Palo Alto Networks software by using the VM-Series API and performs a switchover based on the API return status.
  • The Controller dynamically programs the Palo Alto Networks route tables with any newly propagated routes discovered from new Spoke VPCs and from new on-premise routes.

Examples of the Palo Alto Networks API calls used:

  1. get key:
  2. get route tables: [@name='localhost.localdomain']/network/virtual-router/entry[@name='default']&key=LUFRPT1YQk1SUlpYT2xIT3dqMUFmMlBEaVgxbUxwTmc9RFRlWncrbURXZVpXZUUyMFE3V3ZWVXlaSlFvdkluT2F4dzMzWUZpMGtZaz0=&action=get
  3. show interfaces: <show><interface>ethernet1/2</interface></show>
  4. add route: [@name='localhost.localdomain']/network/virtual-router/entry[@name='default']/routing-table/ip/static-route/entry[@name='test2']&key=LUFRPT1BbkNIbXJZNlVBOVdRMXNMSUNVRis1VWRHaTA9RFRlWncrbURXZVpXZUUyMFE3V3ZWU2ZEZzdCNW8yUEpwU3Q1NXEzeDBnST0=&action=set&element=<nexthop><ip-address></ip-address></nexthop><bfd><profile>None</profile></bfd><path-monitor><enable>no</enable><failure-condition>any</failure-condition><hold-time>2</hold-time></path-monitor><metric>10</metric><destination></destination><route-table><unicast/></route-table>
  5. delete route: [@name='localhost.localdomain']/network/virtual-router/entry[@name='default']/routing-table/ip/static-route/entry[@name='test2']&key=LUFRPT1BbkNIbXJZNlVBOVdRMXNMSUNVRis1VWRHaTA9RFRlWncrbURXZVpXZUUyMFE3V3ZWU2ZEZzdCNW8yUEpwU3Q1NXEzeDBnST0=&action=delete
  6. commit: <commit></commit>
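
The add-route and delete-route calls above carry the API key in the URL and splice the route name into an xpath predicate. The Python sketch below is an added example, not Aviatrix or Palo Alto Networks code: it builds the same two requests with the key in the X-PAN-KEY header and the parameters in a POST body, and validates every value before it reaches the xpath or the XML element. Assumptions: a PAN-OS release that accepts the X-PAN-KEY header (9.0 or later), an IPv4 management address, the hypothetical names build_route_request, ROUTE_XPATH and NAME_RE, and constructed sample values.

```python
import ipaddress
import re
import urllib.parse
import urllib.request

# Standard PAN-OS config xpath for one static route; the device and router
# names match the ones in the page's example calls.
ROUTE_XPATH = (
    "/config/devices/entry[@name='localhost.localdomain']"
    "/network/virtual-router/entry[@name='{vr}']"
    "/routing-table/ip/static-route/entry[@name='{name}']")
# Assumed conservative allow-list for object names (not a PAN-OS constant).
NAME_RE = re.compile(r"[A-Za-z0-9._-]{1,31}")


def _name(value):
    """Reject names that could break out of the xpath predicate."""
    if not NAME_RE.fullmatch(value):
        raise ValueError(f"unsafe object name: {value!r}")
    return value


def build_route_request(host, api_key, action, name, vr="default",
                        destination=None, nexthop=None):
    """Return an unsent urllib Request that sets or deletes one static route."""
    if action not in ("set", "delete"):
        raise ValueError("action must be 'set' or 'delete'")
    host = str(ipaddress.IPv4Address(host))  # management IP only, no hostnames
    params = {"type": "config", "action": action,
              "xpath": ROUTE_XPATH.format(vr=_name(vr), name=_name(name))}
    if action == "set":
        # Parsing rejects anything that is not an address, so no markup can
        # ride along in a propagated route. Subset of the page's element fields.
        dest = ipaddress.ip_network(destination, strict=True)
        hop = ipaddress.ip_address(nexthop)
        params["element"] = (
            f"<nexthop><ip-address>{hop}</ip-address></nexthop>"
            f"<metric>10</metric><destination>{dest}</destination>")
    body = urllib.parse.urlencode(params).encode()
    # Key in a header, parameters in the body: nothing secret lands in a URL.
    return urllib.request.Request(f"https://{host}/api/", data=body,
                                  method="POST", headers={"X-PAN-KEY": api_key})
```

Pass the returned object to urllib.request.urlopen with certificate verification left on, then issue the commit call the same way.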