Palo Alto PAN-OS
Description
The Palo Alto PAN-OS connector uses the PAN-OS REST API over HTTPS to discover device administrator accounts and their assigned admin roles or permission profiles on Palo Alto Networks firewalls and Panorama management servers. It authenticates using an API key and classifies superuser and device administrator roles as privileged.
System Type Classification
| Field | Value |
|---|---|
| System Type | Infrastructure |
| Default Scan Priority | 200 |
Version Support
| OrbisID Edition | Supported |
|---|---|
| Community | No |
| Pro | Yes |
| Enterprise | Yes |
Supported Protocol
| Protocol | Port | Notes |
|---|---|---|
| REST API (HTTPS) | 443 TCP | API key via X-PAN-KEY request header; self-signed certs accepted |
What OrbisID Discovers
| Data | Source |
|---|---|
| Device administrator accounts | GET /restapi/v10.2/Device/DeviceAdministrators |
| Admin role profiles | Derived from role attribute per administrator |
| Superuser classifications | superuser and superreader role detection |
| Memberships | User-to-role-profile associations |
Connection Requirements
Required Permissions
Generate a PAN-OS API key for a read-only device administrator account.
Minimum permissions:
- Device administrator with read-only superreader role; or a custom admin role with read access to device configuration
Credential Mapping
| OrbisID Field | Value |
|---|---|
credential.password | PAN-OS API key |
system.hostname | Firewall or Panorama management IP / hostname |
Network Requirements
The OrbisID server must have HTTPS access to the PAN-OS management interface on port 443. Self-signed TLS certificates are accepted automatically.
Configuration Steps
- Generate a PAN-OS API key for the scanning administrator:
Copy the
GET https://{hostname}/api/?type=keygen&user={username}&password={password}<key>value from the XML response. - Create a Credential in OrbisID:
- Password: PAN-OS API key
- Navigate to Systems → Add System
- Fill in the fields:
| Field | Value |
|---|---|
| Name | Descriptive name (e.g., Palo Alto PAN-OS – Edge Firewall) |
| OS Type | PaloAltoPanos |
| System Type | Infrastructure |
| Hostname | Management interface IP or hostname |
| Credential | The API key credential |
- Click Test Connection
- Click Save
Troubleshooting
| Symptom | Likely Cause | Resolution |
|---|---|---|
403 Forbidden | Invalid or expired API key | Regenerate the API key using the /api/?type=keygen endpoint |
| No accounts returned | Read-only role lacks admin view | Use a superreader or equivalent role |
| Cannot connect | REST API not enabled | Enable REST API under Device → Setup → Management |
SSL certificate error | OrbisID rejecting self-signed cert | OrbisID uses trust-all SSL for PAN-OS; restart the scanner if needed |