Mondoo
Docs
Network

Query Palo Alto PAN-OS Devices

Query Palo Alto Networks firewalls and Panorama with cnquery

Rely on cnquery to query configuration and system information from Palo Alto Networks devices running PAN-OS. Connect to individual firewalls or Panorama management servers to discover security policies, system configuration, and device information.

Requirements

To analyze and explore your Palo Alto PAN-OS devices with cnquery, you must have:

  • cnquery installed on your workstation.
  • Network access to the PAN-OS device management interface.
  • Valid credentials (username and password) for API authentication.
  • A user account with appropriate permissions to access the PAN-OS XML API.

Connect to a PAN-OS device

To connect to a Palo Alto firewall or Panorama:

cnquery shell panos --hostname firewall.example.com --username admin --ask-pass

To connect with the password provided directly:

cnquery shell panos --hostname firewall.example.com --username admin --password your-password

To skip TLS certificate verification (for self-signed certificates):

cnquery shell panos --hostname firewall.example.com --username admin --ask-pass --insecure

Connection options

OptionDescription
--hostnameHostname or IP address of the PAN-OS device
--username, -uUsername for authentication (default: "admin")
--password, -pPassword for authentication
--ask-passPrompt for the password
--insecure, -kSkip TLS certificate verification

Example queries

Once connected, you can query information from the PAN-OS device. cnquery automatically detects whether you're connected to a firewall or Panorama.

This query retrieves system information:

cnquery> panos.systemInfo
panos.systemInfo: {
  hostname: "PA-VM"
  serial: "0123456789"
  version: "10.2.3"
  ...
}

This query retrieves the device hostname:

cnquery> panos.systemInfo.hostname
panos.systemInfo.hostname: "PA-VM"

This query retrieves the PAN-OS version:

cnquery> panos.systemInfo.version
panos.systemInfo.version: "10.2.3"

This query retrieves the device serial number:

cnquery> panos.systemInfo.serial
panos.systemInfo.serial: "0123456789"

This query retrieves the platform family:

cnquery> panos.systemInfo["platform-family"]
panos.systemInfo["platform-family"]: "vm"

Exit the cnquery shell

To exit the cnquery shell, either press Ctrl + D or type exit.

Learn more

Cisco Catalyst Center

Query Cisco Catalyst Center (formerly DNA Center) with cnquery

Fortinet FortiOS

Query Fortinet FortiGate firewalls running FortiOS with cnquery

On this page

RequirementsConnect to a PAN-OS deviceConnection optionsExample queriesExit the cnquery shellLearn more