Query Palo Alto PAN-OS Devices

Query Palo Alto Networks firewalls and Panorama with cnquery

Rely on cnquery to query configuration and system information from Palo Alto Networks devices running PAN-OS. Connect to individual firewalls or Panorama management servers to discover security policies, system configuration, and device information.

Requirements

To analyze and explore your Palo Alto PAN-OS devices with cnquery, you must have:

  • cnquery installed on your workstation
  • Network access to the PAN-OS device management interface
  • Valid credentials (username and password) for API authentication
  • A user account with appropriate permissions to access the PAN-OS XML API

API setup instructions

Step 1: Enable HTTPS on the management interface

cnquery connects to the PAN-OS XML API over HTTPS. SSH to the device and confirm that HTTPS is enabled on the management interface:

ssh YOUR_ADMIN_USER@DEVICE_IP
> show interface management

In the output, look for HTTPS: enabled under the management interface services. If HTTPS is not listed or is disabled, enable it:

> configure
# set deviceconfig system service disable-https no
# commit

For least-privilege access, create an admin role that grants only the XML API permissions cnquery needs:

  • report — read system and traffic reports
  • log — read traffic, threat, and system logs
  • op — run operational commands (such as retrieving system info and license status)
  • config — read device configuration (required for interface, HA, and certificate resources)

From the CLI, create the role and the user, then assign a password:

> configure
# set shared admin-role cnquery-reader role device xmlapi report enable
# set shared admin-role cnquery-reader role device xmlapi log enable
# set shared admin-role cnquery-reader role device xmlapi op enable
# set shared admin-role cnquery-reader role device xmlapi config enable
# set mgt-config users cnquery-reader permissions role-based custom profile cnquery-reader
# set mgt-config users cnquery-reader password

Without the config permission, cnquery can still connect but will skip resources that require configuration access (such as network interfaces, HA settings, and certificates). For full resource coverage, enable the config permission.

Enter a strong password when prompted, then commit:

# commit

Alternatively, you can use an existing admin account with XML API access.
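
One way to check that a role still matches the least-privilege definition above, as an added example (not part of cnquery or of the original page): it parses configuration lines in the same set form as the commands above and reports XML API permissions that are missing or that go beyond the four listed. The audit_role function, the sample lines, and the commit and import entries in them are constructed for illustration.

```python
import re

# Permissions the page grants to the cnquery-reader role. "config" is only
# needed for interface, HA and certificate resources.
CORE = {"report", "log", "op"}
COVERAGE = {"config"}

# Matches lines in the same form as the page's role commands; a leading CLI
# prompt character ("#" or ">") is tolerated.
ROLE_LINE = re.compile(
    r"^\s*(?:[#>]\s*)?set shared admin-role (?P<role>\S+) role device xmlapi "
    r"(?P<perm>\S+) (?P<state>enable|disable)\s*$"
)

# Constructed sample: a role that drifted from the page's definition.
SAMPLE = """\
set shared admin-role cnquery-reader role device xmlapi report enable
set shared admin-role cnquery-reader role device xmlapi log enable
set shared admin-role cnquery-reader role device xmlapi op enable
set shared admin-role cnquery-reader role device xmlapi commit enable
set shared admin-role other-role role device xmlapi import enable
"""


def audit_role(config_text, role="cnquery-reader"):
    """Compare a role's enabled XML API permissions with the page's set."""
    enabled = set()
    for line in config_text.splitlines():
        m = ROLE_LINE.match(line)
        if not m or m.group("role") != role:
            continue
        # A later line overrides an earlier one for the same permission.
        if m.group("state") == "enable":
            enabled.add(m.group("perm"))
        else:
            enabled.discard(m.group("perm"))
    return {
        "missing": sorted(CORE - enabled),            # listed on the page, not enabled
        "excess": sorted(enabled - CORE - COVERAGE),  # beyond least privilege
        "reduced_coverage": not COVERAGE <= enabled,  # config-based resources skipped
    }


if __name__ == "__main__":
    print(audit_role(SAMPLE))
```
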

Connect to a PAN-OS device

To connect to a Palo Alto firewall or Panorama:

cnquery shell panos --hostname DEVICE_IP --username cnquery-reader --ask-pass

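To provide the password directly on the command line (it is then stored in your shell history and visible in the process list, so prefer --ask-pass where you can):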

cnquery shell panos --hostname DEVICE_IP --username cnquery-reader --password 'your-password'

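To skip TLS certificate verification (for self-signed certificates). With --insecure the device's identity is not checked, so the credentials are only as safe as the network path to the management interface: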

cnquery shell panos --hostname DEVICE_IP --username cnquery-reader --ask-pass --insecure

If you have an existing admin account with XML API access, you can use that instead of the cnquery-reader user created during setup.

Connection options

| Option | Description |
| --- | --- |
| --hostname | Hostname or IP address of the PAN-OS device |
| --username, -u | Username for authentication (default: "admin") |
| --password, -p | Password for authentication |
| --ask-pass | Prompt for the password |
| --insecure, -k | Skip TLS certificate verification |

Example queries

Once connected, you can query information from the PAN-OS device. cnquery automatically detects whether you're connected to a firewall or Panorama.

This query retrieves system information:

cnquery> panos.system
panos.system: panos.system hostname="PA-VM" model="PA-VM" version="10.2.3"

This query retrieves the device hostname:

cnquery> panos.system.hostname
panos.system.hostname: "PA-VM"

This query retrieves the PAN-OS version:

cnquery> panos.system.version
panos.system.version: "10.2.3"

This query retrieves the device serial number:

cnquery> panos.system.serial
panos.system.serial: "0123456789"

This query retrieves the platform family:

cnquery> panos.system.platformFamily
panos.system.platformFamily: "vm"

Exit the cnquery shell

To exit the cnquery shell, either press Ctrl + D or type exit.
