Query Palo Alto PAN-OS Devices
Query Palo Alto Networks firewalls and Panorama with cnquery
Rely on cnquery to query configuration and system information from Palo Alto Networks devices running PAN-OS. Connect to individual firewalls or Panorama management servers to discover security policies, system configuration, and device information.
Requirements
To analyze and explore your Palo Alto PAN-OS devices with cnquery, you must have:
- cnquery installed on your workstation
- Network access to the PAN-OS device management interface
- Valid credentials (username and password) for API authentication
- A user account with appropriate permissions to access the PAN-OS XML API
API setup instructions
Step 1: Enable the XML API
SSH to the PAN-OS device and verify that the HTTPS management service is enabled:
ssh admin@DEVICE_IP
Then check the management interface configuration:
> show system setting management
If HTTPS is not enabled, configure it:
> configure
# set deviceconfig system service disable-https no
# commit
Step 2: Create a dedicated admin user (recommended)
For least-privilege access, create a dedicated admin role and user for cnquery from the CLI:
> configure
# set shared admin-role cnquery-reader role xmlapi report enable log enable op enable
# set mgt-config users cnquery-reader permissions role-based custom profile cnquery-reader
# set mgt-config users cnquery-reader password
Enter a strong password when prompted, then commit:
# commit
Alternatively, you can use an existing admin account with API access.
Step 3: Allow HTTPS access to the management interface
Ensure that firewall or network rules allow your workstation to reach the management interface on HTTPS (port 443). If you use a management profile, verify that HTTPS is permitted:
> show system setting management
Connect to a PAN-OS device
To connect to a Palo Alto firewall or Panorama:
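cnquery shell panos --hostname DEVICE_IP --username admin --ask-pass
To provide the password directly (it can then end up in shell history and is visible in the process list, so prefer --ask-pass where possible):
cnquery shell panos --hostname DEVICE_IP --username admin --password 'your-password'
To skip TLS certificate verification (for self-signed certificates; the device's identity is then not verified before the credentials are sent):
cnquery shell panos --hostname DEVICE_IP --username admin --ask-pass --insecure
Connection options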
| Option | Description |
|---|---|
| --hostname | Hostname or IP address of the PAN-OS device |
| --username, -u | Username for authentication (default: "admin") |
| --password, -p | Password for authentication |
| --ask-pass | Prompt for the password |
| --insecure, -k | Skip TLS certificate verification |
Example queries
Once connected, you can query information from the PAN-OS device. cnquery automatically detects whether you're connected to a firewall or Panorama.
This query retrieves system information:
cnquery> panos.system
panos.system: panos.system hostname="PA-VM" model="PA-VM" version="10.2.3"
This query retrieves the device hostname:
cnquery> panos.system.hostname
panos.system.hostname: "PA-VM"
This query retrieves the PAN-OS version:
cnquery> panos.system.version
panos.system.version: "10.2.3"
This query retrieves the device serial number:
cnquery> panos.system.serial
panos.system.serial: "0123456789"
This query retrieves the platform family:
cnquery> panos.system.platformFamily
panos.system.platformFamily: "vm"
Exit the cnquery shell
To exit the cnquery shell, either press Ctrl + D or type exit.
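The `panos.system` output shown in the example queries can be turned into a patch-level check. The following is an added example, not part of cnquery or the original page: it parses saved shell output in the format shown above and flags a device whose PAN-OS version is below a required minimum. The function names, the sample text and the minimum versions are assumptions made for illustration.

```python
import re

# Constructed sample: saved output in the format this page shows for `panos.system`.
SAMPLE_OUTPUT = '''panos.system: panos.system hostname="PA-VM" model="PA-VM" version="10.2.3"
panos.system.serial: "0123456789"
'''

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
# PAN-OS releases look like 10.2.3, optionally with a hotfix suffix such as -h4.
VERSION_RE = re.compile(r'^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$')


def parse_system_line(output):
    """Return the key="value" fields of the panos.system summary line."""
    for line in output.splitlines():
        if line.startswith("panos.system:"):
            return dict(FIELD_RE.findall(line))
    raise ValueError("no panos.system line in output")


def parse_version(text):
    """Turn '10.2.3' or '10.2.3-h4' into (major, minor, maintenance, hotfix)."""
    match = VERSION_RE.match(text.strip())
    if not match:
        # Fail closed: an unparseable version must not pass as compliant.
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    return tuple(int(group) if group else 0 for group in match.groups())


def below_baseline(output, minimum):
    """True when the reported version is older than the required minimum."""
    fields = parse_system_line(output)
    # Compare numerically: as plain strings, "10.2.3" would sort before "9.1.16".
    return parse_version(fields["version"]) < parse_version(minimum)


if __name__ == "__main__":
    fields = parse_system_line(SAMPLE_OUTPUT)
    # Hypothetical minimum versions, chosen only to exercise each branch.
    for minimum in ("9.1.16", "10.2.3", "10.2.3-h4", "11.0.0"):
        status = "BELOW" if below_baseline(SAMPLE_OUTPUT, minimum) else "ok"
        print(f'{fields["hostname"]} {fields["version"]} vs {minimum}: {status}')
```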
Learn more
- To learn more about how the MQL query language works, read Write Effective MQL.
- For more information about PAN-OS, see the Palo Alto Networks documentation.