Assess Palo Alto PAN-OS Security with cnspec
Secure and enforce policy for Palo Alto Networks firewalls running PAN-OS
Rely on cnspec to ensure your Palo Alto Networks firewalls and Panorama management platforms follow recommended security and operational best practices, such as verifying active security subscriptions, checking content versions, and confirming the device is in normal operational mode.
Prerequisites
To test a PAN-OS device with cnspec, you must have:
- cnspec installed on your workstation
- Network access to the PAN-OS device management interface
- Valid credentials (username and password) for API authentication
- A user account with appropriate permissions to access the PAN-OS XML API
Give cnspec access to your PAN-OS device
To scan a PAN-OS device, cnspec connects through the PAN-OS XML API over HTTPS. You need to ensure the API is enabled and that you have a user account with API access.
API setup instructions
Step 1: Enable HTTPS on the management interface
cnspec connects to the PAN-OS XML API over HTTPS. SSH to the device and confirm that HTTPS is enabled on the management interface:
```
ssh YOUR_ADMIN_USER@DEVICE_IP
> show interface management
```
In the output, look for HTTPS: enabled under the management interface services. If HTTPS is not listed or is disabled, enable it:
```
> configure
# set deviceconfig system service disable-https no
# commit
```
Step 2: Create a dedicated admin user (recommended)
For least-privilege access, create an admin role that grants only the XML API permissions cnspec needs:
- report — read system and traffic reports
- log — read traffic, threat, and system logs
- op — run operational commands (such as retrieving system info and license status)
- config — read device configuration (required for interface, HA, and certificate resources)
From the CLI, create the role, create the user, assign the role to the user, and set a password:
```
> configure
# set shared admin-role cnspec-reader role device xmlapi report enable
# set shared admin-role cnspec-reader role device xmlapi log enable
# set shared admin-role cnspec-reader role device xmlapi op enable
# set shared admin-role cnspec-reader role device xmlapi config enable
# set mgt-config users cnspec-reader permissions role-based custom profile cnspec-reader
# set mgt-config users cnspec-reader password
```
Enter a strong password when prompted, then commit:
```
# commit
```
Without the config permission, cnspec can still scan the device but skips resources that require configuration access (network interfaces, HA settings, and certificates). To get full coverage from the Mondoo PAN-OS Security policy, enable the config permission.
Alternatively, you can use an existing admin account with XML API access.
Test your connection
Before running a full scan, verify that cnspec can connect by opening a cnspec shell:
```
cnspec shell panos --hostname firewall.example.com --username cnspec-reader --ask-pass
```
To skip TLS certificate verification (for example, when the management interface still uses its self-signed certificate):
```
cnspec shell panos --hostname firewall.example.com --username cnspec-reader --ask-pass --insecure
```
The --insecure flag disables certificate verification entirely, so the connection can no longer detect a man-in-the-middle on the management network. Prefer installing a certificate from a CA your workstation trusts on the management interface and dropping the flag.
If you have an existing admin account with XML API access, you can use that instead of the cnspec-reader user created during setup.
If cnspec connects successfully and shows a prompt, you're ready to scan.
Connection options
| Option | Description |
|---|---|
| --hostname | Hostname or IP address of the PAN-OS device |
| --username, -u | Username for authentication (default: "admin") |
| --password, -p | Password for authentication |
| --ask-pass | Prompt for the password |
| --insecure, -k | Skip TLS certificate verification |

Passing the password with --password puts it in your shell history and makes it visible in the process list; use --ask-pass in interactive sessions.
Scan PAN-OS devices
To scan a PAN-OS device, use the cnspec scan command:
```
cnspec scan panos --hostname firewall.example.com --username cnspec-reader --ask-pass
```
Provide the password when prompted.
Understand scan output
When a scan completes, cnspec prints a summary of all the checks it ran, grouped by policy. Each check shows a pass or fail result.
At the end of the output, cnspec shows a risk score from 0 (no risk) to 100 (highest risk). Failed checks include remediation guidance to help you fix issues.
To assess your PAN-OS devices against Mondoo's security recommendations, enable the Mondoo Palo Alto Networks PAN-OS Security policy. It covers license management, system configuration, and content version validation. To learn how to enable policies, read Manage Policies. You can also create your own policies or specify a particular policy bundle with --policy-bundle.
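As an added example (not part of this page and not one of Mondoo's published policy bundles), the following bundle packages checks of the kind shown under Example checks into a policy you can pass to --policy-bundle. The policy and query uids, names, impact values and the file name panos-baseline.mql.yaml are assumptions chosen for illustration; the MQL expressions are the same resources and fields this page documents.

```yaml
# Added example: a minimal cnspec policy bundle for PAN-OS.
# Not part of this page or of Mondoo's own policy bundles.
# uids, names, impact values and the file name are assumptions.
# Save as panos-baseline.mql.yaml.
policies:
  - uid: panos-baseline-example
    name: PAN-OS Baseline (example)
    version: 1.0.0
    # No asset filter is set, so the policy applies to whatever target
    # you run it against; run it only against panos targets.
    groups:
      - title: Operational state
        checks:
          - uid: panos-operational-mode-normal
      - title: Licenses and content
        checks:
          - uid: panos-no-expired-licenses
          - uid: panos-threat-prevention-active
          - uid: panos-wildfire-active
          - uid: panos-content-versions-installed

queries:
  - uid: panos-operational-mode-normal
    title: Ensure the device is in normal operational mode
    impact: 90
    # downcase makes the comparison case-insensitive ("normal" vs "Normal")
    mql: panos.system.operationalMode.downcase == "normal"
    docs:
      desc: The device should report normal operational mode.
      remediation: Investigate why the device is not in normal mode before relying on it for enforcement.

  - uid: panos-no-expired-licenses
    title: Ensure no licenses are expired
    impact: 80
    # passes only when the filtered list is empty
    mql: panos.licenses.where(expired == "yes") == []
    docs:
      desc: Expired subscriptions stop receiving updates from Palo Alto Networks.
      remediation: Renew the expired subscriptions and re-fetch license keys on the device.

  - uid: panos-threat-prevention-active
    title: Ensure Threat Prevention license is active
    impact: 80
    mql: panos.licenses.where(feature.downcase.contains("threat") && expired == "no").length > 0

  - uid: panos-wildfire-active
    title: Ensure WildFire license is active
    impact: 70
    mql: panos.licenses.where(feature.downcase.contains("wildfire") && expired == "no").length > 0

  - uid: panos-content-versions-installed
    title: Ensure threat, antivirus and WildFire content versions are installed
    impact: 70
    # every assertion in a multi-line check must pass for the check to pass
    mql: |
      panos.system.threatVersion != ""
      panos.system.avVersion != ""
      panos.system.wildfireVersion != ""
    docs:
      desc: An empty version string means no content package of that type is installed.
      remediation: Download and install the current content updates from the device (Dynamic Updates) or via Panorama.
```

Check the bundle syntax with `cnspec bundle lint panos-baseline.mql.yaml`, then run it against a device with `cnspec scan panos --hostname firewall.example.com --username cnspec-reader --ask-pass --policy-bundle panos-baseline.mql.yaml`. Because the bundle has no asset filter, it does not replace the Mondoo PAN-OS Security policy; it shows how the shell one-liners map onto named checks with impact values and remediation text that appear in scan output.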
Example checks
You can interactively explore and test checks using the cnspec shell. To open a shell connected to your PAN-OS device:
```
cnspec shell panos --hostname firewall.example.com --username cnspec-reader --ask-pass
```
Below are some example checks you can run from the shell.
Ensure the device is in normal operational mode
```
cnspec> panos.system.operationalMode == "normal" || panos.system.operationalMode == "Normal"
[ok] value: true
```
Ensure no licenses are expired
```
cnspec> panos.licenses.where(expired == "yes") == []
[ok] value: []
```
Ensure Threat Prevention license is active
```
cnspec> panos.licenses.where(feature.downcase.contains("threat") && expired == "no").length > 0
[ok] value: true
```
Ensure WildFire license is active
```
cnspec> panos.licenses.where(feature.downcase.contains("wildfire") && expired == "no").length > 0
[ok] value: true
```
Ensure threat content version is installed
```
cnspec> panos.system.threatVersion != ""
[ok] value: "8845-8526"
```
Ensure antivirus content version is installed
```
cnspec> panos.system.avVersion != ""
[ok] value: "4752-5400"
```
Ensure WildFire content version is installed
```
cnspec> panos.system.wildfireVersion != ""
[ok] value: "828023-831532"
```
Learn more
- To learn about all the PAN-OS resources and properties you can query, read the PAN-OS Resource Pack Reference.
- To learn more about how the MQL query language works, read Write Effective MQL.
- For more information about PAN-OS, see the Palo Alto Networks documentation.