Assess Palo Alto PAN-OS Security with cnspec

Secure and enforce policy for Palo Alto Networks firewalls running PAN-OS

Rely on cnspec to ensure your Palo Alto Networks firewalls and Panorama management platforms follow recommended security and operational best practices, such as verifying active security subscriptions, checking content versions, and confirming the device is in normal operational mode.

Prerequisites

To test a PAN-OS device with cnspec, you must have:

  • cnspec installed on your workstation
  • Network access to the PAN-OS device management interface
  • Valid credentials (username and password) for API authentication
  • A user account with appropriate permissions to access the PAN-OS XML API

Give cnspec access to your PAN-OS device

To scan a PAN-OS device, cnspec connects through the PAN-OS XML API over HTTPS. You need to ensure the API is enabled and that you have a user account with API access.

API setup instructions

Step 1: Enable HTTPS on the management interface

cnspec connects to the PAN-OS XML API over HTTPS. SSH to the device and confirm that HTTPS is enabled on the management interface:

ssh YOUR_ADMIN_USER@DEVICE_IP
> show interface management

In the output, look for HTTPS: enabled under the management interface services. If HTTPS is not listed or is disabled, enable it:

> configure
# set deviceconfig system service disable-https no
# commit

Step 2: Create a least-privilege API user

For least-privilege access, create an admin role that grants only the XML API permissions cnspec needs:

  • report — read system and traffic reports
  • log — read traffic, threat, and system logs
  • op — run operational commands (such as retrieving system info and license status)
  • config — read device configuration (required for interface, HA, and certificate resources)

From the CLI, create the role and the user, then set the user's password:

> configure
# set shared admin-role cnspec-reader role device xmlapi report enable
# set shared admin-role cnspec-reader role device xmlapi log enable
# set shared admin-role cnspec-reader role device xmlapi op enable
# set shared admin-role cnspec-reader role device xmlapi config enable
# set mgt-config users cnspec-reader permissions role-based custom profile cnspec-reader
# set mgt-config users cnspec-reader password

Without the config permission, cnspec can still scan the device but will skip resources that require configuration access (such as network interfaces, HA settings, and certificates). To get full coverage from the Mondoo PAN-OS Security policy, enable the config permission.

Enter a strong password when prompted, then commit:

# commit

Alternatively, you can use an existing admin account with XML API access.

Test your connection

Before running a full scan, verify that cnspec can connect by opening a cnspec shell:

cnspec shell panos --hostname firewall.example.com --username cnspec-reader --ask-pass

To skip TLS certificate verification (for self-signed certificates):

cnspec shell panos --hostname firewall.example.com --username cnspec-reader --ask-pass --insecure

If you have an existing admin account with XML API access, you can use that instead of the cnspec-reader user created during setup.

If cnspec connects successfully and shows a prompt, you're ready to scan.

Connection options

Option            Description
--hostname        Hostname or IP address of the PAN-OS device
--username, -u    Username for authentication (default: "admin")
--password, -p    Password for authentication
--ask-pass        Prompt for the password
--insecure, -k    Skip TLS certificate verification

Scan PAN-OS devices

To scan a PAN-OS device, use the cnspec scan command:

cnspec scan panos --hostname firewall.example.com --username cnspec-reader --ask-pass

Provide the password when prompted.

Scan with the Mondoo PAN-OS Security policy

Mondoo maintains an out-of-the-box Palo Alto Networks PAN-OS Security policy that checks license management, system configuration, and content version validation.

Mondoo Platform users: Enable the policy in your space. In the Mondoo Console, go to Findings > Policies, search for "PAN-OS", and add the policy. All future scans of your PAN-OS devices automatically evaluate against it. To learn more, read Manage Policies.

Open source users: Pass the policy bundle URL directly to cnspec:

cnspec scan panos --hostname firewall.example.com --username cnspec-reader --ask-pass \
  --policy-bundle https://raw.githubusercontent.com/mondoohq/cnspec/refs/heads/main/content/mondoo-panos-security.mql.yaml

You can also create your own policies to meet your specific requirements.

Example checks

You can interactively explore and test checks using the cnspec shell. To open a shell connected to your PAN-OS device:

cnspec shell panos --hostname firewall.example.com --username cnspec-reader --ask-pass

Below are some example queries and checks you can run from the shell. cnspec automatically detects whether you're connected to a firewall or Panorama.

Retrieve system information

cnspec> panos.system
panos.system: panos.system hostname="PA-VM" model="PA-VM" version="10.2.3"

Retrieve the device hostname

cnspec> panos.system.hostname
panos.system.hostname: "PA-VM"

Retrieve the PAN-OS version

cnspec> panos.system.version
panos.system.version: "10.2.3"

Retrieve the device serial number

cnspec> panos.system.serial
panos.system.serial: "0123456789"

Retrieve the platform family

cnspec> panos.system.platformFamily
panos.system.platformFamily: "vm"

Ensure the device is in normal operational mode

cnspec> panos.system.operationalMode == "normal" || panos.system.operationalMode == "Normal"
[ok] value: true

Ensure no licenses are expired

cnspec> panos.licenses.where(expired == "yes") == []
[ok] value: []

Ensure Threat Prevention license is active

cnspec> panos.licenses.where(feature.downcase.contains("threat") && expired == "no").length > 0
[ok] value: true

Ensure WildFire license is active

cnspec> panos.licenses.where(feature.downcase.contains("wildfire") && expired == "no").length > 0
[ok] value: true

Ensure threat content version is installed

cnspec> panos.system.threatVersion != ""
[ok] value: "8845-8526"

Ensure antivirus content version is installed

cnspec> panos.system.avVersion != ""
[ok] value: "4752-5400"

Ensure WildFire content version is installed

cnspec> panos.system.wildfireVersion != ""
[ok] value: "828023-831532"
