Palo Alto Generate Api Key
Users are unable to generate API keys or use basic authentication when using XML API. The users may get one of the following errors:
– Invalid Credentials
– Missing value for parameter password
– Unable to resolve hostname (running from cURL from command line)
The same username and password would work for the SSH and web interface logins.
Example:
$ curl -k 'http://10.129.80.155/api/?type=keygen&user=user01&password=user#01'
<response status = 'error' code = '403'><result><msg>Invalid credentials.</msg></result></response>
Or you may get a missing parameter error:
Example:
$ curl -k 'http://10.129.80.155/api/?type=keygen&user=user02&password=#02user'
<response status = 'error' code = '400'><result><msg>Missing value for parameter "password".</msg></result></response>
Or when using basic authentication, you would get unable to resolve host name:
$curl -k 'http://user01:user#01@10.129.80.155//api/?type=op&cmd=<show><system><info></info></system></show>'
curl: (6) Could not resolve host: user01 <<<<<<
https://198.51.100.1/api/?type=keygen&user=apiuser&password=&apiuser (ran in browser)
Get Your API Key. To use the API, you must generate the API key required for authenticating API calls. Then, when you use this API key in your request, you can either provide the URL encoded API key in the request URL, or use the custom. X-PAN-KEY: key. Parameter to add the key as a name-value pair in the HTTP header.
https://198.51.100.1/api/?type=keygen&user=apiuser&password=api#user (ran in browser)
API’s are very important to Palo Alto Networks. Security automation is key to the success of any organization in preventing cyber attacks. So Palo Alto Networks products have comprehensive APIs to enable automation. In this lab we’ll focus on the PAN-OS API, which is the API for the Palo Alto Networks Next-generation Firewall and Panorama Management Center. When connecting to the PAN-OS API. Global Protect API to generate ticket Anyone had any luck with the following API call. Trying to make front end for the helpdesk to be able to generate tickets to disable global protect if needed. CA certificate: If you want to use a security certificate, select the checkbox and enter your certificate to establish a trusted SSL connection between the Palo Alto Networks Pan-OS and USM Anywhere. API key: Enter the API key that you generated in Palo Alto Networks Pan-OS.
Cause
In all the cases the password contains special characters. The API key generation will fail when the password contains special characters such as # and &. This is not a PAN-OS specific issue. This is due to the way browsers and cURL handle special characters. This is because these are reserved characters used as general or sub delimiters.
RFC defining list of delimiters: https://tools.ietf.org/html/rfc3986#section-2.2
RFC: https://tools.ietf.org/html/rfc3986#section-3.5
In section 3.5: A fragment identifier component is indicated by the presence of a number sign '#' character and terminated by the end of the URL. Now, look at cURL official documents: https://curl.haxx.se/.
Curl supports fragments fine when a URL is passed to it, but the fragment part is never actually sent over the wire, so it doesn't make a difference to cURL's operations whether it is present or not. Hence, the '#' is never sent across the wire, resulting in such behavior.
When these are used without URL encoding, you can see that the browser does not actually send the entire URL (password in this case). In the below examples, HTTP was enabled for demonstration purposes, and the ease of packet captures show the HTTP payload.
Example 1: username: user2 and password: user&2
Browser:
Packet capture taken at the client sending the GET request:
If you look at the password section, the browser truncates the password at 'user.'
Example 2: username: user3 and password user#3
Browser:
Packet capture taken at the client sending the GET request:
If you look at the password section, the browser truncates the password at 'user.' Hence, the issue is due to the interpretation of special characters by browsers and cURL.
Palo Alto Documentation
ResolutionPalo Alto Generate Api Key Map
Here is a quick reference of reserved character set:
If the data for a URI component would conflict with a reserved character's purpose as a delimiter, then the conflicting data must be URI encoded. In this case, if the password contains reserved characters, they have to be encoded and then used as input.
For instance, if the password contains special characters such as '#' and '&,' use the URL encode %23 and %26 respectively.
Microsoft project 2016 standard retail key generator. Certainly, it takes some time to learn more complex aspects of the program, but this time the training can benefit the team.Microsoft Project 2016 Crack also has project budgets, which helps managers estimate the total cost of the project.
Example API Request:
https://198.51.100.1/api/?type=keygen&user=apiuser&password=api%23user
Additional Information
For additional information, here are some articles for reference:
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-panorama-api/get-started-with-the-pan-os-xml-api/get-your-api-key
For easy encode and decode of URIs:
https://www.url-encode-decode.com/
For the list of all special character encoding for HTML:
https://www.w3schools.com/tags/ref_urlencode.asp
Attachments