5.1.3.2.2.1. Palo Alto Active Integration
To validate the connection to the Palo Alto API, run the following telnet command from the ON Core:
echo -e '\x1dclose\x0d' | telnet <paloalto-ip> 443
A good output looks like this:
opennac:~ user$ echo -e '\x1dclose\x0d' | telnet <paloalto-ip> 443
Trying <paloalto-ip>...
Connected to <paloalto-ip>.
Escape character is '^]'.
telnet> close
Connection closed.
A bad output looks like the example below, ending in a timeout. This means there is no connection between the ON Core and the Palo Alto on port 443.
opennac:~ user$ echo -e '\x1dclose\x0d' | telnet <paloalto-ip> 443
Trying <paloalto-ip>...
telnet: connect to address <paloalto-ip>: Operation timed out
telnet: Unable to connect to remote host
If the connection works, test the credentials next. To test the Palo Alto user and password, run the following curl from the ON Core server. In a multi-server deployment, run it from each core that answers authentication requests:
curl -k 'https://<paloalto-ip>/api/?type=keygen&user=<paloalto-user>&password=<paloalto-passwrd>'
The output of this command is enough to tell whether the account is valid. Below is a good output: the response status is “success” and a key has been generated.
opennac:~ user$ curl -k 'https://<paloalto-ip>/api/?type=keygen&user=opennac_api&password=opennac_api'
<response status = 'success'><result><key>LUFRPT1WWHN2QmpiZTFrd0hvWVZIMmtpbHNEaXJRZTQ9ejhZSzEyajNDd2VWaW4vanNDanQwZCtQYlhzRWVQVDFYOHNPenFNdGxqRT0=</key></result></response>
Below is an example of a failed authentication caused by a wrong password. The status is “error” and the result message is “Invalid credentials.”
opennac:~ user$ curl -k 'https://<paloalto-ip>/api/?type=keygen&user=opennac_api&password=opennac_'
<response status = 'error' code = '403'><result><msg>Invalid credentials.</msg></result></response>
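The two checks above (port reachability, then the keygen credential test) combined into one script, as an added example that is not part of the openNAC documentation. PA_HOST, PA_USER and PA_PASS are assumed environment variables, and the sample replies at the end are constructed from the outputs shown above.

```shell
#!/bin/sh
# Added example, not part of the openNAC documentation. Wraps the two checks
# above (TCP reachability of port 443, then the keygen credential test) into
# functions and classifies the keygen reply. PA_HOST, PA_USER and PA_PASS are
# assumed environment variables; set them before running on a real ON Core.

# Check 1: can we reach the API port at all? Mirrors the telnet test, using
# curl's connect phase. Exit codes 7 (cannot connect) and 28 (timeout) are the
# "Operation timed out" case from the docs; a TLS error after connecting still
# proves the port is open, so it counts as reachable.
pa_port_open() {
    rc=0
    curl -k -s -o /dev/null --connect-timeout 5 "https://$1:${2:-443}/" 2>/dev/null || rc=$?
    [ "$rc" -ne 7 ] && [ "$rc" -ne 28 ]
}

# Check 2: the keygen call from the docs. -G keeps it a GET request, and
# --data-urlencode encodes passwords that contain &, % or spaces correctly.
# -k is kept from the docs' command: it skips certificate validation, so use
# it only for this connectivity test.
pa_keygen_response() {
    curl -k -s -G --connect-timeout 10 "https://$1/api/" \
        --data-urlencode 'type=keygen' \
        --data-urlencode "user=$2" \
        --data-urlencode "password=$3"
}

# Classify a keygen reply body: prints "success", "error:<code>" or "unknown".
pa_keygen_status() {
    case "$1" in
        *"<response status"*"'success'"*"<key>"*) echo success ;;
        *"<response status"*"'error'"*)
            code=$(printf '%s' "$1" | sed -n "s/.*code *= *'\([0-9]*\)'.*/\1/p")
            echo "error:${code:-unknown}" ;;
        *) echo unknown ;;
    esac
}

# Constructed sample replies (the key value is a placeholder, not a real key).
SAMPLE_OK="<response status = 'success'><result><key>PLACEHOLDER_KEY</key></result></response>"
SAMPLE_BAD="<response status = 'error' code = '403'><result><msg>Invalid credentials.</msg></result></response>"

# End-to-end run, only when PA_HOST is set, so the file is safe to source.
if [ -n "${PA_HOST:-}" ]; then
    if pa_port_open "$PA_HOST"; then
        echo "port 443 reachable; keygen: $(pa_keygen_status "$(pa_keygen_response "$PA_HOST" "$PA_USER" "$PA_PASS")")"
    else
        echo "no connection to $PA_HOST:443 from this ON Core"
    fi
fi
```

Run it as `PA_HOST=<paloalto-ip> PA_USER=<paloalto-user> PA_PASS=<paloalto-passwrd> sh check_pa.sh` on each core that answers authentication requests.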