Why is the Palo Alto PAN-OS API exemplary?

Palo Alto’s PAN-OS API allows you to manage firewalls. Systems Administrators use it to access and manage firewalls through a third-party service, application, or script.

At Saasyan, we have been developing solutions that integrate deeply with the Palo Alto Networks PAN-OS API. We have a four-year track record with the technology and we think it is a gem and a joy to work with.

The solutions I refer to above comprise our cyber-welfare assurance platform for Palo Alto firewalls – Saasyan Assure, our User-ID broker for Palo Alto firewalls – Saasyan Advance, our software-defined HA/DR solution for Palo Alto networks firewalls – Saasyan Paximus.

Internally, we at Saasyan have come to consider the PAN-OS API to be the gold standard on how APIs should be designed and structured for core IT infrastructure devices. In this blog post I would like to share why this is the case.

Unified API

The PAN-OS and Panorama XML API allow you to manage firewalls and Panorama through a programmatic XML-based API. It is a unified API that allows API based interaction with both Palo Alto Networks Next Gen Firewalls and Panorama (Palo Alto Networks’ Network Security Management Platform). This makes it easier for us to support both platforms (pan ngf and panorama) with our software without having to create and maintain separate modules for panorama.

 

Single Pass Architecture

The Single-Pass Architecture is the overall design approach for Palo Alto Networks Next Generation Firewalls. The architecture enables full, contextual classification of traffic, followed by a rich set of enforcement and threat prevention options. The architecture classifies and controls traffic in a “single pass” through the firewall using a variety of stream-based technology components. This is also reflected in the PAN OS API as all the API calls we make are targeted at one unified engine.

The Palo Alto Networks single-pass architecture stands in contrast to many competitive offers which are typically based on traditional port-based firewall technology. In competitive approaches, next-generation features are often added in a sequence of separate engines which means there are a web proxy engine and an API which is separate and distinct from a stateful inspection firewall engine and an API , etc. In the case of Palo Alto Networks Next Generation Firewalls it is truly one engine and one API. This makes API based integration a joy.

 

Full Access to Functionality and Ease of Use

The PAN-OS XML API allows you to access almost all of the functionality normally provided through the firewall web interface and CLI. Moreover, because PAN-OS XML API functionality mirrors that of both the web interface and the CLI, it’s straightforward to translate what one has to do manually to achieve a specific outcome through the web interface or the CLI to a piece of code that produces the same outcome in a programmatic manner. To explore all various functions of the API, you can use the API browser through the firewall web interface. You can also enable debug mode through the CLI to see the API equivalent of CLI commands.

Often, in school circles you hear IT leaders talk about the complexity of getting applications to speak with one another. Especially if these applications come from different technology vendors. It is open technologies such as Palo Alto’s PAN-OS XML API that allows organisations such as Saasyan to build cyber-welfare assurance platforms such as Saasyan Assure, User-ID brokers such as Saasyan Advance and software-defined HA/DR solutions such as Saasyan Paximus.

We encourage other technology vendors and IT professionals alike to leverage the PAN-OS XML API to integrate, automate, build applications and make what was previously considered next to impossible a reality.