Purpose
This guide explains how to configure the Palo Alto Panorama credentials required for the integration, including:
- Base URL
- Username
- Password
Prerequisites
- Access to the Palo Alto Panorama web interface.
- A Panorama administrator account with permission to create or manage admin users.
- Network connectivity from AirMDR or the configured remote agent to the Panorama management interface.
- HTTPS access enabled on the Panorama management interface.
- Required XML API permissions enabled for the integration user.
Supported Versions
| Component | Supported/Recommended |
|---|---|
| Palo Alto Panorama | PAN-OS 10.x, 11.x, and later supported Panorama versions |
| Authentication Method | Username and Password-based authentication |
| API Type | PAN-OS XML API |
| Connection Protocol | HTTPS |
| Default Port | TCP 443 |
Confirm the exact PAN-OS version and API compatibility with your internal security and network teams before enabling the integration.
Authentication
Palo Alto Panorama uses administrator credentials to authenticate API requests. The integration requires a dedicated Panorama administrator account.
Required Credentials
| Credential | Description | Example |
|---|---|---|
| Base URL | Panorama management URL or IP address | https://panorama.example.com |
| Username | Dedicated Panorama administrator username | airmdr_api_user |
| Password | Password for the Panorama administrator account | Stored securely in AirMDR |
Role-Based Access Considerations
Create a dedicated administrator account for the integration instead of using a personal or shared admin account. Recommended access:
- Use a custom Panorama Admin Role.
- Enable only the required XML API permissions.
- Prefer read-only access wherever possible.
- Avoid using the default admin or full superuser account unless explicitly required for testing.
| XML API Permission | Recommended Access | Purpose |
|---|---|---|
| Log | Enabled | Retrieve traffic, threat, system, and security logs |
| Report | Enabled | Retrieve available report data |
| Operational Requests | Enabled if required | Run operational queries |
| Configuration | Read-only / limited | Retrieve device and policy context |
| Commit | Disabled | Not required for monitoring integrations |
| Import / Export | Disabled unless required | Avoid unnecessary file-level access |
The exact permissions may vary based on the integration scope. Use least-privilege access wherever possible.
Setup Steps
Identify the Panorama Base URL
- Log in to the Palo Alto Panorama web interface.
  Example: https://<panorama-management-ip>
- After logging in, verify the URL in the browser address bar.
- Copy the base URL without any extra path.
  Correct format: https://panorama.example.com
  Or: https://192.168.10.50
- Use this value as the Base URL in AirMDR.
If Panorama is accessed through a private network, VPN, or jump host, ensure the AirMDR remote agent can reach the same Base URL.
Create a Custom Panorama Admin Role
- In the Panorama UI, navigate to Panorama → Admin Roles.
- Click Add.
- Enter a role name.
  Example: AirMDR_ReadOnly_API_Role
- Set the role scope as Panorama.
- Configure Web UI permissions as required.
- Go to the XML API permission section.
- Enable the required XML API permissions.
  Recommended minimum:
  - Log
  - Report
  - Operational Requests
  - Configuration, if device or policy context is required
- Disable permissions that are not required, such as:
  - Commit
  - Import
  - Export
  - User-ID Agent, unless specifically needed
- Click OK.
- Commit the change if required by your Panorama change process.
Create a Dedicated Panorama Administrator User
- In the Panorama UI, navigate to Panorama → Administrators.
- Click Add.
- Enter the administrator username.
  Example: airmdr_api_user
- Configure authentication.
  You can use either:
  - Local password authentication
  - Authentication Profile, such as LDAP, RADIUS, TACACS+, or SAML, if supported by your organization.
- If using local authentication, enter and confirm the password.
- Under Administrator Type, select Custom Panorama Admin.
- Select the custom role created earlier.
  Example: AirMDR_ReadOnly_API_Role
- Click OK.
- Commit the change if required.
- Store the username and password securely.
Do not reuse a personal administrator account for integration access.
Validate the Username and Password
Before configuring the integration, verify that the credentials are working.
- Open a browser.
- Go to the Panorama Base URL. Example: https://panorama.example.com
- Log in using the integration username and password.
- Confirm that the user can access Panorama based on the assigned role.
- Log out after validation.
If the login fails, confirm that the account is not locked and the password has not expired.
Integration Credential Requirements
Use the following values in the AirMDR integration configuration screen:
| AirMDR Field | Required Value | Where to Obtain |
|---|---|---|
| Base URL | The HTTPS URL or IP address of your Palo Alto Panorama management interface (for example, https://panorama.example.com or https://192.168.1.100) | Copy the URL from your browser after logging in to the Panorama web interface. |
| Username | The dedicated Panorama administrator username created for the integration | Navigate to Panorama → Administrators and use the configured integration account. |
| Password | The password associated with the integration administrator account | Use the password configured when creating or updating the administrator account in Panorama. |
For improved security, create a dedicated read-only administrator account for the integration instead of using the default or personal administrator credentials. Ensure the account has the minimum permissions required for API access.
Validate Connectivity
Use the following curl command to verify connectivity and authenticate with the Palo Alto Panorama XML API using the configured Base URL, Username, and Password.
Sample Request
Successful Response
<response status="success">
  <result>
    <key>LUFRPT14MW5xOEo1R09KV2V5MTIzNDU2Nzg5</key>
  </result>
</response>
Failed Response (Invalid Credentials)
<response status="error">
  <msg>
    <line>Invalid credentials.</line>
  </msg>
</response>
A successful response confirms that the Panorama management interface is reachable and that the supplied username and password are valid. The returned API key is generated by Panorama for XML API authentication and can be used to verify credential validity.
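The credential check described in this section, as an added example that is not part of the original guide and is not AirMDR or Palo Alto code: it sends the PAN-OS XML API `type=keygen` request and classifies the reply without printing the returned key. The function names and the `PANORAMA_URL` and `PANORAMA_USER` variables are assumptions made for the example.

```shell
#!/bin/sh
# Added example. PANORAMA_URL and PANORAMA_USER are assumed variable names.

# Accept only https://host[:port]; reject /api, /index.php or query strings.
check_base_url() {
  case "$1" in
    https://?*) ;;
    *) echo "not-https"; return 1 ;;
  esac
  rest="${1#https://}"; rest="${rest%/}"
  case "$rest" in
    ""|*/*|*\?*) echo "not-bare-host"; return 1 ;;
  esac
  echo "ok"
}

# Classify a keygen response read from stdin; the API key is never printed.
keygen_status() {
  flat="$(tr '\n' ' ')"
  status="$(printf '%s' "$flat" |
    sed -n "s/.*<response[^>]*status *= *[\"']\([a-z]*\)[\"'].*/\1/p")"
  case "$status" in
    success)
      case "$flat" in *'<key>'?*'</key>'*) echo "success"; return 0 ;; esac
      echo "malformed"; return 1 ;;
    error)
      msg="$(printf '%s' "$flat" | sed -n 's:.*<line>\([^<]*\)</line>.*:\1:p')"
      # Fall back to text placed directly inside <msg>.
      [ -n "$msg" ] ||
        msg="$(printf '%s' "$flat" | sed -n 's:.*<msg>\([^<]*\)</msg>.*:\1:p')"
      echo "error: ${msg:-unknown}"; return 1 ;;
    *) echo "malformed"; return 1 ;;
  esac
}

# Request a key. Credentials go in the POST body, and the password reaches curl
# on stdin, so it is absent from the URL, the process list and shell history.
# TLS verification stays on; pass --cacert for a private CA rather than -k.
validate_panorama() {
  check_base_url "$PANORAMA_URL" >/dev/null || { echo "bad-base-url"; return 2; }
  printf 'Password for %s: ' "$PANORAMA_USER" >&2
  stty -echo; IFS= read -r pw; stty echo; echo >&2
  printf '%s' "$pw" |
    curl --silent --show-error --max-time 15 \
      --data-urlencode "user=${PANORAMA_USER}" \
      --data-urlencode "password@-" \
      "${PANORAMA_URL%/}/api/?type=keygen" | keygen_status
}
```

After exporting the two variables, run `validate_panorama`; it prints `success`, `error: <message>`, or `malformed`.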
Configure Palo Alto Panorama in AirMDR Integrations Dashboard
- Navigate to AirMDR, provide the credentials, and click Login.
- Navigate to the AirMDR Integrations Dashboard in the left navigation pane and select Integrations.
- Use the search option, enter the keyword “Palo Alto Panorama”, select the Connections tab, and click the + Create button.
- Enter a unique name for the instance (e.g., your org name-PaloAltoPanorama) so that AirMDR can easily identify the connection.
- Enter the application credentials (Base URL, Username, and Password) in the Authentication Details fields, and click Save.
Skills provided by this Integration
| Skill ID | Purpose |
|---|---|
| Get Palo Alto Panorama Logs | Retrieve logs from Palo Alto Panorama. Submits a log job to the PAN-OS XML API, polls until completion, and returns parsed log entries. Supports standard PAN-OS log types and optional PAN-OS filter syntax for narrowing results. |
Additional Information
🧰 Error Handling
| Error | Possible Cause | Resolution |
|---|---|---|
| Invalid credentials | Incorrect username or password | Re-enter credentials and validate login in Panorama UI |
| Connection timeout | Network path blocked | Confirm routing, firewall rules, VPN, and TCP 443 access |
| SSL certificate error | Self-signed or untrusted certificate | Use a trusted certificate or configure trusted certificate handling as per company policy |
| Permission denied | Admin role does not have required XML API permissions | Update the custom Admin Role and enable required XML API permissions |
| Empty logs or no data | Log permission missing or no matching logs available | Validate Log API access and confirm logs exist in Panorama |
| Account locked | Too many failed login attempts | Unlock the administrator account from Panorama |
| API request failed | Incorrect Base URL format | Use only the base Panorama URL without /api or UI paths |
🔄 Monitoring & Logs
Where to Find Logs in Panorama
- Use the Panorama UI to review access and API activity.
  Recommended locations: Monitor → Logs → System
- You can filter for API-related activity.
  Example filter: (description contains 'API')
- You can also review administrator login events from the system logs.
Sample Log Entries
Successful login example:
Recommended Log Levels
| Log Type | Recommended Review |
|---|---|
| System logs | Review authentication and API activity |
| Configuration logs | Review admin or role changes |
| Threat / Traffic logs | Validate log availability |
| Audit logs | Track credential and permission changes |
🛑 Security & Access Best Practices
Do
- Create a dedicated administrator account for AirMDR.
- Use least-privilege access.
- Enable only required XML API permissions.
- Use HTTPS for Panorama API communication.
- Store credentials in a secure vault or approved secret manager.
- Rotate passwords based on internal security policy.
- Monitor API and administrator login activity.
- Restrict access by source IP where possible.
- Disable Commit, Import, and Export permissions unless required.
Avoid
- Do not use the default admin account for integrations.
- Do not assign full Superuser access unless required for troubleshooting.
- Do not share credentials in email, tickets, or screenshots.
- Do not configure the Base URL with /api, /index.php, or login page paths.
- Do not leave unused integration accounts enabled.
- Do not ignore repeated failed login attempts.
👉 Support & Maintenance
- 📧 Contact AirMDR Support through your designated support channel.
- 🔁 Rotate credentials regularly. Recommended cadence: As per internal security policy
- 🔄 Reconnect in AirMDR when secrets are changed.
- When raising a support request, include:
- Panorama version
- Integration name
- Base URL format, without exposing credentials
- Error message or failed response
- Timestamp of the failed attempt
- Screenshot of the integration status
- Relevant Panorama system log entry
- Update the integration when:
- The Panorama hostname or IP address changes.
- The administrator password is rotated.
- The administrator role is modified.
- PAN-OS or Panorama is upgraded.
- Firewall or device group access scope changes.
- The remote agent or network path changes.
Recommended maintenance tasks:
| Activity | Recommended Frequency |
|---|---|
| Review admin account usage | Monthly |
| Rotate password | As per company policy |
| Review role permissions | Quarterly |
| Validate connection | After upgrades or network changes |
| Review failed login attempts | Weekly |
🛑 Data Flow & Security
Data Exchanged
| Data Type | Direction | Description |
|---|---|---|
| API Token | AirMDR → Gravwell | Used for authentication. |
| Search Query | AirMDR → Gravwell | Used to retrieve required telemetry. |
| Alerts | Gravwell → AirMDR | Returned if alert read access is configured. |
| Tags / Telemetry Metadata | Gravwell → AirMDR | Used to identify available data sources. |
| Search Results | Gravwell → AirMDR | Used for enrichment and investigation. |
Ports and Endpoints
| Item | Value |
|---|---|
| Protocol | HTTPS |
| Default Port | 443 |
| Instance URL Format | https://<gravwell-hostname> |
| Example API Endpoint | /api/tags |
| Search Parse Endpoint | /api/parse |
| Direct Search Endpoint | /api/search/direct |

