Palo Alto Networks Firewall
runZero integrates with Palo Alto Networks Firewall using the PAN-OS XML API to provide additional network visibility, enhance network context, and improve reporting.
Getting started
To set up the Palo Alto Networks Firewall integration, you’ll need to:
- Create or obtain API Keys to use with the Palo Alto Networks Firewall XML API.
- Add the Palo Alto Networks Firewall API key in runZero.
- Perform Palo Alto Networks Firewall synchronization.
Requirements
- Before you can set up the Palo Alto Networks Firewall integration, make sure you have an API key for the PAN-OS XML API.
- Scan your Palo Alto Networks Firewall with a runZero Explorer if you want to use trusted authentication (optional).
Step 1: Add the Palo Alto Networks Firewall credential to runZero
- Go to the Add credential page in runZero. Provide a name for the credentials, like PAN-OS Firewall.
- Choose Palo Alto Networks Firewall API Key from the list of credential types.
- Provide the following information:
- Palo Alto Networks API key - The API key you want to use with the Palo Alto Networks Firewall integration. Ensure the XML API is enabled by following the steps in this guide: https://docs.paloaltonetworks.com/ngfw/api/api-authentication-and-security/pan-os-api-authentication. Once the XML API is enabled, you can generate the API key by following the steps in this guide: https://docs.paloaltonetworks.com/ngfw/api/api-authentication-and-security/generate-api-key
- Palo Alto Networks insecure - Set this to Yes if you want to attempt authentication without a verified thumbprint.
- Palo Alto Networks thumbprints (optional) - A set of IP[:port]=SHA256:B64HASH or hostname.domain.tld=SHA256:B64HASH pairs to trust for authentication. You will need to scan your Palo Alto Networks firewalls with runZero in order to obtain the TLS thumbprint. The TLS fingerprints service attribute report lists all previously seen fingerprints.
- CIDR allow list - The IP addresses that this API key is allowed to be sent to.
- If you want all other organizations to be able to use this credential, select the Make this a global credential option. Otherwise, you can configure access on a per-organization basis.
- Save the credential.
You’re now ready to set up and activate the connection to bring in data from Palo Alto Networks Firewall.
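How the thumbprints, insecure, and CIDR allow list settings from Step 1 combine can be modeled in a few lines. This is an added example, not runZero's own code. It assumes the pairs are whitespace-separated, that B64HASH is the standard base64 of a SHA-256 digest over the DER-encoded certificate, and that an address outside the allow list is refused even when insecure is set. The function names and sample values are hypothetical.

```python
import base64
import hashlib
import ipaddress

def parse_thumbprints(text):
    """Parse whitespace-separated TARGET=SHA256:B64HASH pairs into {target: {digest}}."""
    pins = {}
    for entry in text.split():
        target, sep, value = entry.partition("=")  # base64 '=' padding stays in value
        algo, _, b64 = value.partition(":")
        if not sep or not target or algo != "SHA256":
            raise ValueError(f"malformed thumbprint entry: {entry!r}")
        digest = base64.b64decode(b64, validate=True)  # raises ValueError on bad base64
        if len(digest) != 32:
            raise ValueError(f"not a SHA-256 digest: {entry!r}")
        pins.setdefault(target.lower(), set()).add(digest)
    return pins

def may_send_key(ip, port, cert_der, pins, allow_cidrs, insecure=False):
    """Decide whether the API key may be sent to ip:port; returns (allowed, reason)."""
    addr = ipaddress.ip_address(ip)
    if not any(addr in ipaddress.ip_network(c) for c in allow_cidrs):
        return False, "outside CIDR allow list"
    if insecure:
        return True, "insecure: thumbprint not verified"
    seen = hashlib.sha256(cert_der).digest()  # assumption: hash covers the DER certificate
    pinned = pins.get(f"{ip}:{port}", set()) | pins.get(ip, set())
    if seen in pinned:
        return True, "thumbprint matched"
    return False, "thumbprint not trusted"

# Constructed sample data: placeholder bytes stand in for a firewall's DER certificate.
SAMPLE_CERT = b"constructed-certificate-bytes"
SAMPLE_PIN = "SHA256:" + base64.b64encode(hashlib.sha256(SAMPLE_CERT).digest()).decode()
SAMPLE_PINS = parse_thumbprints(f"192.0.2.10:443={SAMPLE_PIN}")
ALLOW = ["192.0.2.0/24"]

if __name__ == "__main__":
    for ip, cert, insecure in [
        ("192.0.2.10", SAMPLE_CERT, False),        # pinned and in range
        ("192.0.2.10", b"different-cert", False),  # certificate changed
        ("198.51.100.7", SAMPLE_CERT, True),       # insecure, but outside allow list
    ]:
        print(ip, may_send_key(ip, 443, cert, SAMPLE_PINS, ALLOW, insecure))
```

Running the parser over a thumbprint list before saving the credential catches truncated or mistyped hashes that would otherwise surface only as a failed synchronization.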
Step 2: Performing Palo Alto Networks Firewall synchronization
Once you have defined your Palo Alto Networks Firewall API key credentials, the second step is to enable Palo Alto Networks Firewall synchronization as part of a scan task. Any task which includes scanning the Palo Alto Networks Firewalls can be used to synchronize PAN-OS data.
The Probes tab of the scan setup has a section for enabling and disabling the Palo Alto Networks probe. The probe must be enabled for Palo Alto Networks synchronization to work; it is enabled by default.
On the Credentials tab of the scan setup, use the toggle switch to enable the appropriate set of Palo Alto Networks credentials.
When the scan runs, the Explorer will use the credentials to authenticate with any Palo Alto Networks Firewall it finds that the credentials are configured to trust. Data about Palo Alto Networks Firewall will be imported into runZero automatically, and merged with the other information runZero finds by scanning.
Step 3: View Palo Alto Networks Firewall assets
To filter by Palo Alto Networks Firewall assets, consider running the following queries:
View all Palo Alto Networks Firewall assets:
source:pan
Click into each asset to see its individual attributes. runZero will show you the attributes returned by Palo Alto Networks.