Palo Alto Networks

Indeni connects to Palo Alto Networks devices (Log Collector excepted) via the PAN-OS XML API over HTTPS and via SSH. We recommend assigning the Dynamic role of Superuser or Superuser (read-only) to the Indeni user. This leverages Palo Alto Networks’ fixed privileges and is a scalable option that allows future automation scripts to be used successfully by the Indeni system.

If a Custom role needs to be defined, it is preferable to include privileges that allow for flexibility and growth as Indeni’s Knowledge scripts expand to include more enhanced functionality. However, the following are the minimum access requirements and must be enabled within the profile.

WebUI: No minimum requirements (all disabled)
XML API: Operational Request
Command Line: devicereader

If you need assistance creating a user on your Palo Alto Networks device, please refer to Palo Alto’s website.

Indeni recommends that credentials set for Palo Alto Networks devices be left with the default privilege of Superuser (Read-Only) and dynamic-based control.

Indeni is read-only and does not make any changes to the device’s configurations or policies. Indeni will continue to expand its knowledge base, so we recommend leaving the credentials as described in our regular recommendations. This gives the Indeni credentials enough flexibility should any of Indeni’s new knowledge scripts require access to API and SSH commands that a strictly defined custom role would not permit.

However, should internal policies require that Indeni use the minimum privileges needed to collect and analyze data from the devices, we recommend following the guidance below when creating custom credentials:

The only options that are enabled are:

XML API: Operational Request
Command Line: devicereader
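The following added example (not Indeni or Palo Alto Networks code) audits an exported admin role against the minimum described above: every WebUI item disabled, only Operational Request enabled under XML API, and a Command Line value of devicereader. The XML element layout and both sample roles are constructed assumptions modelled on a PAN-OS admin-role entry, so adjust the paths to match your own export.

```python
import xml.etree.ElementTree as ET

# Constructed samples. The role/device/{webui,xmlapi,cli} layout is an
# assumption modelled on a PAN-OS admin-role entry; adapt it to your export.
MINIMAL_ROLE = """<entry name="indeni-min"><role><device>
  <webui><dashboard>disable</dashboard>
    <monitor><logs><traffic>disable</traffic></logs></monitor></webui>
  <xmlapi><report>disable</report><log>disable</log><config>disable</config>
    <op>enable</op><commit>disable</commit></xmlapi>
  <cli>devicereader</cli>
</device></role></entry>"""

BROAD_ROLE = """<entry name="indeni-broad"><role><device>
  <webui><dashboard>enable</dashboard>
    <monitor><logs><traffic>disable</traffic></logs></monitor></webui>
  <xmlapi><report>disable</report><log>disable</log><config>enable</config>
    <op>enable</op><commit>enable</commit></xmlapi>
  <cli>superuser</cli>
</device></role></entry>"""


def leaves(elem, prefix=""):
    """Yield (path, value) for every leaf element below elem."""
    for child in ([] if elem is None else elem):
        path = f"{prefix}/{child.tag}" if prefix else child.tag
        if len(child):
            yield from leaves(child, path)
        else:
            yield path, (child.text or "").strip()


def audit_role(xml_text):
    """List every way the role differs from the documented minimum."""
    device = ET.fromstring(xml_text).find("./role/device")
    if device is None:
        return ["no role/device section found"]
    findings = []
    for path, value in leaves(device.find("webui"), "webui"):
        if value != "disable":
            findings.append(f"{path} is '{value}', expected 'disable'")
    xmlapi = dict(leaves(device.find("xmlapi")))
    if xmlapi.get("op") != "enable":
        findings.append("xmlapi/op (Operational Request) is not enabled")
    for name, value in xmlapi.items():
        if name != "op" and value != "disable":
            findings.append(f"xmlapi/{name} is '{value}', expected 'disable'")
    cli = (device.findtext("cli") or "").strip()
    if cli != "devicereader":
        findings.append(f"cli is '{cli}', expected 'devicereader'")
    return findings
```

An empty list from `audit_role` means the role matches the minimum; each string otherwise names one setting that is broader or narrower than required.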