Palo Alto Panorama
Starting with TKU March 2026, implicit discovery of network devices through thePalo Alto Panorama XML API is supported.
Supported Discovery versions
All Discovery versions starting with BMC Discovery 24.2 (14.0) are supported. For previous versions or standard scanning, Simple Network Management Protocol (SNMP) remains the primary method.
Prerequisites
Before you start discovering network devices, make sure that you have completed the following configurations:
- An API API key generated in the Panorama console.
- Valid Palo Alto Panorama XML API credentials.
- HTTPS (default port 443) access from Discovery to the Panorama management IP address.
How Palo Alto Panorama works
Devices managed by Palo Alto Panorama are scanned implicitly. Discovery sends requests to the Panorama XML API to retrieve data about the management system itself and all connected firewalls (Managed Devices).
Discovery identifies network devices by running the following API calls:
| API call | API endpoint | Description |
|---|---|---|
Panorama.ShowSystemInfo | {api_url}/api/?type=op&cmd=<show><system><info></info></system></show> | Retrieves system information for the Palo Alto Panorama management instance. |
Panorama.ShowDevicesAll | {api_url}/api/?type=op&cmd=<show><devices><all></all></devices></show> | Retrieves a list of all devices managed by Palo Alto Panorama. |
Panorama.ShowDeviceSystemInfo | {api_url}/api/?type=op&cmd=<show><system><info></info></system></show>&target={serial} | Retrieves system information for a specific managed device. |
Panorama.ShowDeviceInterfaces | {api_url}/api/?type=op&cmd=<show><interface>all</interface></show>&target={serial} | Retrieves all network interfaces for a specific managed device. |
Panorama.ShowDeviceTunnel | {api_url}/api/?type=op&cmd=<show><running><tunnel><flow><all></all></flow></tunnel></running></show>&target={serial} | Retrieves IPsec tunnel information for a specific managed device. |
To run a Palo Alto Panorama XML API scan on an appliance
- Go to Manage > Discovery.
- Click Add New Run.
- Select API > Palo Alto Networks Panorama as the provider.
- Select the appropriate credentials from the list.
- Click OK.
During the implicit scan, a DiscoveryAccess node is created for each network device. The node has the device serial number as an endpoint.
The following example shows a DiscoveryRun visualisation:
The following example shows a list of DiscoveryAccesses:
The following example shows the Palo Alto network device discovered through the Palo Alto XML API:
