CLI and XML API Changes in PAN-OS 8.0
PAN-OS 8.0 has changes to existing CLI commands, which also affect the corresponding PAN-OS XML API requests. If you have a script or application that uses these requests, run the equivalent CLI commands in debug mode to view the XML API syntax.
Operational commands are preceded by a greater-than sign (>), while configuration commands are preceded by a hash (#). An asterisk (*) indicates that related commands in the same hierarchy have also changed.
Authentication CLI and XML API Changes
PAN-OS 8.0 has the following CLI and XML API changes for Authentication features:
Feature Change
Authentication policy
With Authentication policy replacing Captive Portal policy, the related CLI commands have changed:
PAN-OS 7.1 and earlier releases:
    > show running captive-portal-policy
    > test cp-policy-match *
    # show rulebase captive-portal *
    # set import resource max-cp-rules <0-4000>
    # set rulebase captive-portal *
    # set shared admin-role <name> role device webui policies captive-portal-rulebase <enable|read-only|disable>
PAN-OS 8.0 release:
    > show running authentication-policy
    > test authentication-policy-match *
    # show rulebase authentication *
    # set import resource max-auth-rules <0-4000>
    # set rulebase authentication rules *
    # set shared admin-role <name> role device webui policies authentication-rulebase <enable|read-only|disable>
Certificate management
With the introduction of decryption for Elliptic Curve Cryptography (ECC) certificates, the following CLI command has been replaced with two algorithm-specific commands:
PAN-OS 7.1 and earlier releases:
    # set deviceconfig setting ssl-decrypt fwd-proxy-server-cert-key-size <0|1024|2048>
PAN-OS 8.0 release:
    # set deviceconfig setting ssl-decrypt fwd-proxy-server-cert-key-size-rsa <0|1024|2048>
    # set deviceconfig setting ssl-decrypt fwd-proxy-server-cert-key-size-ecdsa <0|256|384>
Hardware security modules
CLI commands related to SafeNet Network HSM (formerly Luna SA) now reflect the new name:
PAN-OS 7.1 and earlier releases:
    # show deviceconfig system hsm-settings provider safenet-luna-sa *
    # set deviceconfig system hsm-settings provider safenet-luna-sa *
PAN-OS 8.0 release:
    # show deviceconfig system hsm-settings provider safenet-network *
    # set deviceconfig system hsm-settings provider safenet-network *
Content Inspection CLI and XML API Changes
PAN-OS 8.0 has the following CLI and XML API changes for content inspection features:
Feature Change
Malicious IP address feeds
With new support for malicious IP address feeds, related CLI commands have changed to support IP addresses, URLs, and domains:
PAN-OS 7.1 and earlier releases:
    # set external-list <name> *
PAN-OS 8.0 release:
    # set external-list <name> type ip *
    # set external-list <name> type predefined-ip *
    # set external-list <name> type domain *
    # set external-list <name> type url *
Applications and threats
(PAN-OS 8.0.4 only) The XML API call for retrieving detailed information on applications and threats from the firewall has changed:
PAN-OS 8.0.3 and earlier releases:
    https://<firewall>/api/?type=config&action=get&xpath=/config/predefined/threats
PAN-OS 8.0.4 and later releases:
    https://<firewall>/api/?type=op&cmd=<show><predefined><xpath>/predefined/threats</xpath></predefined></show>
GlobalProtect CLI and XML API Changes
PAN-OS 8.0 has the following CLI and XML API changes for GlobalProtect features:
Feature Change
IPv6 support
With the introduction of IPv6 support in GlobalProtect, the following CLI commands have been replaced with two protocol-specific commands:
PAN-OS 7.1 and earlier releases:
    # set global-protect global-protect-portal <name> portal-config local-address ip <value>
PAN-OS 8.0 release:
    # set global-protect global-protect-portal <name> portal-config local-address ip ipv4 <value>
    # set global-protect global-protect-portal <name> portal-config local-address ip ipv6 <value>
PAN-OS 7.1 and earlier releases:
    # set global-protect global-protect-portal <name> portal-config local-address floating-ip <value>
PAN-OS 8.0 release:
    # set global-protect global-protect-portal <name> portal-config local-address floating-ip ipv4 <value>
    # set global-protect global-protect-portal <name> portal-config local-address floating-ip ipv6 <value>
Management CLI and XML API Changes
PAN-OS 8.0 has the following CLI and XML API changes for firewall and Panorama management features:
Feature Change
Log retention on Log Collectors
(PAN-OS 8.0.2 and later releases) The operational command to determine the effective log retention periods on Log Collectors has changed. In certain cases, the effective retention period for each log type differs from its configured retention period (Panorama > Collector Groups > <Collector_Group> > General > Log Storage). This happens when the amount of used storage approaches the maximum quota for a log type, forcing the Log Collector to delete the oldest logs of that type even if those logs don't exceed the configured retention period. The Log Collector deletes old logs to clear space for new logs.
PAN-OS 8.0.1 and earlier releases:
    > show system logdb-quota
PAN-OS 8.0.2 and later releases:
On Dedicated Log Collectors, the command is:
    > show log-collector-es-indices
On the Panorama management server (local Log Collectors), the command for each Collector Group is:
    > show log-collector-es-indices log-collector-grp-name <CG_name>
You can determine the effective retention periods by checking the dates of the Oldest indices in the command output. Each index has the format pan_<year><month><day>_<log_type>, where <year><month><day> indicates the date of the index. In the following example, the oldest Configuration and System logs (cfgsys) are dated February 2, 2017 (20170202) and the oldest Traffic Summary logs (trsum) are dated February 14, 2017 (20170214).
    Oldest indices:
    pan_20170202_cfgsys_0007se00004
    pan_20170214_trsum_0007se00004
Log forwarding
With the introduction of selective log forwarding based on log attributes, you must now specify the name of a custom-filter match list in related CLI commands:
PAN-OS 7.1 and earlier releases:
    # show shared log-settings system *
    # set shared log-settings system *
    # show shared log-settings config *
    # set shared log-settings config *
    # show shared log-settings hipmatch *
    # set shared log-settings hipmatch *
    # show shared log-settings profiles <name> *
    # set shared log-settings profiles <name> *
PAN-OS 8.0 release:
    # show shared log-settings system match-list *
    # set shared log-settings system match-list *
    # show shared log-settings config match-list *
    # set shared log-settings config match-list *
    # show shared log-settings hipmatch match-list *
    # set shared log-settings hipmatch match-list *
    # show shared log-settings profiles <name> match-list *
    # set shared log-settings profiles <name> match-list *
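The effective-retention check described under "Log retention on Log Collectors" above can be automated. The following Python is an added example, not Palo Alto Networks code: the function names are this example's own, it assumes log type names contain no underscore, it does not interpret the suffix after the log type, and the third sample line and the required-retention values are constructed.

```python
import re
from datetime import date

# Index layout from the page: pan_<year><month><day>_<log_type>. Whatever
# follows the log type is ignored. Every index name in the text is read, so
# newer indices in the output do not change the per-type minimum.
INDEX_RE = re.compile(r"\bpan_(\d{4})(\d{2})(\d{2})_([a-z0-9]+)")

def oldest_by_log_type(output):
    """Return {log_type: date of the oldest index seen for that type}."""
    oldest = {}
    for m in INDEX_RE.finditer(output):
        year, month, day, log_type = m.groups()
        try:
            d = date(int(year), int(month), int(day))
        except ValueError:
            continue  # date part is not a real calendar date; skip the name
        if log_type not in oldest or d < oldest[log_type]:
            oldest[log_type] = d
    return oldest

def effective_retention_days(output, today):
    """Days between the oldest index of each log type and `today`."""
    return {t: (today - d).days for t, d in oldest_by_log_type(output).items()}

def below_required(output, today, required_days):
    """Log types holding fewer days of logs than required_days[type].
    A recently deployed collector is also reported here, so check its age."""
    eff = effective_retention_days(output, today)
    return sorted(t for t, n in eff.items() if n < required_days.get(t, 0))

# First two index names are the page's example; the third is constructed.
SAMPLE = """Oldest indices:
pan_20170202_cfgsys_0007se00004
pan_20170214_trsum_0007se00004
pan_20170210_cfgsys_0007se00004
"""

if __name__ == "__main__":
    today = date(2017, 3, 1)  # constructed reference date
    print(effective_retention_days(SAMPLE, today))
    print(below_required(SAMPLE, today, {"cfgsys": 30, "trsum": 14}))
```

Comparing the result against the configured retention period for each log type shows where quota pressure is deleting logs earlier than an audit or investigation window expects.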
User-ID CLI and XML API Changes
PAN-OS 8.0 has the following CLI and XML API changes for User-ID features:
Feature Change
IP address-to-username mapping
The operational command to clear User-ID mappings for all IP addresses or a specific IP address has changed:
PAN-OS 7.1 and earlier releases:
    > clear user-cache [all | ip]
PAN-OS 8.0 release:
    > clear ipuser-cache [all | ip]
The User-ID commands to clear user mappings from the dataplane have changed:
PAN-OS 7.1 and earlier releases:
    > clear uid-gids-cache uid <1-2147483647>
    > clear uid-gids-cache all
PAN-OS 8.0 release:
    > clear uid-cache uid <1-2147483647>
    > clear uid-cache all
PAN-OS integrated User-ID agent
CLI commands related to configuring the User-ID agent must now include host-port:
PAN-OS 7.1 and earlier releases:
    # set user-id-agent <name> host <ip/netmask>|<value>
    # set user-id-agent <name> port <1-65535>
    # set user-id-agent <name> ntlm-auth <yes|no>
    # set user-id-agent <name> ldap-proxy <yes|no>
    # set user-id-agent <name> collectorname <value>
    # set user-id-agent <name> secret <value>
PAN-OS 8.0 release:
    # set user-id-agent <name> host-port host <ip/netmask>|<value>
    # set user-id-agent <name> host-port port <1-65535>
    # set user-id-agent <name> host-port ntlm-auth <yes|no>
    # set user-id-agent <name> host-port ldap-proxy <yes|no>
    # set user-id-agent <name> host-port collectorname <value>
    # set user-id-agent <name> host-port secret <value>
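For the scripts and applications mentioned at the top of this page, the following added Python example (not Palo Alto Networks code) scans automation text for the PAN-OS 7.1-era syntax listed in the tables above and reports the PAN-OS 8.0 form. The names RULES and lint, the regular expressions and the sample script are this example's own; the command strings come from this page.

```python
import re

# Each rule: (regex for PAN-OS 7.1-era syntax, PAN-OS 8.0 form named on this page).
# Lookaheads keep the 8.0 forms themselves from being reported.
RULES = [
    (r"\bshow running captive-portal-policy\b", "show running authentication-policy"),
    (r"\btest cp-policy-match\b", "test authentication-policy-match"),
    (r"\brulebase captive-portal\b", "rulebase authentication"),
    (r"\bmax-cp-rules\b", "max-auth-rules"),
    (r"\bcaptive-portal-rulebase\b", "authentication-rulebase"),
    (r"\bfwd-proxy-server-cert-key-size(?!-(?:rsa|ecdsa)\b)",
     "fwd-proxy-server-cert-key-size-rsa or -ecdsa"),
    (r"\bsafenet-luna-sa\b", "safenet-network"),
    (r"\bset external-list \S+ (?!type\b)", "set external-list <name> type ..."),
    (r"\blocal-address (?:floating-)?ip (?!ipv[46]\b)", "local-address ... ip ipv4|ipv6"),
    (r"\blog-settings (?:system|config|hipmatch|profiles \S+)(?=\s|$)(?!\s+match-list\b)",
     "log-settings ... match-list"),
    (r"\bclear user-cache\b", "clear ipuser-cache"),
    (r"\bclear uid-gids-cache\b", "clear uid-cache"),
    (r"\buser-id-agent \S+ (?:host|port|ntlm-auth|ldap-proxy|collectorname|secret)\s",
     "user-id-agent <name> host-port ..."),
    (r"type=config&action=get&xpath=/config/predefined/threats",
     "type=op&cmd=<show><predefined><xpath>/predefined/threats</xpath></predefined></show>"),
]
COMPILED = [(re.compile(p), hint) for p, hint in RULES]

def lint(script_text):
    """Return (line number, matched 7.1-era text, 8.0 form) for each finding."""
    findings = []
    for lineno, line in enumerate(script_text.splitlines(), start=1):
        for pattern, hint in COMPILED:
            m = pattern.search(line)
            if m:
                findings.append((lineno, m.group(0).strip(), hint))
    return findings

# Constructed sample script: lines 1, 2, 4 and 6 use 7.1-era syntax.
SAMPLE = """\
set import resource max-cp-rules 500
set deviceconfig setting ssl-decrypt fwd-proxy-server-cert-key-size 2048
set deviceconfig setting ssl-decrypt fwd-proxy-server-cert-key-size-ecdsa 256
clear user-cache all
clear ipuser-cache all
set user-id-agent agent1 port 5007
set user-id-agent agent1 host-port port 5007
"""

if __name__ == "__main__":
    for lineno, old, new in lint(SAMPLE):
        print(f"line {lineno}: '{old}' -> use '{new}'")
```

A finding is a prompt to re-check the command in debug mode on a PAN-OS 8.0 device, since the asterisked entries cover whole hierarchies rather than single commands.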
