
Palo Alto Networks PAN-OS

The Palo Alto Networks adapter uses the PAN-OS XML API to terminate guest WiFi sessions. Unlike the RADIUS-based adapters (Fortinet, Cisco), this adapter communicates directly with the firewall's management interface over HTTPS.

Prerequisites

  • PAN-OS 9.0 or later.
  • An API key with permissions to manage User-ID mappings and terminate sessions.
  • HTTPS access from the Atrium Agent to the firewall's management interface (typically port 443).

Generating an API key

  1. Log in to the PAN-OS web interface.
  2. Navigate to Device → Administrators and create a dedicated service account for Atrium (or use an existing one with appropriate permissions).
  3. Generate an API key:
    https://<firewall>/api/?type=keygen&user=<username>&password=<password>
  4. Copy the API key from the response.

The service account needs permissions for User-ID operations. Limit the account's role to the minimum required — it does not need full admin access.

Agent configuration

Configure the Palo Alto Networks adapter in the Agent's environment:

Variable             Value
FIREWALL_ADAPTER     palo-alto
FIREWALL_HOST        IP or hostname of the PAN-OS management interface
FIREWALL_API_KEY     The API key generated above
FIREWALL_VERIFY_TLS  true (set to false only if using self-signed certificates)

How termination works

When a visit ends, the adapter:

  1. Queries the firewall for active sessions matching the visitor's IP address (obtained via RADIUS Accounting / session tracking).
  2. Sends a User-ID logout command to remove the IP-to-user mapping.
  3. Optionally sends a session termination command to disconnect the active session.

PAN-OS's User-ID integration is the mechanism used — removing the user mapping effectively de-authorizes the session. The exact behavior (immediate disconnect vs. gradual timeout) depends on your PAN-OS security policy configuration.
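
Steps 2 and 3 above, written out as PAN-OS XML API requests. This is an added sketch, not Atrium's adapter code: the function names, the `user` and `ca_file` parameters, and the choice to clear sessions by source-IP filter are assumptions.

```python
import ipaddress
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

def logout_cmd(user, ip):
    """User-ID message that removes one IP-to-user mapping (step 2)."""
    ip = str(ipaddress.ip_address(ip))  # raises ValueError on anything but an IP
    return ("<uid-message><version>1.0</version><type>update</type><payload>"
            f"<logout><entry name={quoteattr(user)} ip={quoteattr(ip)}/></logout>"
            "</payload></uid-message>")

def clear_sessions_cmd(ip):
    """Operational command that clears sessions sourced from the IP (step 3)."""
    ip = str(ipaddress.ip_address(ip))
    return ("<clear><session><all><filter>"
            f"<source>{ip}</source></filter></all></session></clear>")

def build_request(host, api_key, api_type, cmd):
    """POST the command; the key travels in X-PAN-KEY, not in the URL."""
    body = urllib.parse.urlencode({"type": api_type, "cmd": cmd}).encode()
    return urllib.request.Request(
        f"https://{host}/api/", data=body, method="POST",
        headers={"X-PAN-KEY": api_key,
                 "Content-Type": "application/x-www-form-urlencoded"})

def check_response(xml_text):
    """Return the parsed reply, or raise unless status="success"."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        detail = " ".join("".join(root.itertext()).split())
        raise RuntimeError(f"PAN-OS API error: {detail}")
    return root

def terminate(host, api_key, user, ip, ca_file=None, clear_sessions=True):
    """Run steps 2 and 3 against the firewall with certificate checks on."""
    # ca_file: PEM bundle for a private CA, instead of disabling verification.
    ctx = ssl.create_default_context(cafile=ca_file)
    steps = [("user-id", logout_cmd(user, ip))]
    if clear_sessions:
        steps.append(("op", clear_sessions_cmd(ip)))
    for api_type, cmd in steps:
        req = build_request(host, api_key, api_type, cmd)
        with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
            check_response(resp.read().decode())
```

Validating the address before it is interpolated keeps a malformed visitor IP from altering the XML command, and sending the key as a header keeps it out of request URLs that proxies and web servers commonly log.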

Troubleshooting

Issue                      Possible cause
API connection refused     Firewall management interface not reachable from Agent. Check network routing and firewall rules.
403 / Invalid credentials  API key is incorrect or the service account lacks User-ID permissions.
Session not terminated     The visitor's IP mapping may not exist in PAN-OS (RADIUS Accounting not configured or IP tracking incomplete).
TLS errors                 Self-signed certificate on the firewall. Set FIREWALL_VERIFY_TLS=false or add the CA to the Agent's trust store.