Activating and Deactivating Auth Codes for PAN-OS via API
One the benefits of Palo Alto Networks' VM-Series is that licences can be moved between deployment scenarios; from private cloud to public cloud, between different public cloud providers, and many other scenarios. The process for this requires activation and deactivation of licences. This article describes the steps to activate and deactivate licence auth codes using the PAN-OS API. This is useful for programmatically provisioning VM-Series via scripting or automation toolsets. Details are correct as of PAN-OS 8.1.3, and whilst the examples shown are for a VM-Series running in Microsoft Azure, they should be generally applicable to other deployment scenarios.
Note: replace all {{variables}} with your own values.
In the Customer Support Portal we have an auth code for VM-300 with no VM-Series provisioned:
Screen-Shot-2018-08-03-at-10.44.37-1
The VM-Series virtual appliance is currently unlicensed:
Screen-Shot-2018-08-03-at-10.49.36-1
The VM-Series therefore also has no serial number:
Screen-Shot-2018-08-03-at-10.49.26-1
The following API call installs the auth code on the VM-Series:
https://{{vm-series-hostname-or-ip}}/api/?type=op&cmd=<request><license><install>license-authcode</install></license></request>&key={{vm-series-api-key}}
The expected response is:
VM Device License installed. Restarting pan services.
Screen-Shot-2018-08-03-at-11.00.11-1
Following the activation, the Customer Support Portal should show a VM-Series has been provisioned:
Screen-Shot-2018-08-03-at-11.02.31
The VM-Series is now licensed:
Screen-Shot-2018-08-03-at-11.03.53
The VM-Series also now has a serial number:
Screen-Shot-2018-08-03-at-11.03.46
The VM-Series is now ready for use.
To decommission the VM-Series and release the licence, a licence deactivation API key is required. This can be obtained from the Customer Support Portal, go to Assets->Licensing API:
Screen-Shot-2018-08-03-at-11.11.28
The following API call installs the licence deactivation API key on the VM-Series:
https://{{vm-series-hostname-or-ip}}/api/?type=op&cmd=<request><license><api-key><set><key>license-deactivation-api-key</key></set></api-key></license></request>&key={{vm-series-api-key}}
The expected response is:
API Key is successfully set
Screen-Shot-2018-08-03-at-11.10.28
The next API call deactivates the VM-Series licenses:
https://{{vm-series-hostname-or-ip}}/api/?type=op&cmd=<request><license><deactivate><VM-Capacity><mode>auto</mode></VM-Capacity></deactivate></license></request>&key={{vm-series-api-key}}
The expected response is:
serial-number Success
serial-number Success
serial-number Success
serial-number Success
serial-number Success
Successfully deactivated old keys.
Screen-Shot-2018-08-03-at-11.13.04
Note that the number of lines within the response showing successful licence deactivation will depend on the number of feature licences activated on the VM-Series.
The VM-Series is not successfully deactivated. The Customer Support Portal will also update to show a VM-Series has be de-provisioned:
Screen-Shot-2018-08-03-at-11.15.00
--- home --- twitter --- linkedin ---