Palo Alto Networks

AIOps for NGFW BPA API

A REST API for the AIOps Best Practice Assessment service that programmatically generates firewall configuration assessments against Palo Alto Networks best practice recommendations. The API supports generating BPA data, checking report status, and retrieving assessment reports in JSON format. Available for both free and premium AIOps for NGFW instances. Helps identify configuration gaps and security improvement opportunities.

GitHub OpenAPI

Documentation

📖
Documentation
https://pan.dev/aiops-ngfw-bpa/api/

Specifications

OpenAPI
https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/openapi/palo-alto-aiops-ngfw-bpa-api-openapi-original.yml

Examples

📝
Example
https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/examples/aiops-ngfw-bpa-api-bpa-check-example.json
📝
Example
https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/examples/aiops-ngfw-bpa-api-bpa-report-example.json
📝
Example
https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/examples/aiops-ngfw-bpa-api-bpa-request-example.json
📝
Example
https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/examples/aiops-ngfw-bpa-api-bpa-request-status-example.json

Schemas & Data

📊
JSONSchema
https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/json-schema/aiops-ngfw-bpa-api-bpa-check-schema.json
📊
JSONSchema
https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/json-schema/aiops-ngfw-bpa-api-bpa-report-schema.json
📊
JSONSchema
https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/json-schema/aiops-ngfw-bpa-api-bpa-request-schema.json
📊
JSONSchema
https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/json-schema/aiops-ngfw-bpa-api-bpa-request-status-schema.json
📊
JSONStructure
https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/json-structure/aiops-ngfw-bpa-api-bpa-check-structure.json
📊
JSONStructure
https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/json-structure/aiops-ngfw-bpa-api-bpa-report-structure.json
📊
JSONStructure
https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/json-structure/aiops-ngfw-bpa-api-bpa-request-status-structure.json
📊
JSONStructure
https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/json-structure/aiops-ngfw-bpa-api-bpa-request-structure.json

Other Resources

🔗
JSONLD
https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/json-ld/palo-alto-aiops-ngfw-bpa-api-context.jsonld

OpenAPI Specification

palo-alto-aiops-ngfw-bpa-api-openapi-original.yml Raw ↑ 
openapi: 3.1.0
info:
  title: Palo Alto Networks AIOps for NGFW BPA API
  description: >-
    AIOps for NGFW Best Practice Assessment (BPA) API. Provides programmatic
    access to submit BPA requests for Palo Alto Networks next-generation
    firewalls, check request processing status, and retrieve completed
    assessment reports. BPA reports analyze firewall configurations against
    Palo Alto Networks best practices and security benchmarks, identifying
    gaps and providing remediation guidance to improve security posture.
    Part of the Strata Cloud Manager platform.
  version: '1.0'
  contact:
    name: Palo Alto Networks Developer Support
    url: https://pan.dev/
  license:
    name: Proprietary
    url: https://www.paloaltonetworks.com/legal
servers:
- url: https://api.stratacloud.paloaltonetworks.com/aiops/bpa/v1
  description: AIOps for NGFW BPA API production server.
security:
- oauth2Bearer: []
tags:
- name: BPA Reports
  description: Completed assessment report retrieval.
- name: BPA Requests
  description: Best Practice Assessment request submission and status tracking.
paths:
  /requests:
    post:
      operationId: submitBPARequest
      summary: Palo Alto Networks Submit BPA Request
      description: >-
        Submits a Best Practice Assessment request for a specific NGFW
        device. The request requires the device serial number, PAN-OS
        version, and optional device information. The assessment runs
        asynchronously; use the returned request ID to check status and
        retrieve the report when complete.
      tags:
      - BPA Requests
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/BPARequest'
            examples:
              SubmitBparequestRequestExample:
                summary: Default submitBPARequest request
                x-microcks-default: true
                value:
                  serial_number: 4B89BF130877
                  version: 9.6.8
                  device_info: &id001
                    hostname: host-f367
                    model: VM-300
                    deployment_type: vm
      responses:
        '201':
          description: BPA request submitted successfully.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/BPARequestStatus'
              examples:
                SubmitBparequest201Example:
                  summary: Default submitBPARequest 201 response
                  x-microcks-default: true
                  value:
                    request_id: f629a7fb-33c3-4361-a3f4-c438e2f4f747
                    serial_number: 94C0577F8429
                    status: processing
                    report_id: '336271'
                    error_message: example-error_message
                    submitted_at: '2025-11-24T06:05:16Z'
                    completed_at: '2024-08-27T07:28:12Z'
        '400':
          description: Invalid request body or unsupported PAN-OS version.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
              examples:
                SubmitBparequest400Example:
                  summary: Default submitBPARequest 400 response
                  x-microcks-default: true
                  value:
                    error: example-error
                    message: Violation alert configured endpoint policy policy policy.
                    request_id: e0526af9-36bf-48c4-80c9-db1fb17c933f
        '401':
          description: Invalid or missing Bearer token.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
              examples:
                SubmitBparequest401Example:
                  summary: Default submitBPARequest 401 response
                  x-microcks-default: true
                  value:
                    error: example-error
                    message: Violation alert configured endpoint policy policy policy.
                    request_id: e0526af9-36bf-48c4-80c9-db1fb17c933f
        '403':
          description: Insufficient permissions or device not registered to this tenant.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
              examples:
                SubmitBparequest403Example:
                  summary: Default submitBPARequest 403 response
                  x-microcks-default: true
                  value:
                    error: example-error
                    message: Violation alert configured endpoint policy policy policy.
                    request_id: e0526af9-36bf-48c4-80c9-db1fb17c933f
        '409':
          description: A BPA request is already in progress for this device.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
              examples:
                SubmitBparequest409Example:
                  summary: Default submitBPARequest 409 response
                  x-microcks-default: true
                  value:
                    error: example-error
                    message: Violation alert configured endpoint policy policy policy.
                    request_id: e0526af9-36bf-48c4-80c9-db1fb17c933f
        '500':
          description: Internal server error.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
              examples:
                SubmitBparequest500Example:
                  summary: Default submitBPARequest 500 response
                  x-microcks-default: true
                  value:
                    error: example-error
                    message: Violation alert configured endpoint policy policy policy.
                    request_id: e0526af9-36bf-48c4-80c9-db1fb17c933f
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
  /requests/{request_id}:
    get:
      operationId: getBPARequestStatus
      summary: Palo Alto Networks Check BPA Request Status
      description: >-
        Returns the current processing status of a submitted BPA request.
        When the status is completed, the response includes the report ID
        which can be used to retrieve the full assessment report. Request
        records are retained for 30 days after completion.
      tags:
      - BPA Requests
      parameters:
      - name: request_id
        in: path
        required: true
        description: Unique identifier of the BPA request.
        schema:
          type: string
        example: bd9572c6-1b76-43a0-aa1c-3157a63cc89d
      responses:
        '200':
          description: BPA request status returned.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/BPARequestStatus'
              examples:
                GetBparequestStatus200Example:
                  summary: Default getBPARequestStatus 200 response
                  x-microcks-default: true
                  value:
                    request_id: f629a7fb-33c3-4361-a3f4-c438e2f4f747
                    serial_number: 94C0577F8429
                    status: processing
                    report_id: '336271'
                    error_message: example-error_message
                    submitted_at: '2025-11-24T06:05:16Z'
                    completed_at: '2024-08-27T07:28:12Z'
        '401':
          description: Invalid or missing Bearer token.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
              examples:
                GetBparequestStatus401Example:
                  summary: Default getBPARequestStatus 401 response
                  x-microcks-default: true
                  value:
                    error: example-error
                    message: Violation alert configured endpoint policy policy policy.
                    request_id: e0526af9-36bf-48c4-80c9-db1fb17c933f
        '403':
          description: Insufficient permissions.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
              examples:
                GetBparequestStatus403Example:
                  summary: Default getBPARequestStatus 403 response
                  x-microcks-default: true
                  value:
                    error: example-error
                    message: Violation alert configured endpoint policy policy policy.
                    request_id: e0526af9-36bf-48c4-80c9-db1fb17c933f
        '404':
          description: BPA request not found or expired.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
              examples:
                GetBparequestStatus404Example:
                  summary: Default getBPARequestStatus 404 response
                  x-microcks-default: true
                  value:
                    error: example-error
                    message: Violation alert configured endpoint policy policy policy.
                    request_id: e0526af9-36bf-48c4-80c9-db1fb17c933f
        '500':
          description: Internal server error.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
              examples:
                GetBparequestStatus500Example:
                  summary: Default getBPARequestStatus 500 response
                  x-microcks-default: true
                  value:
                    error: example-error
                    message: Violation alert configured endpoint policy policy policy.
                    request_id: e0526af9-36bf-48c4-80c9-db1fb17c933f
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
  /reports/{report_id}:
    get:
      operationId: getBPAReport
      summary: Palo Alto Networks Get BPA Report
      description: >-
        Returns the completed Best Practice Assessment report for a device.
        The report includes an overall score, category-level scores, pass
        and fail summaries, and a prioritized list of recommendations for
        improving the device's security posture against PAN-OS best practices.
      tags:
      - BPA Reports
      parameters:
      - name: report_id
        in: path
        required: true
        description: Unique identifier of the BPA report.
        schema:
          type: string
        example: '966889'
      responses:
        '200':
          description: BPA report returned.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/BPAReport'
              examples:
                GetBpareport200Example:
                  summary: Default getBPAReport 200 response
                  x-microcks-default: true
                  value:
                    report_id: '250039'
                    request_id: 9512acfa-8bcf-4c16-b52c-b00b20d8bf8d
                    serial_number: D44EF27DA5D9
                    pan_os_version: 10.6.9
                    overall_score: 52.32
                    category_scores: &id002
                    - category: standard
                      score: 90.68
                      passed: 768
                      failed: 933
                      not_applicable: 433
                    total_checks: 185
                    passed_checks: 690
                    failed_checks: 850
                    generated_at: '2024-04-04T12:31:31Z'
        '401':
          description: Invalid or missing Bearer token.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
              examples:
                GetBpareport401Example:
                  summary: Default getBPAReport 401 response
                  x-microcks-default: true
                  value:
                    error: example-error
                    message: Violation alert configured endpoint policy policy policy.
                    request_id: e0526af9-36bf-48c4-80c9-db1fb17c933f
        '403':
          description: Insufficient permissions.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
              examples:
                GetBpareport403Example:
                  summary: Default getBPAReport 403 response
                  x-microcks-default: true
                  value:
                    error: example-error
                    message: Violation alert configured endpoint policy policy policy.
                    request_id: e0526af9-36bf-48c4-80c9-db1fb17c933f
        '404':
          description: Report not found.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
              examples:
                GetBpareport404Example:
                  summary: Default getBPAReport 404 response
                  x-microcks-default: true
                  value:
                    error: example-error
                    message: Violation alert configured endpoint policy policy policy.
                    request_id: e0526af9-36bf-48c4-80c9-db1fb17c933f
        '500':
          description: Internal server error.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
              examples:
                GetBpareport500Example:
                  summary: Default getBPAReport 500 response
                  x-microcks-default: true
                  value:
                    error: example-error
                    message: Violation alert configured endpoint policy policy policy.
                    request_id: e0526af9-36bf-48c4-80c9-db1fb17c933f
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
  /reports/{report_id}/checks:
    get:
      operationId: getBPAReportChecks
      summary: Palo Alto Networks Get BPA Report Check Details
      description: >-
        Returns the individual check results from a BPA report. Each check
        corresponds to a specific best practice recommendation and includes
        its pass/fail status, current configuration state, and remediation
        guidance. Supports filtering by category and status.
      tags:
      - BPA Reports
      parameters:
      - name: report_id
        in: path
        required: true
        description: Unique identifier of the BPA report.
        schema:
          type: string
        example: '101187'
      - name: category
        in: query
        description: Filter checks by best practice category.
        schema:
          type: string
          enum:
          - device_management
          - security_policies
          - nat_policies
          - decryption
          - threat_prevention
          - url_filtering
          - wildfire
          - dns_security
          - globalprotect
        example: globalprotect
      - name: status
        in: query
        description: Filter checks by result status.
        schema:
          type: string
          enum:
          - pass
          - fail
          - not_applicable
        example: pass
      - name: offset
        in: query
        description: Number of results to skip for pagination.
        schema:
          type: integer
          default: 0
        example: 0
      - name: limit
        in: query
        description: Maximum number of checks to return.
        schema:
          type: integer
          default: 50
          maximum: 200
        example: 50
      responses:
        '200':
          description: BPA report checks returned.
          content:
            application/json:
              schema:
                type: object
                properties:
                  total:
                    type: integer
                  offset:
                    type: integer
                  limit:
                    type: integer
                  items:
                    type: array
                    items:
                      $ref: '#/components/schemas/BPACheck'
              examples:
                GetBpareportChecks200Example:
                  summary: Default getBPAReportChecks 200 response
                  x-microcks-default: true
                  value:
                    total: 596
                    offset: 841
                    limit: 279
                    items:
                    - check_id: '147583'
                      category: standard
                      name: Branch Firewall 76
                      description: Malware investigation on policy blocked endpoint rule threat.
                      status: not_applicable
                      severity: high
                      current_value: example-current_value
                      recommended_value: example-recommended_value
                      remediation: example-remediation
                      references: &id003
                      - https://vpn.example.com/858ba3
                      - https://login.acme-systems.org/a6c881
        '400':
          description: Invalid query parameters.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
              examples:
                GetBpareportChecks400Example:
                  summary: Default getBPAReportChecks 400 response
                  x-microcks-default: true
                  value:
                    error: example-error
                    message: Violation alert configured endpoint policy policy policy.
                    request_id: e0526af9-36bf-48c4-80c9-db1fb17c933f
        '401':
          description: Invalid or missing Bearer token.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
              examples:
                GetBpareportChecks401Example:
                  summary: Default getBPAReportChecks 401 response
                  x-microcks-default: true
                  value:
                    error: example-error
                    message: Violation alert configured endpoint policy policy policy.
                    request_id: e0526af9-36bf-48c4-80c9-db1fb17c933f
        '403':
          description: Insufficient permissions.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
              examples:
                GetBpareportChecks403Example:
                  summary: Default getBPAReportChecks 403 response
                  x-microcks-default: true
                  value:
                    error: example-error
                    message: Violation alert configured endpoint policy policy policy.
                    request_id: e0526af9-36bf-48c4-80c9-db1fb17c933f
        '404':
          description: Report not found.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
              examples:
                GetBpareportChecks404Example:
                  summary: Default getBPAReportChecks 404 response
                  x-microcks-default: true
                  value:
                    error: example-error
                    message: Violation alert configured endpoint policy policy policy.
                    request_id: e0526af9-36bf-48c4-80c9-db1fb17c933f
        '500':
          description: Internal server error.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
              examples:
                GetBpareportChecks500Example:
                  summary: Default getBPAReportChecks 500 response
                  x-microcks-default: true
                  value:
                    error: example-error
                    message: Violation alert configured endpoint policy policy policy.
                    request_id: e0526af9-36bf-48c4-80c9-db1fb17c933f
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
components:
  securitySchemes:
    oauth2Bearer:
      type: http
      scheme: bearer
      bearerFormat: JWT
      description: >-
        OAuth 2.0 Bearer token for SASE platform authentication. Obtain
        using the client_credentials grant with your SASE service account
        client ID and client secret.
  schemas:
    BPARequest:
      type: object
      required:
      - serial_number
      - version
      properties:
        serial_number:
          type: string
          description: Device serial number of the NGFW to assess.
          example: 4B89BF130877
        version:
          type: string
          description: PAN-OS software version running on the device (e.g., 11.1.2).
          pattern: '^\d+\.\d+(\.\d+)?(-h\d+)?$'
          example: 9.6.8
        device_info:
          type: object
          description: Optional supplementary device information.
          properties:
            hostname:
              type: string
              description: Device hostname.
              example: host-d228
            model:
              type: string
              description: Device model (e.g., PA-5450, PA-440).
              example: VM-300
            deployment_type:
              type: string
              enum:
              - physical
              - vm
              - container
              description: Device deployment type.
              example: vm
          example: *id001
    BPARequestStatus:
      type: object
      properties:
        request_id:
          type: string
          description: Unique identifier of the BPA request.
          example: f629a7fb-33c3-4361-a3f4-c438e2f4f747
        serial_number:
          type: string
          description: Device serial number for which the assessment was submitted.
          example: 94C0577F8429
        status:
          type: string
          enum:
          - pending
          - processing
          - completed
          - failed
          description: Current processing status of the request.
          example: processing
        report_id:
          type: string
          description: >-
            Report identifier available when status is completed. Use with
            GET /reports/{report_id} to retrieve the full report.
          example: '336271'
        error_message:
          type: string
          description: Error description when status is failed.
          example: example-error_message
        submitted_at:
          type: string
          format: date-time
          description: Timestamp when the request was submitted.
          example: '2025-11-24T06:05:16Z'
        completed_at:
          type: string
          format: date-time
          description: Timestamp when processing completed.
          example: '2024-08-27T07:28:12Z'
    BPAReport:
      type: object
      properties:
        report_id:
          type: string
          description: Unique identifier of the report.
          example: '250039'
        request_id:
          type: string
          description: ID of the BPA request that generated this report.
          example: 9512acfa-8bcf-4c16-b52c-b00b20d8bf8d
        serial_number:
          type: string
          description: Device serial number assessed.
          example: D44EF27DA5D9
        pan_os_version:
          type: string
          description: PAN-OS version assessed.
          example: 10.6.9
        overall_score:
          type: number
          format: float
          description: Overall best practice compliance score from 0.0 to 100.0.
          minimum: 0.0
          maximum: 100.0
          example: 52.32
        category_scores:
          type: array
          description: Compliance scores broken down by best practice category.
          items:
            type: object
            properties:
              category:
                type: string
                description: Best practice category name.
                example: standard
              score:
                type: number
                format: float
                description: Category compliance score (0.0 to 100.0).
                example: 15.77
              passed:
                type: integer
                description: Number of checks that passed in this category.
                example: 249
              failed:
                type: integer
                description: Number of checks that failed in this category.
                example: 83
              not_applicable:
                type: integer
                description: Number of checks not applicable to this device.
                example: 429
          example: *id002
        total_checks:
          type: integer
          description: Total number of checks evaluated.
          example: 185
        passed_checks:
          type: integer
          description: Number of checks that passed.
          example: 690
        failed_checks:
          type: integer
          description: Number of checks that failed.
          example: 850
        generated_at:
          type: string
          format: date-time
          description: Timestamp when the report was generated.
          example: '2024-04-04T12:31:31Z'
    BPACheck:
      type: object
      properties:
        check_id:
          type: string
          description: Unique identifier of the check.
          example: '147583'
        category:
          type: string
          description: Best practice category this check belongs to.
          example: standard
        name:
          type: string
          description: Name of the best practice check.
          example: Branch Firewall 76
        description:
          type: string
          description: Description of what this check evaluates.
          example: Malware investigation on policy blocked endpoint rule threat.
        status:
          type: string
          enum:
          - pass
          - fail
          - not_applicable
          description: Result status of this check.
          example: not_applicable
        severity:
          type: string
          enum:
          - informational
          - low
          - medium
          - high
          - critical
          description: Severity if this check fails.
          example: high
        current_value:
          type: string
          description: Current configuration value found on the device.
          example: example-current_value
        recommended_value:
          type: string
          description: Recommended configuration value per best practices.
          example: example-recommended_value
        remediation:
          type: string
          description: Step-by-step remediation guidance for failed checks.
          example: example-remediation
        references:
          type: array
          items:
            type: string
            format: uri
          description: Reference URLs with additional guidance.
          example: *id003
    ErrorResponse:
      type: object
      properties:
        error:
          type: string
          description: Error code identifying the error type.
          example: example-error
        message:
          type: string
          description: Human-readable description of the error.
          example: Violation alert configured endpoint policy policy policy.
        request_id:
          type: string
          description: Request identifier for support correlation.
          example: e0526af9-36bf-48c4-80c9-db1fb17c933f