Palo Alto Firewall Keywords

The following keywords are supported in Palo Alto audits:




This must always be set to AUDIT_XML or AUDIT_REPORTS.


This keyword provides the ability to add a brief description of the check that is being performed. It is strongly recommended that the description field be unique and no distinct checks have the same description field. Tenable uses this field to automatically generate a unique plugin ID number based on the description field.


This keyword allows users to add a more detailed description to the check that is being performed. Multiple info fields are allowed with no preset limit. The info content should be enclosed in double-quotes.


This keyword describes the type of request. The Palo Alto API supports six types of requests: keygen, op, commit, reports, export, and config. For the purposes of this plugin, only request type op is exposed.


This keyword specifies the request to run on the firewall. The result of each request is cached, so subsequent requests do not result in another request. In addition, for AUDIT_REPORTS check, the default Tenable audit only includes 9 checks. To include more reports, users are encouraged to create new checks, and replace request keyword with the REST API URL after type=report. For example:



This keyword allows searching items that match a particular regex expression. If a check has regex keyword set, but no expect or not_expect keyword is set, then the check simply reports all lines matching the regex.

The compliance of a check can be determined by comparing the output of the check to either expect or not_expect keyword. There cannot be more than one compliance testing tag (i.e., either expect or not_expect can exist but not expect and not_expect).




This keyword allows auditing the config item matched by the regex keyword or if the regex keyword is not used it looks for the expect string in the entire config. The check passes as long as the config line found by regex matches the expect string or in the case where regex is not set, it passes if the expect string is found in the config.


This keyword allows searching the configuration items that should not be in the configuration. It acts as the opposite of expect. The check passes as long as the config line found by regex does not match the not_expect string or if the regex keyword is not set, it passes as long as not_expect string is not found in the config.