Examples

Set up your Python environment

  1. Install pan-python
  2. Clone or install pan-os-python
  3. Run a script

For example:

pip install pan-python
git clone https://github.com/PaloAltoNetworks/pan-os-python
cd pan-os-python/examples
python example.py -h

Replace example.py with the name of the script to run.

Example scripts

upgrade.py

This script upgrades a Palo Alto Networks firewall or Panorama to the specified version. It takes care of all intermediate upgrades and reboots.

Usage:

upgrade.py [-h] [-v] [-q] [-n] hostname username password version

Examples:

Upgrade a firewall at 10.0.0.1 to PAN-OS 7.0.0:

$ python upgrade.py 10.0.0.1 admin password 7.0.0

Upgrade a Panorama at 172.16.4.4 to the latest Panorama version:

$ python upgrade.py 172.16.4.4 admin password latest

View the code in upgrade.py

userid.py

Update User-ID by adding or removing a user-to-IP mapping on the firewall.

Usage:

userid.py [-h] [-v] [-q] hostname username password action user ip

Examples:

Send a User-ID login event to a firewall at 10.0.0.1:

$ python userid.py 10.0.0.1 admin password login exampledomain/user1 4.4.4.4

Send a User-ID logout event to a firewall at 172.16.4.4:

$ python userid.py 172.16.4.4 admin password logout user2 5.1.2.2

View the code in userid.py

dyn_address_group.py

Tag or untag IP addresses for Dynamic Address Groups on a firewall.

Usage:

dyn_address_group.py [-h] [-v] [-q] [-u] [-c] hostname username password ip tags

Examples:

Tag the IP 3.3.3.3 with the tags ‘linux’ and ‘apache’:

$ python dyn_address_group.py -r linux,apache 10.0.0.1 admin password 3.3.3.3

Remove the tag apache from the IP 3.3.3.3:

$ python dyn_address_group.py -u apache 10.0.0.1 admin password 3.3.3.3

Clear all tags from all IPs in vsys2:

$ python dyn_address_group_vsys.py -s vsys2 -c 10.0.0.1 admin password notused notused

View the code in dyn_address_group.py

ensure_security_rule.py

Ensure that the specified security rule is present on the firewall.

Note: Please update the hostname / auth credentials variables before running.

This script prints all the security rules connected to the firewall, then checks that the desired rule is present. If it is, the script ends. If not, the rule is created and then a commit is performed.

View the code in ensure_security_rule.py
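
The check-then-create flow described for ensure_security_rule.py, written out as an added example (this is not the project's script). It reads the hostname and credentials from the environment or a prompt instead of variables edited into the file. The environment variable names, the rule name and the zone names are assumptions made for this example.

```python
import getpass
import os


def load_credentials(env=os.environ, prompt=getpass.getpass):
    """Return (hostname, username, password) without hard-coding them.
    PANOS_HOST, PANOS_USER and PANOS_PASS are names assumed for this example.
    """
    host, user = env["PANOS_HOST"], env["PANOS_USER"]
    # Fall back to an interactive prompt so the secret need not be stored.
    password = env.get("PANOS_PASS") or prompt("Password for %s@%s: " % (user, host))
    return host, user, password


def ensure_security_rule(fw, rulebase, existing, desired):
    """Create `desired` and commit only if no rule with its name exists.
    `existing` is the list returned by SecurityRule.refreshall(rulebase).
    Returns True if the firewall was changed, False if nothing was needed.
    """
    for rule in existing:
        print("- %s" % rule.name)
    if any(rule.name == desired.name for rule in existing):
        return False
    rulebase.add(desired)  # attach the new rule to the object tree
    desired.create()       # write it to the candidate configuration
    fw.commit(sync=True)   # activate it; waits for the commit job
    return True


def main():
    # Imported here so the functions above can be tested without a device.
    from panos.firewall import Firewall
    from panos.policies import Rulebase, SecurityRule

    fw = Firewall(*load_credentials())
    rulebase = fw.add(Rulebase())
    existing = SecurityRule.refreshall(rulebase)
    # Constructed sample rule; zone names and rule name are placeholders.
    desired = SecurityRule(
        name="block-ssh-inbound", fromzone=["untrust"], tozone=["trust"],
        source=["any"], destination=["any"], application=["ssh"],
        service=["application-default"], action="deny",
    )
    changed = ensure_security_rule(fw, rulebase, existing, desired)
    print("rule created and committed" if changed else "rule already present")


if __name__ == "__main__":
    main()
```

Because the function returns without calling commit when the rule already exists, running it repeatedly leaves a compliant firewall untouched.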