Set up your python environment

  1. Install pan-python
  2. Clone or install pan-os-python
  3. Run a script

For example:

pip install pan-python
git clone https://github.com/PaloAltoNetworks/pan-os-python
cd panos/examples
python example.py -h

Replace example.py with the name of the script to run.

Example scripts


This script upgrades a Palo Alto Networks firewall or Panorama to the specified version. It takes care of all intermediate upgrades and reboots.


upgrade.py [-h] [-v] [-q] [-n] hostname username password version


Upgrade a firewall at to PAN-OS 7.0.0:

$ python upgrade.py admin password 7.0.0

Upgrade a Panorama at to the latest Panorama version:

$ python upgrade.py admin password latest

View the code in upgrade.py


Update User-ID by adding or removing a user-to-ip mapping on the firewall


userid.py [-h] [-v] [-q] hostname username password action user ip


Send a User-ID login event to a firewall at

$ python userid.py admin password login exampledomain/user1

Send a User-ID logout event to a firewall at

$ python userid.py admin password logout user2

View the code in userid.py


Tag/untag ip addresses for Dynamic Address Groups on a firewall


dyn_address_group.py [-h] [-v] [-q] [-u] [-c] hostname username password ip tags


Tag the IP with the tag ‘linux’ and ‘apache’:

$ python dyn_address_group.py -r linux,apache admin password

Remove the tag apache from the IP

$ python dyn_address_group.py -u linux admin password

Clear all tags from all IP’s in vsys2:

$ python dyn_address_group_vsys.py -s vsys2 -c admin password notused notused

View the code in dyn_address_group.py


Ensure that specified security rule is on the firewall.

Note: Please update the hostname / auth credentials variables before running.

This script prints all the security rules connected to the firewall, then checks to make sure that the desired rule is present. If it is there, then the script ends. If not, it is created, and then a commit is performed.

View the code in ensure_security_rule.py