Module: network

Inheritance diagram

Inheritance diagram of pandevice.network

Configuration tree diagram

digraph configtree { graph [rankdir=LR, fontsize=10, margin=0.001]; node [shape=box, fontsize=10, height=0.001, margin=0.1, ordering=out]; AggregateInterface [style=filled fillcolor=lightcyan URL="../module-network.html#pandevice.network.AggregateInterface" target="_top"]; Arp [style=filled fillcolor=lightcyan URL="../module-network.html#pandevice.network.Arp" target="_top"]; AggregateInterface -> Arp; IPv6Address [style=filled fillcolor=lightcyan URL="../module-network.html#pandevice.network.IPv6Address" target="_top"]; AggregateInterface -> IPv6Address; Layer2Subinterface [style=filled fillcolor=lightcyan URL="../module-network.html#pandevice.network.Layer2Subinterface" target="_top"]; AggregateInterface -> Layer2Subinterface; Layer3Subinterface [style=filled fillcolor=lightcyan URL="../module-network.html#pandevice.network.Layer3Subinterface" target="_top"]; AggregateInterface -> Layer3Subinterface; Bgp [style=filled fillcolor=lightcyan URL="../module-network.html#pandevice.network.Bgp" target="_top"]; BgpAuthProfile [style=filled fillcolor=lightcyan URL="../module-network.html#pandevice.network.BgpAuthProfile" target="_top"]; Bgp -> BgpAuthProfile; BgpDampeningProfile [style=filled fillcolor=lightcyan URL="../module-network.html#pandevice.network.BgpDampeningProfile" target="_top"]; Bgp -> BgpDampeningProfile; BgpPeerGroup [style=filled fillcolor=lightcyan URL="../module-network.html#pandevice.network.BgpPeerGroup" target="_top"]; Bgp -> BgpPeerGroup; BgpPolicyAggregationAddress [style=filled fillcolor=lightcyan URL="../module-network.html#pandevice.network.BgpPolicyAggregationAddress" target="_top"]; Bgp -> BgpPolicyAggregationAddress; BgpPolicyConditionalAdvertisement [style=filled fillcolor=lightcyan URL="../module-network.html#pandevice.network.BgpPolicyConditionalAdvertisement" target="_top"]; Bgp -> BgpPolicyConditionalAdvertisement; BgpPolicyExportRule [style=filled fillcolor=lightcyan URL="../module-network.html#pandevice.network.BgpPolicyExportRule" target="_top"]; Bgp -> BgpPolicyExportRule; BgpPolicyImportRule [style=filled fillcolor=lightcyan URL="../module-network.html#pandevice.network.BgpPolicyImportRule" target="_top"]; Bgp -> BgpPolicyImportRule; BgpRedistributionRule [style=filled fillcolor=lightcyan URL="../module-network.html#pandevice.network.BgpRedistributionRule" target="_top"]; Bgp -> BgpRedistributionRule; BgpRoutingOptions [style=filled fillcolor=lightcyan URL="../module-network.html#pandevice.network.BgpRoutingOptions" target="_top"]; Bgp -> BgpRoutingOptions; BgpPeer [style=filled fillcolor=lightcyan URL="../module-network.html#pandevice.network.BgpPeer" target="_top"]; BgpPeerGroup -> BgpPeer; BgpPolicyAdvertiseFilter [style=filled fillcolor=lightcyan URL="../module-network.html#pandevice.network.BgpPolicyAdvertiseFilter" target="_top"]; BgpPolicyAddressPrefix [style=filled fillcolor=lightcyan URL="../module-network.html#pandevice.network.BgpPolicyAddressPrefix" target="_top"]; BgpPolicyAdvertiseFilter -> BgpPolicyAddressPrefix; BgpPolicyAggregationAddress -> BgpPolicyAdvertiseFilter; BgpPolicySuppressFilter [style=filled fillcolor=lightcyan URL="../module-network.html#pandevice.network.BgpPolicySuppressFilter" target="_top"]; BgpPolicyAggregationAddress -> BgpPolicySuppressFilter; BgpPolicyConditionalAdvertisement -> BgpPolicyAdvertiseFilter; BgpPolicyNonExistFilter [style=filled fillcolor=lightcyan URL="../module-network.html#pandevice.network.BgpPolicyNonExistFilter" target="_top"]; BgpPolicyConditionalAdvertisement -> BgpPolicyNonExistFilter; BgpPolicyExportRule -> BgpPolicyAddressPrefix; BgpPolicyImportRule -> BgpPolicyAddressPrefix; BgpPolicyNonExistFilter -> BgpPolicyAddressPrefix; BgpPolicySuppressFilter -> BgpPolicyAddressPrefix; BgpOutboundRouteFilter [style=filled fillcolor=lightcyan URL="../module-network.html#pandevice.network.BgpOutboundRouteFilter" target="_top"]; BgpRoutingOptions -> BgpOutboundRouteFilter; EthernetInterface [style=filled fillcolor=lightcyan URL="../module-network.html#pandevice.network.EthernetInterface" target="_top"]; EthernetInterface -> Arp; EthernetInterface -> IPv6Address; EthernetInterface -> Layer2Subinterface; EthernetInterface -> Layer3Subinterface; IpsecTunnel [style=filled fillcolor=lightcyan URL="../module-network.html#pandevice.network.IpsecTunnel" target="_top"]; IpsecTunnelIpv4ProxyId [style=filled fillcolor=lightcyan URL="../module-network.html#pandevice.network.IpsecTunnelIpv4ProxyId" target="_top"]; IpsecTunnel -> IpsecTunnelIpv4ProxyId; IpsecTunnelIpv6ProxyId [style=filled fillcolor=lightcyan URL="../module-network.html#pandevice.network.IpsecTunnelIpv6ProxyId" target="_top"]; IpsecTunnel -> IpsecTunnelIpv6ProxyId; Layer3Subinterface -> Arp; Layer3Subinterface -> IPv6Address; LoopbackInterface [style=filled fillcolor=lightcyan URL="../module-network.html#pandevice.network.LoopbackInterface" target="_top"]; LoopbackInterface -> IPv6Address; Ospf [style=filled fillcolor=lightcyan URL="../module-network.html#pandevice.network.Ospf" target="_top"]; OspfArea [style=filled fillcolor=lightcyan URL="../module-network.html#pandevice.network.OspfArea" target="_top"]; Ospf -> OspfArea; OspfAuthProfile [style=filled fillcolor=lightcyan URL="../module-network.html#pandevice.network.OspfAuthProfile" target="_top"]; Ospf -> OspfAuthProfile; OspfExportRules [style=filled fillcolor=lightcyan URL="../module-network.html#pandevice.network.OspfExportRules" target="_top"]; Ospf -> OspfExportRules; OspfAreaInterface [style=filled fillcolor=lightcyan URL="../module-network.html#pandevice.network.OspfAreaInterface" target="_top"]; OspfArea -> OspfAreaInterface; OspfNssaExternalRange [style=filled fillcolor=lightcyan URL="../module-network.html#pandevice.network.OspfNssaExternalRange" target="_top"]; OspfArea -> OspfNssaExternalRange; OspfRange [style=filled fillcolor=lightcyan URL="../module-network.html#pandevice.network.OspfRange" target="_top"]; OspfArea -> OspfRange; OspfNeighbor [style=filled fillcolor=lightcyan URL="../module-network.html#pandevice.network.OspfNeighbor" target="_top"]; OspfAreaInterface -> OspfNeighbor; OspfAuthProfileMd5 [style=filled fillcolor=lightcyan URL="../module-network.html#pandevice.network.OspfAuthProfileMd5" target="_top"]; OspfAuthProfile -> OspfAuthProfileMd5; TunnelInterface [style=filled fillcolor=lightcyan URL="../module-network.html#pandevice.network.TunnelInterface" target="_top"]; TunnelInterface -> IPv6Address; VirtualRouter [style=filled fillcolor=lightcyan URL="../module-network.html#pandevice.network.VirtualRouter" target="_top"]; VirtualRouter -> Bgp; VirtualRouter -> Ospf; RedistributionProfile [style=filled fillcolor=lightcyan URL="../module-network.html#pandevice.network.RedistributionProfile" target="_top"]; VirtualRouter -> RedistributionProfile; RedistributionProfileIPv6 [style=filled fillcolor=lightcyan URL="../module-network.html#pandevice.network.RedistributionProfileIPv6" target="_top"]; VirtualRouter -> RedistributionProfileIPv6; StaticRoute [style=filled fillcolor=lightcyan URL="../module-network.html#pandevice.network.StaticRoute" target="_top"]; VirtualRouter -> StaticRoute; StaticRouteV6 [style=filled fillcolor=lightcyan URL="../module-network.html#pandevice.network.StaticRouteV6" target="_top"]; VirtualRouter -> StaticRouteV6; Vlan [style=filled fillcolor=lightcyan URL="../module-network.html#pandevice.network.Vlan" target="_top"]; StaticMac [style=filled fillcolor=lightcyan URL="../module-network.html#pandevice.network.StaticMac" target="_top"]; Vlan -> StaticMac; VlanInterface [style=filled fillcolor=lightcyan URL="../module-network.html#pandevice.network.VlanInterface" target="_top"]; VlanInterface -> Arp; VlanInterface -> IPv6Address; }

Class Reference

Network module contains objects that exist in the ‘Network’ tab in the firewall GUI

class pandevice.network.AbstractSubinterface(name, tag, parent=None)[source]

When a subinterface is needed, but the layer is unknown

Kindof like a placeholder or reference for a Layer2Subinterface or Layer3Subinterface. This class gets a parent which is the ethernet or aggregate interface, but it should not be added to the parent interface with add().

Parameters:
  • name (str) – Name of the interface (eg. ethernet1/1.5)
  • tag (int) – Tag for the interface, aka vlan id
  • parent (Interface) – The base interface for this subinterface
delete()[source]

Deletes both Layer3 and Layer2 subinterfaces by name

This is necessary because an AbstractSubinterface’s mode is unknown.

get_layered_subinterface(mode, add=True)[source]

Instantiate a regular subinterface type from this AbstractSubinterface

Converts an abstract subinterface to a real subinterface by offering it a mode.

Parameters:
  • mode (str) – Mode of the subinterface (‘layer3’ or ‘layer2’)
  • add (bool) – Add the newly instantiated subinterface to the base interface object
Returns:

A pandevice.network.Layer3Subinterface or pandevice.network.Layer2Subinterface instance, depending on the mode argument

Return type:

Subinterface

nearest_pandevice()[source]

The PanDevice parent for this instance

Returns:Parent PanDevice instance (Firewall or Panorama)
Return type:PanDevice
set_name()[source]

Create a name appropriate for a subinterface if it isn’t already created

Example

If self.name is ‘ethernet1/1’ and self.tag is 5, this method will change the name to ‘ethernet1/1.5’.

set_virtual_router(virtual_router_name, refresh=False, update=False, running_config=False)[source]

Set the virtual router for this interface

Creates a reference to this interface in the specified virtual router and removes references to this interface from all other virtual routers. The virtual router will be created if it doesn’t exist.

Parameters:
  • virtual_router_name (str) – The name of the VirtualRouter or a pandevice.network.VirtualRouter instance
  • refresh (bool) – Refresh the relevant current state of the device before taking action (Default: False)
  • update (bool) – Apply the changes to the device (Default: False)
  • running_config – If refresh is True, refresh from the running configuration (Default: False)
Returns:

The zone for this interface after the operation completes

Return type:

Zone

class pandevice.network.AggregateInterface(*args, **kwargs)[source]

Aggregate interface (eg. ‘ae1’)

Parameters:
  • name (str) – Name of interface (eg. ‘ae1’)
  • mode (str) –
    Mode of the interface:
    • layer3
    • layer2
    • virtual-wire
    • ha

    Not all modes apply to all interface types (Default: layer3)

  • ip (tuple) – Layer3: Interface IPv4 addresses
  • ipv6_enabled (bool) – Layer3: IPv6 Enabled (requires IPv6Address child object)
  • management_profile (ManagementProfile) – Layer3: Interface Management Profile
  • mtu (int) – Layer3: MTU for interface
  • adjust_tcp_mss (bool) – Layer3: Adjust TCP MSS
  • netflow_profile (NetflowProfile) – Netflow profile
  • lldp_enabled (bool) – Enable LLDP
  • lldp_profile (str) – Reference to an lldp profile
  • comment (str) – The interface’s comment
  • ipv4_mss_adjust (int) – Layer3: TCP MSS adjustment for ipv4
  • ipv6_mss_adjust (int) – Layer3: TCP MSS adjustment for ipv6
  • enable_dhcp (bool) – Enable DHCP on this interface
  • create_dhcp_default_route (bool) – Layer3: Create default route pointing to default gateway provided by server
  • dhcp_default_route_metric (int) – Layer3: Metric for the DHCP default route
  • lacp_enable (bool) – Enables LACP
  • lacp_passive_pre_negotiation (bool) – Enable LACP passive pre-negotiation, off by default
  • lacp_rate (str) – Set LACP transmission-rate to ‘fast’ or ‘slow’
  • lacp_mode (str) – Set LACP mode to ‘active’ or ‘passive’
class pandevice.network.Arp(*args, **kwargs)[source]

Static ARP Mapping

Can be added to various interfaces.

Parameters:
  • ip (str) – The IP address
  • hw_address (str) – The MAC address for the static ARP
  • interface (str) – The interface (when attached to VlanInterface only)
class pandevice.network.Bgp(*args, **kwargs)[source]

BGP Process

Parameters:
  • enable (bool) – Enable BGP (Default: True)
  • router_id (str) – Router ID in IP format (eg. 1.1.1.1)
  • reject_default_route (bool) – Reject default route
  • allow_redist_default_route (bool) – Allow redistribution in default route
  • install_route (bool) – Populate BGP learned route to global route table
  • ecmp_multi_as (bool) – Support multiple AS in ECMP
  • enforce_first_as (bool) – Enforce First AS for EBGP
  • local_as (int) – local AS number
  • global_bfd_profile (str) – BFD Profile
class pandevice.network.BgpAuthProfile(*args, **kwargs)[source]

BGP Authentication Profile

Parameters:
  • name (str) – Name of Auth Profile
  • secret (str) – shared secret for the TCP MD5 authentication.
class pandevice.network.BgpDampeningProfile(*args, **kwargs)[source]

BGP Dampening Profile

Parameters:
  • name (str) – Name of Dampening Profile
  • enable (bool) – Enable profile (Default: True)
  • cutoff (float) – Cutoff threshold value
  • reuse (float) – Reuse threshold value
  • max_hold_time (int) – Maximum of hold-down time (in seconds)
  • decay_half_life_reachable (int) – Decay half-life while reachable (in seconds)
  • decay_half_life_unreachable (int) – Decay half-life while unreachable (in seconds)
class pandevice.network.BgpOutboundRouteFilter(*args, **kwargs)[source]

BGP Outbound Route Filtering

NOTE: This functionality is not enabled yet in PanOS

Parameters:
  • enable (bool) – enable prefix-based outbound route filtering.
  • max_recieved_entries (int) – maximum of ORF prefixes to receive.
  • cisco_prefix_mode (bool) – ORF vendor-compatible mode
class pandevice.network.BgpPeer(*args, **kwargs)[source]

BGP Peer

Parameters:
  • name (str) – Name of BGP Peer
  • enable (bool) – Enable Peer (Default: True)
  • peer_as (str) – peer AS number
  • enable_mp_bgp (bool) – enable MP-BGP extentions
  • address_family_identifier (str) – peer address family type * ipv4 * ipv6
  • subsequent_address_unicast (bool) – select SAFI for this peer
  • subsequent_address_multicast (bool) – select SAFI for this peer
  • local_interface (str) – interface to accept BGP session
  • local_interface_ip (str) – specify exact IP address if interface has multiple addresses
  • peer_address_ip (str) – IP address of peer
  • connection_authentication (str) – BGP auth profile name
  • connection_keep_alive_interval (int) – keep-alive interval (in seconds)
  • connection_min_route_adv_interval (int) – Minimum Route Advertisement Interval (in seconds)
  • connection_multihop (int) – IP TTL value used for sending BGP packet. set to 0 means eBGP use 2, iBGP use 255
  • connection_open_delay_time (int) – open delay time (in seconds)
  • connection_hold_time (int) – hold time (in seconds)
  • connection_idle_hold_time (int) – idle hold time (in seconds)
  • connection_incoming_allow (bool) – allow incoming connections
  • connection_outgoing_allow (bool) – allow outgoing connections
  • connection_incoming_remote_port (int) – restrict remote port for incoming BGP connections
  • connection_outgoing_local_port (int) – use specific local port for outgoing BGP connections
  • enable_sender_side_loop_detection (bool) –
  • reflector_client (str) –
    • non-client
    • client
    • meshed-client
  • peering_type (str) –
    • unspecified
    • bilateral
  • aggregated_confed_as_path (#) – this peer understands aggregated confederation AS path
  • max_prefixes (int) – maximum of prefixes to receive from peer
  • max_orf_entries (#) – maximum of ORF entries accepted from peer
  • soft_reset_with_stored_info (#) – soft reset with stored info
  • bfd_profile (str) – BFD configuration * Inherit-vr-global-setting * None * Pre-existing BFD profile name * None
class pandevice.network.BgpPeerGroup(*args, **kwargs)[source]

BGP Peer Group

Parameters:
  • name (str) – Name of BGP Peer Group
  • enable (bool) – Enable Peer Group (Default: True)
  • aggregated_confed_as_path (bool) – the peers understand aggregated confederation AS path
  • soft_reset_with_stored_info (bool) – soft reset with stored info
  • type (str) – peer group type I(‘ebgp’)/I(‘ibgp’)/I(‘ebgp-confed’)/I(‘ibgp-confed’)
  • export_nexthop (str) – export locally resolved nexthop I(‘resolve’)/I(‘use-self’)
  • import_nexthop (str) – override nexthop with peer address I(‘original’)/I(‘use-peer’), only with ‘ebgp’
  • remove_private_as (bool) – remove private AS when exporting route, only with ‘ebgp’
class pandevice.network.BgpPolicyAddressPrefix(*args, **kwargs)[source]

BGP Policy Address Prefix with Exact

Parameters:
  • name (str) – address prefix
  • exact (str) – match exact prefix length
class pandevice.network.BgpPolicyAdvertiseFilter(*args, **kwargs)[source]

BGP Policy Advertise Filter

** Most of the arguments are derived from the BgpPolicyFilter class

Args:

class pandevice.network.BgpPolicyAggregationAddress(*args, **kwargs)[source]

BGP Policy Aggregation Address

Parameters:
  • name (str) – Sddress prefix
  • enable (bool) – Enable aggregation for this prefix
  • prefix (str) – Aggregating address prefix
  • summary (bool) – Summarize route
  • as_set (bool) – Generate AS-set attribute
  • attr_local_preference (int) – New local preference value
  • attr_med (int) – New MED value
  • attr_weight (int) – New weight value
  • attr_nexthop (str) – Nexthop address
  • attr_origin (str) – New route origin * igp * egp * incomplete
  • attr_as_path_limit (int) – Add AS path limit attribute if it does not exist
  • attr_as_path_type (str) – AS path update options * none (string, not to be confused with the Python type None) * remove * prepend * remove-and-prepend
  • attr_as_path_prepend_times (int) – Prepend local AS for specified number of times * only valid when attr_as_path_type is ‘prepend’ or ‘remove-and-prepend’
  • attr_community_type (str) – Community update options * none (string, not to be confused with the Python type None) * remove-all * remove-regex * append * overwrite
  • attr_community_argument (str) – Argument to the attr community value if needed * None * local-as * no-advertise * no-export * nopeer * regex * 32-bit value * AS:VAL
  • attr_extended_community_type (str) – Extended community update options * none (string, not to be confused with the Python type None) * remove-all * remove-regex * append * overwrite
  • attr_extended_community_argument (str) – Argument to the attr extended community value if needed
class pandevice.network.BgpPolicyConditionalAdvertisement(*args, **kwargs)[source]

BGP Conditional Advertisement Policy

Parameters:
  • name (str) – Name of Conditional Advertisement Policy
  • enable (bool) – enable prefix-based outbound route filtering.
  • used_by (list) – peer-groups that use this rule.
class pandevice.network.BgpPolicyExportRule(*args, **kwargs)[source]

BGP Policy Export Rule

** Most of the arguments are derived from the BgpPolicyRule class
See the arguments listed there for the full list shared between the BgpPolicyImportRule and BgpPolicyExportRule classes

Args:

class pandevice.network.BgpPolicyFilter(*args, **kwargs)[source]

Base class for BGP Policy Match Filters

Do not instantiate this class, use one of:
  • BgpPolicyImportRule
  • BgpPolicyExportRule
Parameters:
  • name (str) – Name of filter
  • enable (bool) – Enable rule.
  • match_afi (str) – Address Family Identifier * ip * ipv6
  • match_safi (str) – Subsequent Address Family Identifier * ip * ipv6
  • match_route_table (str) – Route table to match rule * unicast * multicast * both
  • match_nexthop (list) – Next-hop attributes
  • match_from_peer (list) – Filter by peer that sent this route
  • match_med (int) – Multi-Exit Discriminator
  • match_as_path_regex (str) – AS-path regular expression
  • match_community_regex (str) – Community AS-path regular expression
  • match_extended_community_regex (str) – Extended Community AS-path regular expression
class pandevice.network.BgpPolicyImportRule(*args, **kwargs)[source]

BGP Policy Import Rule

** Most of the arguments are derived from the BgpPolicyRule class
See the arguments listed there for the full list shared between the BgpPolicyImportRule and BgpPolicyExportRule classes
Parameters:
  • action_dampening (str) – Route flap dampening profile
  • action_weight (int) – New weight value
class pandevice.network.BgpPolicyNonExistFilter(*args, **kwargs)[source]

BGP Policy Non-Exist Filter

** Most of the arguments are derived from the BgpPolicyFilter class

Args:

class pandevice.network.BgpPolicyRule(*args, **kwargs)[source]

Base class for BGP Policy Import/Export Rules

Do not instantiate this class, use one of:
  • BgpPolicyImportRule
  • BgpPolicyExportRule
Parameters:
  • enable (bool) – Enable rule.
  • used_by (list) – Peer-groups that use this rule.
  • match_afi (str) – Address Family Identifier * ip * ipv6
  • match_safi (str) – Subsequent Address Family Identifier * ip * ipv6
  • match_route_table (str) – Route table to match rule * unicast * multicast * both
  • match_nexthop (list) – Next-hop attributes
  • match_from_peer (list) – Filter by peer that sent this route
  • match_med (int) – Multi-Exit Discriminator
  • match_as_path_regex (str) – AS-path regular expression
  • match_community_regex (str) – AS-path regular expression
  • match_extended_community_regex (str) – AS-path regular expression
  • action_local_preference (int) – New local preference value
  • action_med (int) – New MED value
  • action_nexthop (str) – Nexthop address
  • action_origin (str) – New route origin * igp * egp * incomplete
  • action_as_path_limit (int) – Add AS path limit attribute if it does not exist
  • action_as_path_type (str) – AS path update options * none (string, not to be confused with the Python type None) * remove * prepend * remove-and-prepend
  • action_as_path_prepend_times (int) – Prepend local AS for specified number of times * only valid when action_as_path_type is ‘prepend’ or ‘remove-and-prepend’
  • action_community (str) – Community update options * none (string, not to be confused with the Python type None) * remove-all * remove-regex * append * overwrite
  • action_community_argument (str) – Argument to the action community value if needed * None * local-as * no-advertise * no-export * nopeer * regex * 32-bit value * AS:VAL
  • action_extended_community (str) – Extended community update options * none (string, not to be confused with the Python type None) * remove-all * remove-regex * append * overwrite
  • action_extended_community_argument (str) – Argument to the action extended community value if needed
class pandevice.network.BgpPolicySuppressFilter(*args, **kwargs)[source]

BGP Policy Suppress Filter

** Most of the arguments are derived from the BgpPolicyFilter class

Args:

class pandevice.network.BgpRedistributionRule(*args, **kwargs)[source]

BGP Policy Address Prefix with Exact

Parameters:
  • name (str) – Redistribution profile name
  • enable (bool) – Enable redistribution rule.
  • address_family_identifier (str) – Select redistribution profile type * ipv4 * ipv6
  • route_table (str) – Select destination SAFI for redistribution * unicast * multicast * both
  • set_origin (str) – Add the ORIGIN path attribute * igp * egp * incomplete
  • set_med (int) – Add the MULTI_EXIT_DISC path attribute
  • set_local_preference (int) – Add the LOCAL_PREF path attribute
  • set_as_path_limit (int) – Add the AS_PATHLIMIT path attribute
  • set_community (list) – Add the COMMUNITY path attribute
  • set_extended_community (list) – Add the EXTENDED COMMUNITY path attribute
  • metric (int) – Metric value
class pandevice.network.BgpRoutingOptions(*args, **kwargs)[source]

BGP Routing Options

Parameters:
  • as_format (str) – AS format (‘2-byte’/‘4-byte’)
  • always_compare_med (bool) – always compare MEDs
  • deterministic_med_comparison (bool) – deterministic MEDs comparison
  • default_local_preference (int) – default local preference
  • graceful_restart_enable (bool) – enable graceful restart
  • gr_stale_route_time (int) – time to remove stale routes after peer restart (in seconds)
  • gr_local_restart_time (int) – local restart time to advertise to peer (in seconds)
  • gr_max_peer_restart_time (int) – maximum of peer restart time accepted (in seconds)
  • reflector_cluster_id (str) – route reflector cluster ID
  • confederation_member_as (str) – 32-bit value in decimal or dot decimal AS.AS format
  • aggregate_med (bool) – aggregate route only if they have same MED attributes
class pandevice.network.EthernetInterface(*args, **kwargs)[source]

Ethernet interface (eg. ‘ethernet1/1’)

Parameters:
  • name (str) – Name of interface (eg. ‘ethernet1/1’)
  • mode (str) –
    Mode of the interface:
    • layer3
    • layer2
    • virtual-wire
    • tap
    • ha
    • decrypt-mirror
    • aggregate-group

    Not all modes apply to all interface types (Default: layer3)

  • ip (tuple) – Layer3: Interface IPv4 addresses
  • ipv6_enabled (bool) – Layer3: IPv6 Enabled (requires IPv6Address child object)
  • management_profile (ManagementProfile) – Layer3: Interface Management Profile
  • mtu (int) – Layer3: MTU for interface
  • adjust_tcp_mss (bool) – Layer3: Adjust TCP MSS
  • netflow_profile (NetflowProfile) – Netflow profile
  • lldp_enabled (bool) – Layer2: Enable LLDP
  • lldp_profile (str) – Layer2: Reference to an lldp profile
  • netflow_profile_l2 (NetflowProfile) – Netflow profile
  • link_speed (str) – Link speed: eg. auto, 10, 100, 1000
  • link_duplex (str) – Link duplex: eg. auto, full, half
  • link_state (str) – Link state: eg. auto, up, down
  • aggregate_group (str) – Aggregate interface (eg. ae1)
  • comment (str) – The interface’s comment
  • ipv4_mss_adjust (int) – (PAN-OS 7.1+) TCP MSS adjustment for ipv4
  • ipv6_mss_adjust (int) – (PAN-OS 7.1+) TCP MSS adjustment for ipv6
  • enable_dhcp (bool) – Enable DHCP on this interface
  • create_dhcp_default_route (bool) – Create default route pointing to default gateway provided by server
  • dhcp_default_route_metric (int) – Metric for the DHCP default route
  • enable_untagged_subinterface (bool) – (PAN-OS 7.1+) Enable untagged subinterface
  • decrypt_forward (bool) – (PAN-OS 8.1+) Decrypt forward.
  • rx_policing_rate (int) – (PAN-OS 8.1+) Receive policing rate
  • tx_policing_rate (int) – (PAN-OS 8.1+) Transmit policing rate
  • dhcp_send_hostname_enable (bool) – Enable send firewall or custom hostname to DHCP server
  • dhcp_send_hostname_value (string) – Set interface hostname
class pandevice.network.GreTunnel(*args, **kwargs)[source]

GRE Tunnel configuration.

Note: This is valid for PAN-OS 9.0+

Parameters:
  • name – GRE tunnel name.
  • interface – Interface to terminate tunnel.
  • local_address_type – Type of local address. Can be “ip” (default) or “floating-ip”.
  • local_address_value – IP address value.
  • peer_address – Peer IP address.
  • tunnel_interface – To apply GRE tunnels to tunnel interface.
  • ttl (int) – TTL.
  • copy_tos (bool) – Copy IP TOS bits from inner packet to GRE packet.
  • enable_keep_alive (bool) – Enable tunnel monitoring.
  • keep_alive_interval (int) – Interval.
  • keep_alive_retry (int) – Retry.
  • keep_alive_hold_timer (int) – Hold timer.
  • disabled (bool) – Disable the GRE tunnel.
class pandevice.network.IPv6Address(*args, **kwargs)[source]

IPv6 Address

Can be added to any pandevice.network.Interface subclass that supports IPv6.

Parameters:
  • enabled-on-interface (bool) – Enabled IPv6 on the interface this object was added to
  • prefix (bool) – Use interface ID as host portion
  • anycast (bool) – Enable anycast
  • advertise_enabled (bool) – Enabled router advertisements
  • valid_lifetime (int) – Valid lifetime
  • onlink_flag (bool) –
  • auto_config_flag (bool) –
class pandevice.network.IkeCryptoProfile(*args, **kwargs)[source]

IKE SA proposal.

Parameters:
  • name – IKE crypto profile name
  • dh_group (string/list) – phase-1 DH group: group1, group2, group5, group14, group19 (7.0+), or group20 (7.0+).
  • authentication (string/list) – hashing algorithm: md5, sha1, sha256, sha384, or sha512.
  • encryption (string/list) – encryption algorithm: des (7.1+), 3des, aes128 / aes-128-cbc, aes192 / aes-192-cbc, or aes256 / aes-256-cbc. If you need to be able to work with older than 7.0 firewalls, then use set_encryption().
  • lifetime_seconds (int) – IKE SA lifetime in seconds
  • lifetime_minutes (int) – IKE SA lifetime in minutes
  • lifetime_hours (int) – IKE SA lifetime in hours
  • lifetime_days (int) – IKE SA lifetime in days
  • authentication_multiple (int) – (7.0+) IKEv2 SA reauthentication interval equals authentication_multiple * lifetime; 0 means reauthentication is disabled.
set_encryption(value)[source]

Version agnostic set for encryption.

This object should be connected to a pandevice.Firewall before invocation.

Valid values include the following:
  • des (7.1+)
  • 3des
  • aes128
  • aes-128-cbc
  • aes192
  • aes-192-cbc
  • aes256
  • aes-256-cbc
Raises:
  • PanDeviceNotSet – if there is no Firewall in the object tree
  • ValueError – if value is not one of the above, or you attempt to configure 3des with this object connected to a PANOS 7.0 or earlier firewall.
class pandevice.network.IkeGateway(*args, **kwargs)[source]

IKE Gateway.

Parameters:
  • name – IKE gateway name
  • version – (7.0+) ikev1, ikev2, or ikev2-prefered (default: ikev1)
  • enable_ipv6 (bool) – (7.0+) enable IPv6
  • disabled (bool) – (7.0+) disable this object
  • peer_ip_type – ip or dynamic (default: ip)
  • peer_ip_value – the IP for peer_ip_type of ‘ip’
  • interface – local gateway end-point
  • local_ip_address_type – ip or floating-ip
  • local_ip_address – IP address if interface has multiple addresses
  • auth_type – pre-shared-key or certificate (default: pre-shared-key)
  • pre_shared_key – The string used as pre-shared key
  • local_id_type – ipaddr, fqdn, ufqdn, keyid, or dn
  • local_id_value – The value for local_id_type
  • peer_id_type – ipaddr, fqdn, ufqdn, keyid, or dn
  • peer_id_value – The value for peer_id_type
  • peer_id_check – exact or wildcard (default: exact)
  • local_cert – Local certificate name
  • cert_enable_hash_and_url (bool) – (7.0+) Use hash-and-url for local certificate.
  • cert_base_url – (7.0+) The host and directory part of URL for local certificates (http only).
  • cert_use_management_as_source (bool) – (7.0+) Use management interface IP as source to retrieve http certificates
  • cert_permit_payload_mismatch (bool) – Permit peer identification and certificate payload identification mismatch.
  • cert_profile – Local certificate name
  • cert_enable_strict_validation (bool) – Enable strict valication of peer’s extended key use
  • enable_passive_mode (bool) – Enable passive mode (responder only)
  • enable_nat_traversal (bool) – Enable NAT traversal
  • nat_traversal_keep_alive (int) – sending interval for NAT keep-alive packets (in seconds)
  • nat_traversal_enable_udp_checksum (bool) – enable UDP checksum
  • enable_fragmentation (bool) – Enable IKE fragmentation
  • ikev1_exchange_mode – auto, main, or aggressive
  • ikev1_crypto_profile – IKE SA crypto oprofile name
  • enable_dead_peer_detection (bool) – enable Dead-Peer-Detection
  • dead_peer_detection_interval (int) – sending interval for probing packets (in seconds)
  • dead_peer_detection_retry (int) – number of retries before disconnection
  • ikev1_send_commit_bit (bool) – Send commit bit
  • ikev1_initial_contact (bool) – send initial contact
  • ikev2_crypto_profile – (7.0+) IKE SE crypto profile name
  • ikev2_cookie_valication (bool) – (7.0+) require cookie
  • ikev2_send_peer_id (bool) – (7.0+) send peer ID
  • enable_liveness_check (bool) – (7.0+) enable sending empty information liveness check message
  • liveness_check_interval (int) – (7.0+) delay interval before sending probing packets (in seconds)
class pandevice.network.Interface(*args, **kwargs)[source]

Base class for all interfaces

Do not instantiate this object. Use a subclass. Methods in this class are available to all interface subclasses.

Parameters:
  • name (str) – Name of the interface
  • state (str) – Link state, ‘up’ or ‘down’
full_delete(refresh=False, delete_referencing_objects=False, include_vsys=False)[source]

Delete the interface and all references to the interface

Often when deleting an interface there is an API error because there are still references to the interface from zones, virtual-router, vsys, etc. This method deletes all references to the interface before deleting the interface itself.

Parameters:
  • refresh (bool) – Refresh the current state of the device before taking action
  • delete_referencing_objects (bool) – Delete the entire object that references this interface
get_counters()[source]

Pull the counters for an interface

Returns:
counter name as key, counter as value, None if interface is
not configured
Return type:dict
refresh_state()[source]

Pull the state of the interface from the firewall

The attribute ‘state’ is populated with the current state from the firewall.

Returns:The current state from the firewall
Return type:str
set_virtual_router(virtual_router_name, refresh=False, update=False, running_config=False, return_type='object')[source]

Set the virtual router for this interface

Creates a reference to this interface in the specified virtual router and removes references to this interface from all other virtual routers. The virtual router will be created if it doesn’t exist.

Parameters:
  • virtual_router_name (str) – The name of the VirtualRouter or a pandevice.network.VirtualRouter instance
  • refresh (bool) – Refresh the relevant current state of the device before taking action (Default: False)
  • update (bool) – Apply the changes to the device (Default: False)
  • running_config – If refresh is True, refresh from the running configuration (Default: False)
  • return_type (str) – Specify what this function returns, can be either ‘object’ (the default) or ‘bool’. If this is ‘object’, then the return value is the VirtualRouter in question. If this is ‘bool’, then the return value is a boolean that tells you about if the live device needs updates (update=False) or was updated (update=True).
Returns:

The zone for this interface after the operation completes

Return type:

Zone

set_vlan(vlan_name, refresh=False, update=False, running_config=False, return_type='object')[source]

Set the vlan for this interface

Creates a reference to this interface in the specified vlan and removes references to this interface from all other interfaces. The vlan will be created if it doesn’t exist.

Parameters:
  • vlan_name (str) – The name of the vlan or a pandevice.network.Vlan instance
  • refresh (bool) – Refresh the relevant current state of the device before taking action (Default: False)
  • update (bool) – Apply the changes to the device (Default: False)
  • running_config – If refresh is True, refresh from the running configuration (Default: False)
  • return_type (str) – Specify what this function returns, can be either ‘object’ (the default) or ‘bool’. If this is ‘object’, then the return value is the Vlan in question. If this is ‘bool’, then the return value is a boolean that tells you about if the live device needs updates (update=False) or was updated (update=True).
Raises:

AttributeError – if this class is not allowed to use this function.

Returns:

The VLAN for this interface after the operation completes

Return type:

Vlan

set_zone(zone_name, mode=None, refresh=False, update=False, running_config=False, return_type='object')[source]

Set the zone for this interface

Creates a reference to this interface in the specified zone and removes references to this interface from all other zones. The zone will be created if it doesn’t exist.

Parameters:
  • zone_name (str) – The name of the Zone or a pandevice.network.Zone instance
  • mode (str) – The mode of the zone. See pandevice.network.Zone for possible values
  • refresh (bool) – Refresh the relevant current state of the device before taking action (Default: False)
  • update (bool) – Apply the changes to the device (Default: False)
  • running_config – If refresh is True, refresh from the running configuration (Default: False)
  • return_type (str) – Specify what this function returns, can be either ‘object’ (the default) or ‘bool’. If this is ‘object’, then the return value is the Zone in question. If this is ‘bool’, then the return value is a boolean that tells you about if the live device needs updates (update=False) or was updated (update=True).
Returns:

The zone for this interface after the operation completes

Return type:

Zone

up()[source]

Link state of interface

Returns:
True if state is ‘up’, False if state is ‘down’,
’unconfigured’ or other
Return type:bool
class pandevice.network.IpsecCryptoProfile(*args, **kwargs)[source]

IPSec SA proposals.

Parameters:
  • name – IPSec crypto profile name
  • esp_encryption (string/list) – des, 3des, null, aes128 / aes-128-cbc, aes192 / aes-192-cbc, aes256 / aes-256-cbc, aes-128-gcm (7.0+), or aes-256-gcm (7.0+). If you need to write a script that works older than 7.0 firewalls, then please use set_esp_encryption().
  • esp_authentication (string/list) – none, md5, sha1, sha256, sha384, or sha512
  • ah_authentication (string/list) – md5, sha1, sha256, sha384, or sha512
  • dh_group – no-pfs, group1, group2, group5, group14, group19, or group20
  • lifetime_seconds (int) – IPSec SA lifetime in seconds
  • lifetime_minutes (int) – IPSec SA lifetime in minutes
  • lifetime_hours (int) – IPSec SA lifetime in hours
  • lifetime_days (int) – IPSec SA lifetime in days
  • lifesize_kb (int) – IPSec SA lifesize in kilobytes (KB)
  • lifesize_mb (int) – IPSec SA lifesize in megabytes (MB)
  • lifesize_gb (int) – IPSec SA lifesize in gigabytes (GB)
  • lifesize_tb (int) – IPSec SA lifesize in terabytes (TB)
set_esp_encryption(value)[source]

Version agnostic set for esp_encryption.

This object should be connected to a pandevice.Firewall before invocation.

Valid values include the following:
  • des
  • 3des
  • aes128
  • aes-128-cbc
  • aes192
  • aes-192-cbc
  • aes256
  • aes-256-cbc
  • aes-128-gcm (7.0+)
  • aes-256-gcm (7.0+)
  • null
Parameters:

value (string/list) – values to put in esp_encryption

Raises:
  • PanDeviceNotSet – if there is no Firewall in the object tree
  • ValueError – if value is not one of the above, or you attempt to configure aes-128-gcm or aes-256-gcm with this object connected to a PANOS 6.1 firewall.
class pandevice.network.IpsecTunnel(*args, **kwargs)[source]

IPSec Tunnel

A large number of params have prefixes:
  • ak: Auto Key
  • mk: Manual Key
  • gps: GlobalProtect Satellite

Only attach IpsecTunnelIpv4ProxyId or IpsecTunnelIpv4ProxyId objects to this one if you are using type=’auto-key’.

Parameters:
  • name – IPSec tunnel name
  • tunnel_interface – apply IPSec VPN tunnels to tunnel interface
  • anti_replay (bool) – enable anti-replay check on this tunnel
  • ipv6 (bool) – (7.0+) use IPv6 for the IPSec tunnel
  • type – auto-key (default), manual-key, or global-protect-satellite
  • ak_ike_gateway (string/list) – IKE gateway name
  • ak_ipsec_crypto_profile – IPSec crypto profile name
  • mk_local_spi – outbound SPI in hex
  • mk_interface – interface to terminate tunnel
  • mk_remote_spi – inbound SPI in hex
  • mk_remote_address – tunnel peer IP address
  • mk_local_address_ip – exact IP address if interface has multiple IP addresses
  • mk_local_address_floating_ip – floating IP address in HA Active-Active configuration
  • mk_protocol – esp or ah
  • mk_auth_type – md5, sha1, sha256, sha384, or sha512
  • mk_auth_key – the key for the given mk_auth_type
  • mk_esp_encryption – des, 3des, aes128 / aes-128-cbc, aes192 / aes-192-cbc, aes256 / aes-256-cbc, or null. The various “aes” options changed in version 7.0 onward. If you need to make a script that is compatible with 6.1 PANOS, then use “set_mk_esp_encryption()”. Passing it either “aes128” or “aes-128-cbc” will have it set the appropriate string for the given version.
  • mk_esp_encryption_key – The ESP encryption key for mk_esp_encryption type
  • gps_portal_address – GlobalProtect portal address
  • gps_prefer_ipv6 (bool) – (8.0+) perfer to register portal in IPv6
  • gps_interface – interface to communicate with portal
  • gps_interface_ipv4_ip – exact IPv4 IP address if interface has multiple IP addresses
  • gps_interface_ipv6_ip – (8.0+) exact IPv6 IP address if interface has multiple IP addresses
  • gps_interface_ipv4_floating_ip – (7.0+) floating IPv4 IP address in HA Active-Active configuration
  • gps_interface_ipv6_floating_ip – (8.0+) floating IPv6 IP address in HA Active-Active configuration
  • gps_publish_connected_routes (bool) – enable publishing of connected and static routes
  • gps_publish_routes (str/list) – specify list of routes to publish to GlobalProtect gateway
  • gps_local_certificate – GlobalProtect satellite certificate file name
  • gps_certificate_profile – profile for authenticating GlobalProtect gateway certificates
  • anti_replay – enable anti-replay check on this tunnel
  • copy_tos (bool) – copy IP TOS bits from inner packet to IPSec packet (not recommended)
  • copy_flow_label (bool) – (7.0+) copy IPv6 flow label for 6in6 tunnel from inner packet to IPSec packet (not recommended)
  • enable_tunnel_monitor (bool) – enable tunnel monitoring on this tunnel
  • tunnel_monitor_dest_ip – destination IP to send ICMP probe
  • tunnel_monitor_proxy_id – (7.0+) which proxy-id (or proxy-id-v6) the monitoring traffic will use
  • tunnel_monitor_profile – monitoring action
  • disabled (bool) – (7.0+) disable the IPSec tunnel
set_mk_esp_encryption(value)[source]

Version agnostic set for mk_esp_encryption.

This object should be connected to a pandevice.Firewall before invocation.

Valid values include the following:
  • des
  • 3des
  • aes128
  • aes-128-cbc
  • aes192
  • aes-192-cbc
  • aes256
  • aes-256-cbc
  • null
Raises:
  • PanDeviceNotSet – if there is no Firewall in the object tree
  • ValueError – if value is not one of the above
class pandevice.network.IpsecTunnelIpv4ProxyId(*args, **kwargs)[source]

IKEv1 proxy-id for auto-key IPSec tunnels.

Parameters:
  • name – The proxy ID
  • local – IP subnet or IP address represents local network
  • remote – IP subnet or IP address represents remote network
  • any_protocol (bool) – Any protocol
  • number_proto (int) – Numbered Protocol: protocol number (1-254)
  • tcp_local_port (int) – Protocol TCP: local port
  • tcp_remote_port (int) – Protocol TCP: remote port
  • udp_local_port (int) – Protocol UDP: local port
  • udp_remote_port (int) – Protocol UDP: remote port
class pandevice.network.IpsecTunnelIpv6ProxyId(*args, **kwargs)[source]

IKEv1 IPv6 proxy-id for auto-key IPSec tunnels.

NOTE: Only supported in 7.0 and forward.

Parameters:
  • name – The proxy ID
  • local – IP subnet or IP address represents local network
  • remote – IP subnet or IP address represents remote network
  • any_proto (bool) – Any protocol
  • number_proto (int) – Numbered Protocol: protocol number (1-254)
  • tcp_local_port (int) – Protocol TCP: local port
  • tcp_remote_port (int) – Protocol TCP: remote port
  • udp_local_port (int) – Protocol UDP: local port
  • udp_remote_port (int) – Protocol UDP: remote port
class pandevice.network.Layer2Subinterface(*args, **kwargs)[source]

Ethernet or Aggregate Subinterface in Layer 2 mode.

Parameters:
  • tag (int) – Tag for the interface, aka vlan id
  • lldp_enabled (bool) – Enable LLDP
  • lldp_profile (str) – Reference to an lldp profile
  • netflow_profile_l2 (NetflowProfile) – Reference to a netflow profile
  • comment (str) – The interface’s comment
class pandevice.network.Layer3Subinterface(*args, **kwargs)[source]

Ethernet or Aggregate Subinterface in Layer 3 mode.

Parameters:
  • tag (int) – Tag for the interface, aka vlan id
  • ip (tuple) – Interface IPv4 addresses
  • ipv6_enabled (bool) – IPv6 Enabled (requires IPv6Address child object)
  • management_profile (ManagementProfile) – Interface Management Profile
  • mtu (int) – MTU for interface
  • adjust_tcp_mss (bool) – Adjust TCP MSS
  • netflow_profile (NetflowProfile) – Netflow profile
  • comment (str) – The interface’s comment
  • ipv4_mss_adjust (int) – TCP MSS adjustment for ipv4
  • ipv6_mss_adjust (int) – TCP MSS adjustment for ipv6
  • enable_dhcp (bool) – Enable DHCP on this interface
  • create_dhcp_default_route (bool) – Create default route pointing to default gateway provided by server
  • dhcp_default_route_metric (int) – Metric for the DHCP default route
  • decrypt_forward (bool) – (PAN-OS 8.1+) Decrypt forward.
class pandevice.network.LoopbackInterface(*args, **kwargs)[source]

Loopback interface

Parameters:
  • ip (tuple) – Interface IPv4 addresses
  • ipv6_enabled (bool) – IPv6 Enabled (requires IPv6Address child object)
  • management_profile (ManagementProfile) – Interface Management Profile
  • mtu (int) – MTU for interface
  • adjust_tcp_mss (bool) – Adjust TCP MSS
  • netflow_profile (NetflowProfile) – Netflow profile
  • comment (str) – The interface’s comment
  • ipv4_mss_adjust (int) – TCP MSS adjustment for ipv4
  • ipv6_mss_adjust (int) – TCP MSS adjustment for ipv6
class pandevice.network.ManagementProfile(*args, **kwargs)[source]

Interface management provile.

Add to any of the following interfaces:

  • Layer3Subinterface
  • EthernetInterface
  • AggregateInterface
  • VlanInterface
  • LoopbackInterface
  • TunnelInterface
Parameters:
  • ping (bool) – Enable ping
  • telnet (bool) – Enable telnet
  • ssh (bool) – Enable ssh
  • http (bool) – Enable http
  • http_ocsp (bool) – Enable http-ocsp
  • https (bool) – Enable https
  • snmp (bool) – Enable snmp
  • response_pages (bool) – Enable response pages
  • userid_service (bool) – Enable userid service
  • userid_syslog_listener_ssl (bool) – Enable userid syslog listener ssl
  • userid_syslog_listener_udp (bool) – Enable userid syslog listener udp
  • permitted_ip (list) – The list of permitted IP addresses
class pandevice.network.Ospf(*args, **kwargs)[source]

OSPF Process

Parameters:
  • enable (bool) – Enable OSPF (Default: True)
  • router_id (str) – Router ID in IP format (eg. 1.1.1.1)
  • reject_default_route (bool) – Reject default route
  • allow_redist_default_route (bool) – Allow redistribution in default route
  • rfc1583 (bool) – rfc1583
  • spf_calculation_delay (int) – SPF calculation delay
  • lsa_interval (int) – LSA interval
  • graceful_restart_enable (bool) – Enable OSPF graceful restart
  • gr_grace_period (int) – Graceful restart period
  • gr_helper_enable (bool) – Graceful restart helper enable
  • gr_strict_lsa_checking (bool) – Graceful restart strict lsa checking
  • gr_max_neighbor_restart_time (int) – Graceful restart neighbor restart time
class pandevice.network.OspfArea(*args, **kwargs)[source]

OSPF Area

Parameters:
  • name (str) – Area in IP format
  • type (str) – Type of area, ‘normal’, ‘stub’, or ‘nssa’ (Default: normal)
  • accept_summary (bool) – Accept summary route - stub and nssa only
  • default_route_advertise (str) – ‘disable’ or ‘advertise’ (Default: disable) - stub and nssa only
  • default_route_advertise_metric (int) – Default route metric - stub and nssa only
  • default_route_advertise_type (str) – ‘ext-1’ or ‘ext2’ (Default: ext-2 - nssa only
class pandevice.network.OspfAreaInterface(*args, **kwargs)[source]

OSPF Area Interface

Parameters:
  • name (str) – Name of the interface (interface must exist)
  • enable (bool) – OSPF enabled on this interface
  • passive (bool) – Passive mode
  • link_type (str) – Link type, ‘broadcast’, ‘p2p’, or ‘p2mp’ (Default: broadcast)
  • metric (int) – Metric
  • priority (int) – Priority id
  • hello_interval (int) – Hello interval
  • dead_counts (int) – Dead counts
  • retransmit_interval (int) – Retransmit interval
  • transit_delay (int) – Transit delay
  • gr_delay (int) – Graceful restart delay
  • authentication (str) – Reference to a pandevice.network.OspfAuthProfile
class pandevice.network.OspfAuthProfile(*args, **kwargs)[source]

OSPF Authentication Profile

Parameters:
  • name (str) – Name of Auth Profile
  • type (str) – ‘password’ or ‘md5’
  • password (str) – The password if type is set to ‘password’. If type is set to ‘md5’, add a pandevice.network.OspfAuthProfileMd5
class pandevice.network.OspfAuthProfileMd5(*args, **kwargs)[source]

OSPF Authentication Profile

Parameters:
  • keyid (int) – Identifier for key
  • key (str) – The authentication key
  • preferred (bool) – This key is preferred
class pandevice.network.OspfExportRules(*args, **kwargs)[source]

OSPF Export Rules

Parameters:
  • name (str) – IP subnet or pandevice.network.RedistributionProfile
  • new_path_type (str) – New path type, ‘ext-1’ or ‘ext-2’ (Default: ext-2)
  • new_tag (str) – New tag (int or IP format)
  • metric (int) – Metric
class pandevice.network.OspfNeighbor(*args, **kwargs)[source]

OSPF Neighbor

Parameters:
  • name (str) – IP of neighbor
  • metric (int) – Metric
class pandevice.network.OspfNssaExternalRange(*args, **kwargs)[source]

OSPF NSSA External Range

Parameters:
  • name (str) – IP network with prefix
  • mode (str) – ‘advertise’ or ‘suppress’ (Default: advertise)
class pandevice.network.OspfRange(*args, **kwargs)[source]

OSPF Range

Parameters:
  • name (str) – IP network with prefix
  • mode (str) – ‘advertise’ or ‘suppress’ (Default: advertise)
class pandevice.network.PhysicalInterface(*args, **kwargs)[source]

Absract base class for Ethernet and Aggregate Interfaces

Do not instantiate this object. Use a subclass.

set_zone(zone_name, mode=None, refresh=False, update=False, running_config=False, return_type='object')[source]

Set the zone for this interface

Creates a reference to this interface in the specified zone and removes references to this interface from all other zones. The zone will be created if it doesn’t exist.

Parameters:
  • zone_name (str) – The name of the Zone or a pandevice.network.Zone instance
  • mode (str) – The mode of the zone. See pandevice.network.Zone for possible values
  • refresh (bool) – Refresh the relevant current state of the device before taking action (Default: False)
  • update (bool) – Apply the changes to the device (Default: False)
  • running_config – If refresh is True, refresh from the running configuration (Default: False)
  • return_type (str) – Specify what this function returns, can be either ‘object’ (the default) or ‘bool’. If this is ‘object’, then the return value is the Zone in question. If this is ‘bool’, then the return value is a boolean that tells you about if the live device needs updates (update=False) or was updated (update=True).
Returns:

The zone for this interface after the operation completes

Return type:

Zone

class pandevice.network.RedistributionProfile(*args, **kwargs)[source]

Redistribution Profile

Parameters:
  • name (str) – Name of profile
  • priority (int) – Priority id
  • action (str) – ‘no-redist’ or ‘redist’
  • filter_type (tuple) – Any of ‘static’, ‘connect’, ‘rip’, ‘ospf’, or ‘bgp’
  • filter_interface (tuple) – Filter interface
  • filter_destination (tuple) – Filter destination
  • filter_nexthop (tuple) – Filter nexthop
  • ospf_filter_pathtype (tuple) – Any of ‘intra-area’, ‘inter-area’, ‘ext-1’, or ‘ext-2
  • ospf_filter_area (tuple) – OSPF filter on area
  • ospf_filter_tag (tuple) – OSPF filter on tag
  • bgp_filter_community (tuple) – BGP filter on community
  • bgp_filter_extended_community (tuple) – BGP filter on extended community
class pandevice.network.RedistributionProfileBase(*args, **kwargs)[source]

Redistribution Profile

Parameters:
  • name (str) – Name of profile
  • priority (int) – Priority id
  • action (str) – ‘no-redist’ or ‘redist’
  • filter_type (tuple) – Any of ‘static’, ‘connect’, ‘rip’, ‘ospf’, or ‘bgp’
  • filter_interface (tuple) – Filter interface
  • filter_destination (tuple) – Filter destination
  • filter_nexthop (tuple) – Filter nexthop
  • ospf_filter_pathtype (tuple) – Any of ‘intra-area’, ‘inter-area’, ‘ext-1’, or ‘ext-2
  • ospf_filter_area (tuple) – OSPF filter on area
  • ospf_filter_tag (tuple) – OSPF filter on tag
  • bgp_filter_community (tuple) – BGP filter on community
  • bgp_filter_extended_community (tuple) – BGP filter on extended community
class pandevice.network.RedistributionProfileIPv6(*args, **kwargs)[source]

Redistribution Profile

Parameters:
  • name (str) – Name of profile
  • priority (int) – Priority id
  • action (str) – ‘no-redist’ or ‘redist’
  • filter_type (tuple) – Any of ‘static’, ‘connect’, ‘rip’, ‘ospf’, or ‘bgp’
  • filter_interface (tuple) – Filter interface
  • filter_destination (tuple) – Filter destination
  • filter_nexthop (tuple) – Filter nexthop
  • ospf_filter_pathtype (tuple) – Any of ‘intra-area’, ‘inter-area’, ‘ext-1’, or ‘ext-2
  • ospf_filter_area (tuple) – OSPF filter on area
  • ospf_filter_tag (tuple) – OSPF filter on tag
  • bgp_filter_community (tuple) – BGP filter on community
  • bgp_filter_extended_community (tuple) – BGP filter on extended community
class pandevice.network.StaticMac(*args, **kwargs)[source]

Static MAC address for a Vlan

Can be added to a pandevice.network.Vlan object

Parameters:interface (str) – Name of an interface
class pandevice.network.StaticRoute(*args, **kwargs)[source]

Static Route

Add to a pandevice.network.VirtualRouter instance.

Parameters:
  • name (str) – The name
  • destination (str) – Destination network
  • nexthop_type (str) – ip-address, discard, or next-vr
  • nexthop (str) – Next hop IP address or Next VR Name
  • interface (str) – Next hop interface
  • admin_dist (str) – Administrative distance
  • metric (int) – Metric (Default: 10)
class pandevice.network.StaticRouteV6(*args, **kwargs)[source]

IPV6 Static Route

Add to a pandevice.network.VirtualRouter instance.

Parameters:
  • name (str) – The name
  • destination (str) – Destination network
  • nexthop_type (str) – ip-address or discard
  • nexthop (str) – Next hop IP address
  • interface (str) – Next hop interface
  • admin_dist (str) – Administrative distance
  • metric (int) – Metric (Default: 10)
class pandevice.network.Subinterface(*args, **kwargs)[source]

Subinterface class

Do not instantiate this object. Use a subclass.

set_name()[source]

Create a name appropriate for a subinterface if it isn’t already

class pandevice.network.TunnelInterface(*args, **kwargs)[source]

Tunnel interface

Parameters:
  • ip (tuple) – Interface IPv4 addresses
  • ipv6_enabled (bool) – IPv6 Enabled (requires IPv6Address child object)
  • management_profile (ManagementProfile) – Interface Management Profile
  • mtu (int) – MTU for interface
  • netflow_profile (NetflowProfile) – Netflow profile
  • comment (str) – The interface’s comment
class pandevice.network.VirtualRouter(*args, **kwargs)[source]

Virtual router

Parameters:
  • name (str) – Name of virtual router (Default: “default”)
  • interface (list) – List of interface names
  • ad_static (int) – Administrative distance for this protocol
  • ad_static_ipv6 (int) – Administrative distance for this protocol
  • ad_ospf_int (int) – Administrative distance for this protocol
  • ad_ospf_ext (int) – Administrative distance for this protocol
  • ad_ospfv3_int (int) – Administrative distance for this protocol
  • ad_ospfv3_ext (int) – Administrative distance for this protocol
  • ad_ibgp (int) – Administrative distance for this protocol
  • ad_ebgp (int) – Administrative distance for this protocol
  • ad_rip (int) – Administrative distance for this protocol
class pandevice.network.VirtualWire(*args, **kwargs)[source]

Virtual wires (vwire)

Parameters:
  • name (str) – The vwire name
  • tag (int) – Tag for the interface, aka vlan id
  • interface1 (str) – The first interface to use
  • interface2 (str) – The second interface to use
  • multicast (bool) – Enable multicast firewalling or not
  • pass_through (bool) – Enable link state pass through or not
class pandevice.network.Vlan(*args, **kwargs)[source]
Parameters:
  • interface (list) – List of interface names
  • virtual-interface (VlanInterface) – The layer3 vlan interface for this vlan
class pandevice.network.VlanInterface(*args, **kwargs)[source]

Vlan interface

Parameters:
  • ip (tuple) – Interface IPv4 addresses
  • ipv6_enabled (bool) – IPv6 Enabled (requires IPv6Address child object)
  • management_profile (ManagementProfile) – Interface Management Profile
  • mtu (int) – MTU for interface
  • adjust_tcp_mss (bool) – Adjust TCP MSS
  • netflow_profile (NetflowProfile) – Netflow profile
  • comment (str) – The interface’s comment
  • ipv4_mss_adjust (int) – TCP MSS adjustment for ipv4
  • ipv6_mss_adjust (int) – TCP MSS adjustment for ipv6
  • enable_dhcp (bool) – Enable DHCP on this interface
  • create_dhcp_default_route (bool) – Create default route pointing to default gateway provided by server
  • dhcp_default_route_metric (int) – Metric for the DHCP default route
set_vlan_interface(vlan_name, refresh=False, update=False, running_config=False, return_type='object')[source]

Sets the VLAN’s VLAN interface to this VLAN interface

Creates a reference to this interface in the specified vlan and removes references to this interface from all other VLANs. The vlan will be created if it doesn’t exist.

Parameters:
  • vlan_name (str) – The name of the vlan or a pandevice.network.Vlan instance
  • refresh (bool) – Refresh the relevant current state of the device before taking action (Default: False)
  • update (bool) – Apply the changes to the device (Default: False)
  • running_config – If refresh is True, refresh from the running configuration (Default: False)
  • return_type (str) – Specify what this function returns, can be either ‘object’ (the default) or ‘bool’. If this is ‘object’, then the return value is the Vlan in question. If this is ‘bool’, then the return value is a boolean that tells you about if the live device needs updates (update=False) or was updated (update=True).
Returns:

The VLAN for this interface after the operation completes

Return type:

Vlan

class pandevice.network.Zone(*args, **kwargs)[source]

Security zone

Parameters:
  • name (str) – Name of the zone
  • mode (str) – The mode of the security zone. Must match the mode of the interface. Possible values: tap, virtual-wire, layer2, layer3, external
  • interface (list) – List of interface names or instantiated subclasses of pandevice.network.Interface.
  • zone_profile (str) – Zone protection profile
  • log_setting (str) – Log forwarding setting
  • enable_user_identification (bool) – If user identification is enabled
  • include_acl (list/str) – User identification ACL include list
  • exclude_acl (list/str) – User identification ACL exclude list
pandevice.network.interface(name, *args, **kwargs)[source]

Interface object factory

Creates an interface object of type determined by the name of the interface.

Parameters:
  • name (str) – Name of the interface to create (eg. ethernet1/1.5)
  • mode (str) – Mode of the interface. Possible values: layer3, layer2, virtual-wire, tap, ha, aggregate-group. Default: None
Keyword Arguments:
 

tag (int) – Tag for the interface, aka vlan id

Returns:

An instantiated subclass of pandevice.network.Interface

Return type:

Interface