Module: panorama

Configuration tree diagram

Child objects each panos.panorama class can hold in the configuration tree (parent -> children):

  • DeviceGroup -> panos.firewall.Firewall; panos.objects: AddressGroup, AddressObject, ApplicationFilter, ApplicationGroup, ApplicationObject, CustomUrlCategory, LogForwardingProfile, Region, ScheduleObject, SecurityProfileGroup, ServiceGroup, ServiceObject; panos.policies: PostRulebase, PreRulebase
  • Panorama -> panos.device: Administrator, EmailServerProfile, HttpServerProfile, PasswordProfile, SnmpServerProfile, SyslogServerProfile; panos.firewall.Firewall; panos.panorama: DeviceGroup, Template, TemplateStack
  • Template -> panos.device: Administrator, PasswordProfile, SystemSettings, Vsys; panos.ha.HighAvailability; panos.network: AggregateInterface, EthernetInterface, GreTunnel, IkeCryptoProfile, IkeGateway, IpsecCryptoProfile, IpsecTunnel, LoopbackInterface, ManagementProfile, TunnelInterface, VirtualRouter, VirtualWire, Vlan, VlanInterface; panos.panorama.TemplateVariable
  • TemplateStack -> panos.device: Administrator, PasswordProfile, SystemSettings, Vsys; panos.ha.HighAvailability; panos.network: AggregateInterface, EthernetInterface, GreTunnel, IkeCryptoProfile, IkeGateway, IpsecCryptoProfile, IpsecTunnel, LoopbackInterface, ManagementProfile, TunnelInterface, VirtualRouter, VirtualWire, Vlan, VlanInterface; panos.panorama.TemplateVariable

Class Reference

Panorama and all Panorama related objects

class panos.panorama.DeviceGroup(*args, **kwargs)[source]

Panorama Device-group

This class and the panos.panorama.Panorama class are the only objects that can have a panos.firewall.Firewall child object. In addition to a Firewall, a DeviceGroup can have the same child objects as a panos.firewall.Firewall or panos.device.Vsys.

See also Configuration tree diagrams

Parameters:
  • name (str) – Name of the device-group
  • tag (list) – Tags as strings
devicegroup()[source]

The nearest panos.panorama.DeviceGroup object.

This method is used to determine the device to apply this object to.

Returns: The DeviceGroup object closest to this object in the configuration tree, or None if there is no DeviceGroup in the path to this node.
Return type: DeviceGroup
vsys

Return the vsys for this object

Traverses the tree to determine the vsys from a panos.firewall.Firewall or panos.device.Vsys instance somewhere before this node in the tree.

Returns: The vsys id (e.g. vsys2)
Return type: str
class panos.panorama.Panorama(hostname, api_username=None, api_password=None, api_key=None, port=443, *args, **kwargs)[source]

Panorama device

This is the only object in the configuration tree that cannot have a parent. If it is in the configuration tree, then it is the root of the tree.

Parameters:
  • hostname – Hostname or IP of device for API connections
  • api_username – Username of administrator to access API
  • api_password – Password of administrator to access API
  • api_key – The API Key for connecting to the device’s API
  • port – Port of device for API connections
  • timeout – The timeout for asynchronous jobs
  • interval – The interval to check asynchronous jobs
FIREWALL_CLASS

alias of panos.firewall.Firewall

commit_all(sync=False, sync_all=True, exception=False, devicegroup=None, serials=(), cmd=None, description=None, include_template=None)[source]

Trigger a commit-all (commit to devices) on Panorama

NOTE: Use the new panorama.PanoramaCommitAll with commit() instead.

Parameters:
  • sync (bool) – Block until the Panorama commit is finished (Default: False)
  • sync_all (bool) – Block until every Firewall commit is finished, requires sync=True (Default: True)
  • exception (bool) – Create an exception on commit errors (Default: False)
  • devicegroup (str) – Limit commit-all to a single device-group
  • serials (list) – Limit commit-all to these serial numbers
  • cmd (str) – Commit options in XML format
  • description – Commit description
  • include_template (bool) – Include template changes in this push
Returns: Commit results
Return type: dict

generate_vm_auth_key(lifetime)[source]

Generates a VM auth key to be placed in a VM’s init-cfg.txt.

Parameters: lifetime (int) – The lifetime (in hours).
Raises: PanDeviceError
Returns: A dict with “authkey” and “expires” keys.
Return type: dict
get_vm_auth_keys()[source]

Returns the current VM auth keys.

Raises: PanDeviceError
Returns: A list of dicts. Each dict has “authkey” and “expires” keys.
Return type: list
op(cmd=None, vsys=None, xml=False, cmd_xml=True, extra_qs=None, retry_on_peer=False)[source]

Perform operational command on this Panorama

Parameters:
  • cmd (str) – The operational command to execute
  • vsys (str) – Ignored for Panorama
  • xml (bool) – Return value should be a string (Default: False)
  • cmd_xml (bool) – True: cmd is not XML, False: cmd is XML (Default: True)
  • extra_qs – Extra parameters for API call
  • retry_on_peer (bool) – Try on active Firewall first, then try on passive Firewall
Returns: The result of the operational command. May also return a string of XML if xml=True
Return type: xml.etree.ElementTree

panorama()[source]

The nearest panos.panorama.Panorama object.

This method is used to determine the device to apply this object to.

Returns: The Panorama object closest to this object in the configuration tree
Return type: Panorama
Raises: PanDeviceNotSet – There is no Panorama object in the tree.
refresh_devices(devices=(), only_connected=False, expand_vsys=True, include_device_groups=True, add=False, running_config=False)[source]

Refresh device groups and devices using config and operational commands

Uses operational command in addition to configuration to gather as much information as possible about Panorama connected devices. The operational commands used are ‘show devices all/connected’ and ‘show devicegroups’.

Information gathered about each device includes:

  • management IP address (can be different from hostname)
  • serial
  • version
  • high availability peer relationships
  • panorama connection status
  • device-group sync status
Parameters:
  • devices (list) – Limit refresh to these serial numbers
  • only_connected (bool) – Ignore devices that are not ‘connected’ to Panorama (Default: False)
  • expand_vsys (bool) – Instantiate a Firewall object for every Vsys (Default: True)
  • include_device_groups (bool) – Instantiate panos.panorama.DeviceGroup objects with Firewall objects added to them.
  • add (bool) – Add the new tree of instantiated DeviceGroup and Firewall objects to the Panorama config tree. Warning: This removes all current DeviceGroup and Firewall objects from the configuration tree, and all their children, so it is typically done before building a configuration tree. (Default: False)
  • running_config (bool) – Refresh devices from the running configuration (Default: False)
Returns: If ‘include_device_groups’ is True, returns a list containing new DeviceGroup instances which contain new Firewall instances. Any Firewall that is not in a device-group is in the list with the DeviceGroup instances. If ‘include_device_groups’ is False, returns a list containing new Firewall instances.
Return type: list

class panos.panorama.PanoramaCommit(description=None, admins=None, device_groups=None, templates=None, template_stacks=None, wildfire_appliances=None, wildfire_clusters=None, log_collectors=None, log_collector_groups=None, exclude_device_and_network=False, exclude_shared_objects=False, force=False)[source]

Normalization of a Panorama commit.

element()[source]

Returns an xml representation of the commit requested.

Returns: xml.etree.ElementTree
class panos.panorama.PanoramaCommitAll(style, name, description=None, include_template=None, force_template_values=None, devices=None)[source]

Normalization of a Panorama commit all.

element()[source]

Returns an xml representation of the commit all.

Returns: xml.etree.ElementTree
class panos.panorama.Template(*args, **kwargs)[source]

A panorama template.

Parameters:
  • name – Template name
  • description – Description
  • devices (str/list) – The list of serial numbers in this template
  • default_vsys – The default vsys in case of a single vsys firewall
  • multi_vsys (bool) – (6.1 and lower) Multi virtual systems boolean
  • mode – (6.1 and lower) Can be fips, cc, or normal (default: normal)
  • vpn_disable_mode (bool) – (6.1 and lower) VPN disable mode
apply_similar()[source]

Bulk apply all objects similar to this one.

Modifies the live device

This is similar to apply(), except instead of calling apply only on this object, it calls apply for all objects that share the same xpath as this object, recursively searching the entire object tree from the nearest firewall or panorama instance.

As an example, if you called apply_similar on an object representing ethernet1/5.42, all of the subinterfaces for ethernet1/5 would be included in the resulting XML document, regardless of which vsys those subinterfaces existed in.

Since apply does a replace of the config at the given xpath, please be careful when using this function that all objects, whether they be updated or not, exist in your pan-os-python object tree.

create_similar()[source]

Bulk create all objects similar to this one.

Modifies the live device

This is similar to create(), except instead of calling create only on this object, it calls create for all objects that share the same xpath as this object, recursively searching the entire object tree from the nearest firewall or panorama instance.

As an example, if you called create_similar on an object representing ethernet1/5.42, all of the subinterfaces for ethernet1/5 would be included in the resulting XML document, regardless of which vsys those subinterfaces existed in.

delete_similar()[source]

Bulk delete all objects similar to this one.

Modifies the live device

This is similar to delete(), except instead of calling delete only on this object, it calls delete for all objects that share the same xpath as this object, recursively searching the entire object tree from the nearest firewall or panorama instance.

As an example, if you called delete_similar on an object representing ethernet1/5.42, all of the subinterfaces in your pan-os-python object tree for ethernet1/5 would be removed.

class panos.panorama.TemplateStack(*args, **kwargs)[source]

Template stack.

NOTE: Template stacks were introduced in PAN-OS 7.0. Attempting to use this class on PAN-OS 6.1 or earlier will result in an error.

Parameters:
  • name – Stack name
  • description – The description
  • templates (str/list) – The list of templates in this stack
  • devices (str/list) – The list of serial numbers in this template
apply_similar()[source]

Bulk apply all objects similar to this one.

Modifies the live device

This is similar to apply(), except instead of calling apply only on this object, it calls apply for all objects that share the same xpath as this object, recursively searching the entire object tree from the nearest firewall or panorama instance.

As an example, if you called apply_similar on an object representing ethernet1/5.42, all of the subinterfaces for ethernet1/5 would be included in the resulting XML document, regardless of which vsys those subinterfaces existed in.

Since apply does a replace of the config at the given xpath, please be careful when using this function that all objects, whether they be updated or not, exist in your pan-os-python object tree.
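The replace behaviour noted for apply_similar() above (it applies to both Template and TemplateStack) can be previewed before anything is pushed. The following is an added example, not part of pan-os-python: it uses only the Python standard library on constructed XML, and the names preview_replace and safe_to_apply, as well as the simplified <units> layout, are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: subinterface entries as they currently exist on the device
# at the shared xpath (simplified layout, not real device output).
DEVICE_UNITS = """
<units>
  <entry name="ethernet1/5.10"><tag>10</tag></entry>
  <entry name="ethernet1/5.42"><tag>42</tag><comment>old</comment></entry>
  <entry name="ethernet1/5.99"><tag>99</tag></entry>
</units>
"""

# Constructed sample: what the local object tree would render for the same xpath.
# ethernet1/5.99 was never loaded into the local tree, so it is absent here.
LOCAL_UNITS = """
<units>
  <entry name="ethernet1/5.10">
    <tag>10</tag>
  </entry>
  <entry name="ethernet1/5.42"><tag>42</tag><comment>new</comment></entry>
  <entry name="ethernet1/5.50"><tag>50</tag></entry>
</units>
"""


def _norm(elem):
    """Whitespace-insensitive, comparable form of an element subtree."""
    return (elem.tag, tuple(sorted(elem.attrib.items())),
            (elem.text or "").strip(), tuple(_norm(c) for c in elem))


def entries(container_xml):
    """Map entry name -> normalised subtree for each <entry> under the container."""
    root = ET.fromstring(container_xml)
    return {e.get("name"): _norm(e) for e in root.findall("entry")}


def preview_replace(device_xml, local_xml):
    """Classify what replacing the device container with the local one would do."""
    device, local = entries(device_xml), entries(local_xml)
    common = device.keys() & local.keys()
    return {
        "removed": sorted(device.keys() - local.keys()),   # silently dropped by a replace
        "added": sorted(local.keys() - device.keys()),
        "changed": sorted(n for n in common if device[n] != local[n]),
        "unchanged": sorted(n for n in common if device[n] == local[n]),
    }


def safe_to_apply(preview, expected_removals=()):
    """True only if every entry the replace would remove was explicitly expected."""
    return set(preview["removed"]) <= set(expected_removals)


if __name__ == "__main__":
    result = preview_replace(DEVICE_UNITS, LOCAL_UNITS)
    for kind, names in result.items():
        print(f"{kind:10s} {names}")
    print("safe to apply:", safe_to_apply(result))
```

A non-empty "removed" list means the local object tree is missing entries that exist on the device; load them into the tree before the bulk apply, or pass them as expected removals if the deletion is intended.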

create_similar()[source]

Bulk create all objects similar to this one.

Modifies the live device

This is similar to create(), except instead of calling create only on this object, it calls create for all objects that share the same xpath as this object, recursively searching the entire object tree from the nearest firewall or panorama instance.

As an example, if you called create_similar on an object representing ethernet1/5.42, all of the subinterfaces for ethernet1/5 would be included in the resulting XML document, regardless of which vsys those subinterfaces existed in.

delete_similar()[source]

Bulk delete all objects similar to this one.

Modifies the live device

This is similar to delete(), except instead of calling delete only on this object, it calls delete for all objects that share the same xpath as this object, recursively searching the entire object tree from the nearest firewall or panorama instance.

As an example, if you called delete_similar on an object representing ethernet1/5.42, all of the subinterfaces in your pan-os-python object tree for ethernet1/5 would be removed.

class panos.panorama.TemplateVariable(*args, **kwargs)[source]

Template or template stack variable.

Parameters:
  • name – The name.
  • value – The variable value.
  • variable_type – The variable type:
      • ip-netmask (default)
      • ip-range
      • fqdn
      • group-id
      • interface
      • device-priority (PAN-OS 9.0+)
      • device-id (PAN-OS 9.0+)