The Device Framework is a mechanism for interacting with Palo Alto Networks devices (including physical and virtualized Next-generation Firewalls and Panorama). The Device Framework is object oriented and mimics the traditional interaction with the device via the GUI or CLI/API.

• Documentation: http://pandevice.readthedocs.io
• Overview: http://paloaltonetworks.github.io/pandevice
• Free software: ISC License

• Object model of Firewall and Panorama configuration
• Multiple connection methods including Panorama as a proxy
• All operations natively vsys-aware
• Support for high availability pairs and retry/recovery during node failure
• Batch User-ID operations
• Device API exception classification

Palo Alto Networks Device Framework is considered alpha. It is fully tested and used in many production environments, but it maintains alpha status because the API interface could change at any time without notification. Please be prepared to modify your scripts to work with each subsequent version of this package because backward compatibility is not guaranteed.

The easiest method to install pandevice is using pip:

pip install pandevice

Or, if you have virtualenvwrapper installed:

$ mkvirtualenv pandevice
$ pip install pandevice

Pip will install the pan-python library as a dependency.

Upgrade to the latest version:

pip install --upgrade pandevice

To use Palo Alto Networks Device Framework in a project:

import pandevice

You can also be more specific about which modules you want to import:

from pandevice import firewall
from pandevice import network

For configuration tasks, create a tree structure using the classes in each module. Nodes hierarchy must follow the model in the Configuration Tree.

The following examples assume the modules were imported as such:

from pandevice import firewall
from pandevice import network

Create a subinterface and commit:

fw = firewall.Firewall("10.0.0.1", api_username="admin", api_password="admin")
eth = fw.add(network.EthernetInterface("ethernet1/1", mode="layer3"))
subeth = eth.add(network.Layer3Subinterface("ethernet1/1.30", ip="4.4.4.4/24", tag=30))
subeth.create()
fw.commit()

Operational commands leverage the 'op' method of the device:

fw = firewall.Firewall("10.0.0.1", api_username="admin", api_password="admin")
print fw.op("show system info")

Some operational commands have methods to refresh the variables in an object:

# populates the version, serial, and model variables from the live device
fw.refresh_system_info()

See more examples in the Usage Guide.

PAN-OS 8.0 by default does not allow connections to the API with TLS 1.0. Unfortunately, the latest OSX and many linux distros come with OpenSSL versions that don't support TLS 1.1 or 1.2. OpenSSL 1.0.1 or higher is needed to connect to PAN-OS 8.0. If you try to connect with a lower version of OpenSSL, you'll get a connection error. There are two solutions:

Option 1: Upgrade OpenSSL (more secure)

Mac OSX: In Mac OSX you can't upgrade the built-in OpenSSL, but you can install your own python and OpenSSL using Homebrew. Follow this guide to get set up: Definitive guide to python on OSX

Linux: Use the instructions for your distribution's package manager to upgrade OpenSSL to 1.0.1 or higher.

Option 2: Enable TLS 1.0 on PAN-OS (less secure)

Follow the direction in the PAN-OS Administrator Guide: Replace the Certificate for Inbound Management Traffic

• Brian Torres-Gil - github
• Garfield Freeman - github
• John Anderson - github
• Aditya Sripal - github

Thank you to Kevin Steves, creator of the pan-python library:

https://github.com/kevinsteves/pan-python