Module: firewall

Inheritance diagram

Inheritance diagram of panos.firewall

Configuration tree diagram

digraph configtree { graph [rankdir=LR, fontsize=10, margin=0.001]; node [shape=box, fontsize=10, height=0.001, margin=0.1, ordering=out]; Firewall [style=filled fillcolor=lightblue URL="../module-firewall.html#panos.firewall.Firewall" target="_top"]; Administrator [style=filled fillcolor=lightpink URL="../module-device.html#panos.device.Administrator" target="_top"]; Firewall -> Administrator; AuthenticationProfile [style=filled fillcolor=lightpink URL="../module-device.html#panos.device.AuthenticationProfile" target="_top"]; Firewall -> AuthenticationProfile; AuthenticationSequence [style=filled fillcolor=lightpink URL="../module-device.html#panos.device.AuthenticationSequence" target="_top"]; Firewall -> AuthenticationSequence; CertificateProfile [style=filled fillcolor=lightpink URL="../module-device.html#panos.device.CertificateProfile" target="_top"]; Firewall -> CertificateProfile; EmailServerProfile [style=filled fillcolor=lightpink URL="../module-device.html#panos.device.EmailServerProfile" target="_top"]; Firewall -> EmailServerProfile; HttpServerProfile [style=filled fillcolor=lightpink URL="../module-device.html#panos.device.HttpServerProfile" target="_top"]; Firewall -> HttpServerProfile; LdapServerProfile [style=filled fillcolor=lightpink URL="../module-device.html#panos.device.LdapServerProfile" target="_top"]; Firewall -> LdapServerProfile; LocalUserDatabaseGroup [style=filled fillcolor=lightpink URL="../module-device.html#panos.device.LocalUserDatabaseGroup" target="_top"]; Firewall -> LocalUserDatabaseGroup; LocalUserDatabaseUser [style=filled fillcolor=lightpink URL="../module-device.html#panos.device.LocalUserDatabaseUser" target="_top"]; Firewall -> LocalUserDatabaseUser; LogSettingsConfig [style=filled fillcolor=lightpink URL="../module-device.html#panos.device.LogSettingsConfig" target="_top"]; Firewall -> LogSettingsConfig; LogSettingsSystem [style=filled fillcolor=lightpink URL="../module-device.html#panos.device.LogSettingsSystem" target="_top"]; Firewall -> LogSettingsSystem; PasswordProfile [style=filled fillcolor=lightpink URL="../module-device.html#panos.device.PasswordProfile" target="_top"]; Firewall -> PasswordProfile; SnmpServerProfile [style=filled fillcolor=lightpink URL="../module-device.html#panos.device.SnmpServerProfile" target="_top"]; Firewall -> SnmpServerProfile; SslDecrypt [style=filled fillcolor=lightpink URL="../module-device.html#panos.device.SslDecrypt" target="_top"]; Firewall -> SslDecrypt; SyslogServerProfile [style=filled fillcolor=lightpink URL="../module-device.html#panos.device.SyslogServerProfile" target="_top"]; Firewall -> SyslogServerProfile; SystemSettings [style=filled fillcolor=lightpink URL="../module-device.html#panos.device.SystemSettings" target="_top"]; Firewall -> SystemSettings; Telemetry [style=filled fillcolor=lightpink URL="../module-device.html#panos.device.Telemetry" target="_top"]; Firewall -> Telemetry; Vsys [style=filled fillcolor=lightpink URL="../module-device.html#panos.device.Vsys" target="_top"]; Firewall -> Vsys; VsysResources [style=filled fillcolor=lightpink URL="../module-device.html#panos.device.VsysResources" target="_top"]; Firewall -> VsysResources; HighAvailability [style=filled fillcolor=lavender URL="../module-ha.html#panos.ha.HighAvailability" target="_top"]; Firewall -> HighAvailability; AggregateInterface [style=filled fillcolor=lightcyan URL="../" target="_top"]; Firewall -> AggregateInterface; Dhcp [style=filled fillcolor=lightcyan URL="../" target="_top"]; Firewall -> Dhcp; EthernetInterface [style=filled fillcolor=lightcyan URL="../" target="_top"]; Firewall -> EthernetInterface; GreTunnel [style=filled fillcolor=lightcyan URL="../" target="_top"]; Firewall -> GreTunnel; IkeCryptoProfile [style=filled fillcolor=lightcyan URL="../" target="_top"]; Firewall -> IkeCryptoProfile; IkeGateway [style=filled fillcolor=lightcyan URL="../" target="_top"]; Firewall -> IkeGateway; IpsecCryptoProfile [style=filled fillcolor=lightcyan URL="../" target="_top"]; Firewall -> IpsecCryptoProfile; IpsecTunnel [style=filled fillcolor=lightcyan URL="../" target="_top"]; Firewall -> IpsecTunnel; Layer2Subinterface [style=filled fillcolor=lightcyan URL="../" target="_top"]; Firewall -> Layer2Subinterface; Layer3Subinterface [style=filled fillcolor=lightcyan URL="../" target="_top"]; Firewall -> Layer3Subinterface; LoopbackInterface [style=filled fillcolor=lightcyan URL="../" target="_top"]; Firewall -> LoopbackInterface; ManagementProfile [style=filled fillcolor=lightcyan URL="../" target="_top"]; Firewall -> ManagementProfile; TunnelInterface [style=filled fillcolor=lightcyan URL="../" target="_top"]; Firewall -> TunnelInterface; VirtualRouter [style=filled fillcolor=lightcyan URL="../" target="_top"]; Firewall -> VirtualRouter; VirtualWire [style=filled fillcolor=lightcyan URL="../" target="_top"]; Firewall -> VirtualWire; Vlan [style=filled fillcolor=lightcyan URL="../" target="_top"]; Firewall -> Vlan; VlanInterface [style=filled fillcolor=lightcyan URL="../" target="_top"]; Firewall -> VlanInterface; Zone [style=filled fillcolor=lightcyan URL="../" target="_top"]; Firewall -> Zone; AddressGroup [style=filled fillcolor=lemonchiffon URL="../module-objects.html#panos.objects.AddressGroup" target="_top"]; Firewall -> AddressGroup; AddressObject [style=filled fillcolor=lemonchiffon URL="../module-objects.html#panos.objects.AddressObject" target="_top"]; Firewall -> AddressObject; ApplicationContainer [style=filled fillcolor=lemonchiffon URL="../module-objects.html#panos.objects.ApplicationContainer" target="_top"]; Firewall -> ApplicationContainer; ApplicationFilter [style=filled fillcolor=lemonchiffon URL="../module-objects.html#panos.objects.ApplicationFilter" target="_top"]; Firewall -> ApplicationFilter; ApplicationGroup [style=filled fillcolor=lemonchiffon URL="../module-objects.html#panos.objects.ApplicationGroup" target="_top"]; Firewall -> ApplicationGroup; ApplicationObject [style=filled fillcolor=lemonchiffon URL="../module-objects.html#panos.objects.ApplicationObject" target="_top"]; Firewall -> ApplicationObject; ApplicationTag [style=filled fillcolor=lemonchiffon URL="../module-objects.html#panos.objects.ApplicationTag" target="_top"]; Firewall -> ApplicationTag; CustomUrlCategory [style=filled fillcolor=lemonchiffon URL="../module-objects.html#panos.objects.CustomUrlCategory" target="_top"]; Firewall -> CustomUrlCategory; DynamicUserGroup [style=filled fillcolor=lemonchiffon URL="../module-objects.html#panos.objects.DynamicUserGroup" target="_top"]; Firewall -> DynamicUserGroup; Edl [style=filled fillcolor=lemonchiffon URL="../module-objects.html#panos.objects.Edl" target="_top"]; Firewall -> Edl; LogForwardingProfile [style=filled fillcolor=lemonchiffon URL="../module-objects.html#panos.objects.LogForwardingProfile" target="_top"]; Firewall -> LogForwardingProfile; Region [style=filled fillcolor=lemonchiffon URL="../module-objects.html#panos.objects.Region" target="_top"]; Firewall -> Region; ScheduleObject [style=filled fillcolor=lemonchiffon URL="../module-objects.html#panos.objects.ScheduleObject" target="_top"]; Firewall -> ScheduleObject; SecurityProfileGroup [style=filled fillcolor=lemonchiffon URL="../module-objects.html#panos.objects.SecurityProfileGroup" target="_top"]; Firewall -> SecurityProfileGroup; ServiceGroup [style=filled fillcolor=lemonchiffon URL="../module-objects.html#panos.objects.ServiceGroup" target="_top"]; Firewall -> ServiceGroup; ServiceObject [style=filled fillcolor=lemonchiffon URL="../module-objects.html#panos.objects.ServiceObject" target="_top"]; Firewall -> ServiceObject; Tag [style=filled fillcolor=lemonchiffon URL="../module-objects.html#panos.objects.Tag" target="_top"]; Firewall -> Tag; Rulebase [style=filled fillcolor=lightsalmon URL="../module-policies.html#panos.policies.Rulebase" target="_top"]; Firewall -> Rulebase; }

Class Reference

Palo Alto Networks Firewall object

class panos.firewall.Firewall(hostname=None, api_username=None, api_password=None, api_key=None, serial=None, port=443, vsys=None, is_virtual=None, multi_vsys=None, *args, **kwargs)[source]

A Palo Alto Networks Firewall

This object can represent a firewall physical chassis, virtual firewall, or individual vsys.

  • hostname – Hostname or IP of device for API connections
  • api_username – Username of administrator to access API
  • api_password – Password of administrator to access API
  • api_key – The API Key for connecting to the device’s API
  • serial – The serial number of this firewall
  • port – Port of device for API connections
  • vsys – The vsys of this firewall (eg. “vsys1”, “vsys2”, etc.)
  • is_virtual (bool) – Physical or Virtual firewall
  • timeout – The timeout for asynchronous jobs
  • interval – The interval to check asynchronous jobs

Apply this object to the device, replacing any existing object of the same name

Modifies the live device


Create this object on the device

Modifies the live device

This method is nondestructive. If the object exists, the variables are added to the device without changing existing variables on the device. If a variables already exists on the device and this object has a different value, the value on the firewall is changed to the value in this object.


Create the vsys on the live device that this Firewall object represents


Delete this object from the firewall

Modifies the live device


Delete the vsys on the live device that this Firewall object represents


Construct an ElementTree for this PanObject and all its children

  • with_children (bool) – Include children in element.
  • comparable (bool) – Element will be used in a comparison with another.

An ElementTree instance representing the

xml form of this object and its children

Return type:


op(cmd=None, vsys=None, xml=False, cmd_xml=True, extra_qs=None, retry_on_peer=False, quote='"')[source]

Perform operational command on this Firewall

Operational commands are most any command that is not a debug or config command. These include many ‘show’ commands such as show system info.

When passing the cmd as a command string (not XML) you must include any non-keyword strings in the command inside double quotes ("). Here’s some examples:

# The string "facebook-base" must be in quotes because it is not a keyword
fw.op('clear session all filter application "facebook-base"')

# The string "ethernet1/1" must be in quotes because it is not a keyword
fw.op('show interface "ethernet1/1"')

# Using an alternative quote character to get DHCP info on ethernet1/1
fw.op('show dhcp client state `ethernet1/1`', quote='`')
  • cmd (str) – The operational command to execute
  • vsys (str) – Vsys id. Defaults to the vsys of the firewall or the Vsys object in the parent tree.
  • xml (bool) – Return value should be a string (Default: False)
  • cmd_xml (bool) – True: cmd is not XML, False: cmd is XML (Default: True)
  • extra_qs – Extra parameters for API call
  • retry_on_peer (bool) – Try on active Firewall first, then try on passive Firewall
  • quote (str) – The quote character when the supplied cmd is a string and cmd_xml=True

The result of the operational command. May also return a string of XML if xml=True

Return type:


organize_into_vsys(create_vsys_objects=True, refresh_vsys=True)[source]

Organizes all imported objects under the appropriate Vsys object.

  • create_vsys_objects (bool) – Create the vsys objects (True) or use the ones already connected to this firewall (False).
  • refresh_vsys (bool) – Refresh all vsys objects’ parameters before doing the reorganization or not. This is assumed True if create_vsys_objects is True.
refreshall_from_xml(xml, refresh_children=False, variables=None)[source]

Factory method to instantiate class from firewall config.

This method is a factory for the class. It takes an xml config from a firewall and generates instances of this class for each item this class represents in the xml config. For example, if the class is AddressObject and there are 5 address objects on the firewall, then this method will generate 5 instances of the class AddressObject.

  • xml (xml.etree.ElementTree) – A section of XML configuration from a firewall or Panorama. It should not contain the response or result tags.
  • refresh_children (bool) – Refresh children objects or not.
  • variables (iterable) – A list or tuple of the variables to parse from the XML. Note that this is only used when invoked against classes not derived from VersionedPanObject.

created instances of class

Return type:


shared = None

Set to True to act on the shared part of this firewall

state = None

Panorama state variables refreshed by Panorama


Return the vsys for this object

Traverses the tree to determine the vsys from a panos.firewall.Firewall or panos.device.Vsys instance somewhere before this node in the tree.

Returns:The vsys id (eg. vsys2)
Return type:str
class panos.firewall.FirewallCommit(description=None, admins=None, exclude_device_and_network=False, exclude_shared_objects=False, exclude_policy_and_objects=False, force=False)[source]

Normalization of a firewall commit.

Instances of this class can be passed in to Firewall.commit() (inherited from panos.base.PanDevice.commit()) as the cmd parameter.

  • description (str) – The commit message.
  • admins (list) – (PAN-OS 8.0+) List of admins whose changes are to be committed.
  • exclude_device_and_network (bool) – Set to True to exclude device and network changes.
  • exclude_shared_objects (bool) – Set to True to exclude shared objects changes.
  • exclude_policy_and_objects (bool) – Set to True to exclude policy and objects changes.
  • force (bool) – Set to True to force a commit even if one is not needed.

Returns an xml representation of the commit requested.