Module: network

Inheritance diagram

Configuration tree diagram

Class Reference

Network module contains objects that exist in the ‘Network’ tab in the firewall GUI

class panos.network.AbstractSubinterface(name, tag, parent=None)

When a subinterface is needed, but the layer is unknown

Kindof like a placeholder or reference for a Layer2Subinterface or Layer3Subinterface. This class gets a parent which is the ethernet or aggregate interface, but it should not be added to the parent interface with add().

Parameters:

• name (str) – Name of the interface (eg. ethernet1/1.5)
• tag (int) – Tag for the interface, aka vlan id
• parent (Interface) – The base interface for this subinterface

delete()

Deletes both Layer3 and Layer2 subinterfaces by name

This is necessary because an AbstractSubinterface’s mode is unknown.

get_layered_subinterface(mode, add=True)

Instantiate a regular subinterface type from this AbstractSubinterface

Converts an abstract subinterface to a real subinterface by offering it a mode.

Parameters:

• mode (str) – Mode of the subinterface (‘layer3’ or ‘layer2’)
• add (bool) – Add the newly instantiated subinterface to the base interface object

Returns:

A panos.network.Layer3Subinterface or panos.network.Layer2Subinterface instance, depending on the mode argument

Return type:

Subinterface

nearest_pandevice()

The PanDevice parent for this instance

Returns:Parent PanDevice instance (Firewall or Panorama) Return type:PanDevice

set_name()

Create a name appropriate for a subinterface if it isn’t already created

Example

If self.name is ‘ethernet1/1’ and self.tag is 5, this method will change the name to ‘ethernet1/1.5’.

set_virtual_router(virtual_router_name, refresh=False, update=False, running_config=False)

Set the virtual router for this interface

Creates a reference to this interface in the specified virtual router and removes references to this interface from all other virtual routers. The virtual router will be created if it doesn’t exist.

Parameters:

• virtual_router_name (str) – The name of the VirtualRouter or a panos.network.VirtualRouter instance
• refresh (bool) – Refresh the relevant current state of the device before taking action (Default: False)
• update (bool) – Apply the changes to the device (Default: False)
• running_config – If refresh is True, refresh from the running configuration (Default: False)

Returns:

The zone for this interface after the operation completes

Return type:

Zone

class panos.network.AggregateInterface(*args, **kwargs)

Aggregate interface (eg. ‘ae1’)

Parameters:

• name (str) – Name of interface (eg. ‘ae1’)
• mode (str) –

  Mode of the interface:

  • layer3
  • layer2
  • virtual-wire
  • ha

  Not all modes apply to all interface types (Default: layer3)

• ip (tuple) – Layer3: Interface IPv4 addresses
• ipv6_enabled (bool) – Layer3: IPv6 Enabled (requires IPv6Address child object)
• management_profile (ManagementProfile) – Layer3: Interface Management Profile
• mtu (int) – Layer3: MTU for interface
• adjust_tcp_mss (bool) – Layer3: Adjust TCP MSS
• netflow_profile (str) – Netflow profile
• lldp_enabled (bool) – Enable LLDP
• lldp_profile (str) – Reference to an lldp profile
• comment (str) – The interface’s comment
• ipv4_mss_adjust (int) – Layer3: TCP MSS adjustment for ipv4
• ipv6_mss_adjust (int) – Layer3: TCP MSS adjustment for ipv6
• enable_dhcp (bool) – Enable DHCP on this interface
• create_dhcp_default_route (bool) – Layer3: Create default route pointing to default gateway provided by server
• dhcp_default_route_metric (int) – Layer3: Metric for the DHCP default route
• lacp_enable (bool) – Enables LACP
• lacp_passive_pre_negotiation (bool) – Enable LACP passive pre-negotiation, off by default
• lacp_mode (str) – Set LACP mode to ‘active’ or ‘passive’
• lacp_rate (str) – Set LACP transmission-rate to ‘fast’ or ‘slow’
• lacp_fast_failover (bool) – Enable fast failover for LACP

class panos.network.Arp(*args, **kwargs)

Static ARP Mapping

Can be added to various interfaces.

Parameters:

• ip (str) – The IP address
• hw_address (str) – The MAC address for the static ARP
• interface (str) – The interface (when attached to VlanInterface only)

class panos.network.Bgp(*args, **kwargs)

BGP Process

Parameters:

• enable (bool) – Enable BGP (Default: True)
• router_id (str) – Router ID in IP format (eg. 1.1.1.1)
• reject_default_route (bool) – Reject default route
• allow_redist_default_route (bool) – Allow redistribution in default route
• install_route (bool) – Populate BGP learned route to global route table
• ecmp_multi_as (bool) – Support multiple AS in ECMP
• enforce_first_as (bool) – Enforce First AS for EBGP
• local_as (int) – local AS number
• global_bfd_profile (str) – BFD Profile

class panos.network.BgpAuthProfile(*args, **kwargs)

BGP Authentication Profile

Parameters:

• name (str) – Name of Auth Profile
• secret (str) – shared secret for the TCP MD5 authentication.

class panos.network.BgpDampeningProfile(*args, **kwargs)

BGP Dampening Profile

Parameters:

• name (str) – Name of Dampening Profile
• enable (bool) – Enable profile (Default: True)
• cutoff (float) – Cutoff threshold value
• reuse (float) – Reuse threshold value
• max_hold_time (int) – Maximum of hold-down time (in seconds)
• decay_half_life_reachable (int) – Decay half-life while reachable (in seconds)
• decay_half_life_unreachable (int) – Decay half-life while unreachable (in seconds)

class panos.network.BgpOutboundRouteFilter(*args, **kwargs)

BGP Outbound Route Filtering

NOTE: This functionality is not enabled yet in PanOS

Parameters:

• enable (bool) – enable prefix-based outbound route filtering.
• max_received_entries (int) – maximum of ORF prefixes to receive.
• cisco_prefix_mode (bool) – ORF vendor-compatible mode

class panos.network.BgpPeer(*args, **kwargs)

BGP Peer

Parameters:

• name (str) – Name of BGP Peer
• enable (bool) – Enable Peer (Default: True)
• peer_as (str) – peer AS number
• enable_mp_bgp (bool) – enable MP-BGP extentions
• address_family_identifier (str) – peer address family type * ipv4 * ipv6
• subsequent_address_unicast (bool) – select SAFI for this peer
• subsequent_address_multicast (bool) – select SAFI for this peer
• local_interface (str) – interface to accept BGP session
• local_interface_ip (str) – specify exact IP address if interface has multiple addresses
• peer_address_ip (str) – IP address of peer
• connection_authentication (str) – BGP auth profile name
• connection_keep_alive_interval (int) – keep-alive interval (in seconds)
• connection_min_route_adv_interval (int) – Minimum Route Advertisement Interval (in seconds)
• connection_multihop (int) – IP TTL value used for sending BGP packet. set to 0 means eBGP use 2, iBGP use 255
• connection_open_delay_time (int) – open delay time (in seconds)
• connection_hold_time (int) – hold time (in seconds)
• connection_idle_hold_time (int) – idle hold time (in seconds)
• connection_incoming_allow (bool) – allow incoming connections
• connection_outgoing_allow (bool) – allow outgoing connections
• connection_incoming_remote_port (int) – restrict remote port for incoming BGP connections
• connection_outgoing_local_port (int) – use specific local port for outgoing BGP connections
• enable_sender_side_loop_detection (bool) –
• reflector_client (str) –
  • non-client
  • client
  • meshed-client
• peering_type (str) –
  • unspecified
  • bilateral
• max_prefixes (int) – maximum of prefixes to receive from peer
• bfd_profile (str) – BFD configuration * Inherit-vr-global-setting * None * Pre-existing BFD profile name * None

class panos.network.BgpPeerGroup(*args, **kwargs)

BGP Peer Group

Parameters:

• name (str) – Name of BGP Peer Group
• enable (bool) – Enable Peer Group (Default: True)
• aggregated_confed_as_path (bool) – the peers understand aggregated confederation AS path
• soft_reset_with_stored_info (bool) – soft reset with stored info
• type (str) – peer group type I(‘ebgp’)/I(‘ibgp’)/I(‘ebgp-confed’)/I(‘ibgp-confed’)
• export_nexthop (str) – export locally resolved nexthop I(‘resolve’)/I(‘use-self’)
• import_nexthop (str) – override nexthop with peer address I(‘original’)/I(‘use-peer’), only with ‘ebgp’
• remove_private_as (bool) – remove private AS when exporting route, only with ‘ebgp’

class panos.network.BgpPolicyAddressPrefix(*args, **kwargs)

BGP Policy Address Prefix with Exact

Parameters:

• name (str) – address prefix
• exact (str) – match exact prefix length

class panos.network.BgpPolicyAdvertiseFilter(*args, **kwargs)

BGP Policy Advertise Filter

Parameters:

• name (str) – Name of filter
• enable (bool) – Enable rule.
• match_afi (str) – Address Family Identifier * ip * ipv6
• match_safi (str) – Subsequent Address Family Identifier * ip * ipv6
• match_route_table (str) – Route table to match rule * unicast * multicast * both
• match_nexthop (list) – Next-hop attributes
• match_from_peer (list) – Filter by peer that sent this route
• match_med (int) – Multi-Exit Discriminator
• match_as_path_regex (str) – AS-path regular expression
• match_community_regex (str) – Community AS-path regular expression
• match_extended_community_regex (str) – Extended Community AS-path regular expression

class panos.network.BgpPolicyAggregationAddress(*args, **kwargs)

BGP Policy Aggregation Address

Parameters:

• name (str) – Sddress prefix
• enable (bool) – Enable aggregation for this prefix
• prefix (str) – Aggregating address prefix
• summary (bool) – Summarize route
• as_set (bool) – Generate AS-set attribute
• attr_local_preference (int) – New local preference value
• attr_med (int) – New MED value
• attr_weight (int) – New weight value
• attr_nexthop (str) – Nexthop address
• attr_origin (str) – New route origin * igp * egp * incomplete
• attr_as_path_limit (int) – Add AS path limit attribute if it does not exist
• attr_as_path_type (str) – AS path update options * none (string, not to be confused with the Python type None) * remove * prepend * remove-and-prepend
• attr_as_path_prepend_times (int) – Prepend local AS for specified number of times * only valid when attr_as_path_type is ‘prepend’ or ‘remove-and-prepend’
• attr_community_type (str) – Community update options * none (string, not to be confused with the Python type None) * remove-all * remove-regex * append * overwrite
• attr_community_argument (str) – Argument to the attr community value if needed * None * local-as * no-advertise * no-export * nopeer * regex * 32-bit value * AS:VAL
• attr_extended_community_type (str) – Extended community update options * none (string, not to be confused with the Python type None) * remove-all * remove-regex * append * overwrite
• attr_extended_community_argument (str) – Argument to the attr extended community value if needed

class panos.network.BgpPolicyConditionalAdvertisement(*args, **kwargs)

BGP Conditional Advertisement Policy

Parameters:

• name (str) – Name of Conditional Advertisement Policy
• enable (bool) – enable prefix-based outbound route filtering.
• used_by (list) – peer-groups that use this rule.

class panos.network.BgpPolicyExportRule(*args, **kwargs)

BGP Policy Export Rule

Parameters:

• name (str) – The name
• enable (bool) – Enable rule.
• match_afi (str) – Address Family Identifier * ip * ipv6
• match_safi (str) – Subsequent Address Family Identifier * ip * ipv6
• match_route_table (str) – Route table to match rule * unicast * multicast * both
• match_nexthop (list) – Next-hop attributes
• match_from_peer (list) – Filter by peer that sent this route
• match_med (int) – Multi-Exit Discriminator
• match_as_path_regex (str) – AS-path regular expression
• match_community_regex (str) – AS-path regular expression
• match_extended_community_regex (str) – AS-path regular expression
• used_by (list) – Peer-groups that use this rule.
• action (str) – The action
• action_local_preference (int) – New local preference value
• action_med (int) – New MED value
• action_nexthop (str) – Nexthop address
• action_origin (str) – New route origin * igp * egp * incomplete
• action_as_path_limit (int) – Add AS path limit attribute if it does not exist
• action_as_path_type (str) – AS path update options * none (string, not to be confused with the Python type None) * remove * prepend * remove-and-prepend
• action_as_path_prepend_times (int) – Prepend local AS for specified number of times * only valid when action_as_path_type is ‘prepend’ or ‘remove-and-prepend’
• action_community_type (str) – Community update options * none (string, not to be confused with the Python type None) * remove-all * remove-regex * append * overwrite
• action_community_argument (str) – Argument to the action community value if needed * None * local-as * no-advertise * no-export * nopeer * regex * 32-bit value * AS:VAL
• action_extended_community_type (str) – Extended community update options * none (string, not to be confused with the Python type None) * remove-all * remove-regex * append * overwrite
• action_extended_community_argument (str) – Argument to the action extended community value if needed

class panos.network.BgpPolicyFilter(*args, **kwargs)

Base class for BGP Policy Match Filters

Do not instantiate this class, use one of:

• BgpPolicyImportRule
• BgpPolicyExportRule

Parameters:

• name (str) – Name of filter
• enable (bool) – Enable rule.
• match_afi (str) – Address Family Identifier * ip * ipv6
• match_safi (str) – Subsequent Address Family Identifier * ip * ipv6
• match_route_table (str) – Route table to match rule * unicast * multicast * both
• match_nexthop (list) – Next-hop attributes
• match_from_peer (list) – Filter by peer that sent this route
• match_med (int) – Multi-Exit Discriminator
• match_as_path_regex (str) – AS-path regular expression
• match_community_regex (str) – Community AS-path regular expression
• match_extended_community_regex (str) – Extended Community AS-path regular expression

class panos.network.BgpPolicyImportRule(*args, **kwargs)

BGP Policy Import Rule

Parameters:

• name (str) – The name
• enable (bool) – Enable rule.
• match_afi (str) – Address Family Identifier * ip * ipv6
• match_safi (str) – Subsequent Address Family Identifier * ip * ipv6
• match_route_table (str) – Route table to match rule * unicast * multicast * both
• match_nexthop (list) – Next-hop attributes
• match_from_peer (list) – Filter by peer that sent this route
• match_med (int) – Multi-Exit Discriminator
• match_as_path_regex (str) – AS-path regular expression
• match_community_regex (str) – AS-path regular expression
• match_extended_community_regex (str) – AS-path regular expression
• used_by (list) – Peer-groups that use this rule.
• action (str) – The action
• action_local_preference (int) – New local preference value
• action_med (int) – New MED value
• action_nexthop (str) – Nexthop address
• action_origin (str) – New route origin * igp * egp * incomplete
• action_as_path_limit (int) – Add AS path limit attribute if it does not exist
• action_as_path_type (str) – AS path update options * none (string, not to be confused with the Python type None) * remove * prepend * remove-and-prepend
• action_as_path_prepend_times (int) – Prepend local AS for specified number of times * only valid when action_as_path_type is ‘prepend’ or ‘remove-and-prepend’
• action_community_type (str) – Community update options * none (string, not to be confused with the Python type None) * remove-all * remove-regex * append * overwrite
• action_community_argument (str) – Argument to the action community value if needed * None * local-as * no-advertise * no-export * nopeer * regex * 32-bit value * AS:VAL
• action_extended_community_type (str) – Extended community update options * none (string, not to be confused with the Python type None) * remove-all * remove-regex * append * overwrite
• action_extended_community_argument (str) – Argument to the action extended community value if needed
• action_dampening (str) – Route flap dampening profile
• action_weight (int) – New weight value

class panos.network.BgpPolicyNonExistFilter(*args, **kwargs)

BGP Policy Non-Exist Filter

Parameters:

• name (str) – Name of filter
• enable (bool) – Enable rule.
• match_afi (str) – Address Family Identifier * ip * ipv6
• match_safi (str) – Subsequent Address Family Identifier * ip * ipv6
• match_route_table (str) – Route table to match rule * unicast * multicast * both
• match_nexthop (list) – Next-hop attributes
• match_from_peer (list) – Filter by peer that sent this route
• match_med (int) – Multi-Exit Discriminator
• match_as_path_regex (str) – AS-path regular expression
• match_community_regex (str) – Community AS-path regular expression
• match_extended_community_regex (str) – Extended Community AS-path regular expression

class panos.network.BgpPolicyRule(*args, **kwargs)

Base class for BGP Policy Import/Export Rules

Do not instantiate this class, use one of:

• BgpPolicyImportRule
• BgpPolicyExportRule

Parameters:

• name (str) – The name
• enable (bool) – Enable rule.
• match_afi (str) – Address Family Identifier * ip * ipv6
• match_safi (str) – Subsequent Address Family Identifier * ip * ipv6
• match_route_table (str) – Route table to match rule * unicast * multicast * both
• match_nexthop (list) – Next-hop attributes
• match_from_peer (list) – Filter by peer that sent this route
• match_med (int) – Multi-Exit Discriminator
• match_as_path_regex (str) – AS-path regular expression
• match_community_regex (str) – AS-path regular expression
• match_extended_community_regex (str) – AS-path regular expression
• used_by (list) – Peer-groups that use this rule.
• action (str) – The action
• action_local_preference (int) – New local preference value
• action_med (int) – New MED value
• action_nexthop (str) – Nexthop address
• action_origin (str) – New route origin * igp * egp * incomplete
• action_as_path_limit (int) – Add AS path limit attribute if it does not exist
• action_as_path_type (str) – AS path update options * none (string, not to be confused with the Python type None) * remove * prepend * remove-and-prepend
• action_as_path_prepend_times (int) – Prepend local AS for specified number of times * only valid when action_as_path_type is ‘prepend’ or ‘remove-and-prepend’
• action_community (str) – Community update options * none (string, not to be confused with the Python type None) * remove-all * remove-regex * append * overwrite
• action_community_argument (str) – Argument to the action community value if needed * None * local-as * no-advertise * no-export * nopeer * regex * 32-bit value * AS:VAL
• action_extended_community_type (str) – Extended community update options * none (string, not to be confused with the Python type None) * remove-all * remove-regex * append * overwrite
• action_extended_community_argument (str) – Argument to the action extended community value if needed

class panos.network.BgpPolicySuppressFilter(*args, **kwargs)

BGP Policy Suppress Filter

Parameters:

• name (str) – Name of filter
• enable (bool) – Enable rule.
• match_afi (str) – Address Family Identifier * ip * ipv6
• match_safi (str) – Subsequent Address Family Identifier * ip * ipv6
• match_route_table (str) – Route table to match rule * unicast * multicast * both
• match_nexthop (list) – Next-hop attributes
• match_from_peer (list) – Filter by peer that sent this route
• match_med (int) – Multi-Exit Discriminator
• match_as_path_regex (str) – AS-path regular expression
• match_community_regex (str) – Community AS-path regular expression
• match_extended_community_regex (str) – Extended Community AS-path regular expression

class panos.network.BgpRedistributionRule(*args, **kwargs)

BGP Policy Address Prefix with Exact

Parameters:

• name (str) – Redistribution profile name
• enable (bool) – Enable redistribution rule.
• address_family_identifier (str) – Select redistribution profile type * ipv4 * ipv6
• route_table (str) – Select destination SAFI for redistribution * unicast * multicast * both
• set_origin (str) – Add the ORIGIN path attribute * igp * egp * incomplete
• set_med (int) – Add the MULTI_EXIT_DISC path attribute
• set_local_preference (int) – Add the LOCAL_PREF path attribute
• set_as_path_limit (int) – Add the AS_PATHLIMIT path attribute
• set_community (list) – Add the COMMUNITY path attribute
• set_extended_community (list) – Add the EXTENDED COMMUNITY path attribute
• metric (int) – Metric value

class panos.network.BgpRoutingOptions(*args, **kwargs)

BGP Routing Options

Parameters:

• as_format (str) – AS format (‘2-byte’/’4-byte’)
• always_compare_med (bool) – always compare MEDs
• deterministic_med_comparison (bool) – deterministic MEDs comparison
• default_local_preference (int) – default local preference
• graceful_restart_enable (bool) – enable graceful restart
• gr_stale_route_time (int) – time to remove stale routes after peer restart (in seconds)
• gr_local_restart_time (int) – local restart time to advertise to peer (in seconds)
• gr_max_peer_restart_time (int) – maximum of peer restart time accepted (in seconds)
• reflector_cluster_id (str) – route reflector cluster ID
• confederation_member_as (str) – 32-bit value in decimal or dot decimal AS.AS format
• aggregate_med (bool) – aggregate route only if they have same MED attributes

class panos.network.Dhcp(*args, **kwargs)

DHCP config.

Parameters:name (str) – Interface name.

class panos.network.DhcpRelay(*args, **kwargs)

DHCP relay config.

Parameters:

• name (str) – The (interface) name
• enabled (bool) – Enabled.
• servers (list) – Relay server IP addresses.
• ipv6_enabled (bool) – Enable DHCPv6 relay.

class panos.network.DhcpRelayIpv6Address(*args, **kwargs)

DHCP relay IPv6 address.

Parameters:

• name (str) – DHCP server IPv6 address.
• interface (str) – Outgoing interface when using an IPv6 multicast address for the DHCPv6 server.

class panos.network.EthernetInterface(*args, **kwargs)

Ethernet interface (eg. ‘ethernet1/1’)

Parameters:

• name (str) – Name of interface (eg. ‘ethernet1/1’)
• mode (str) –

  Mode of the interface:

  • layer3
  • layer2
  • virtual-wire
  • tap
  • ha
  • decrypt-mirror
  • aggregate-group

  Not all modes apply to all interface types (Default: layer3)

• ip (tuple) – Layer3: Interface IPv4 addresses
• ipv6_enabled (bool) – Layer3: IPv6 Enabled (requires IPv6Address child object)
• management_profile (ManagementProfile) – Layer3: Interface Management Profile
• mtu (int) – Layer3: MTU for interface
• adjust_tcp_mss (bool) – Layer3: Adjust TCP MSS
• netflow_profile (str) – Netflow profile
• lldp_enabled (bool) – Layer2: Enable LLDP
• lldp_profile (str) – Layer2: Reference to an lldp profile
• netflow_profile_l2 (str) – Netflow profile
• link_speed (str) – Link speed: eg. auto, 10, 100, 1000
• link_duplex (str) – Link duplex: eg. auto, full, half
• link_state (str) – Link state: eg. auto, up, down
• aggregate_group (str) – Aggregate interface (eg. ae1)
• comment (str) – The interface’s comment
• ipv4_mss_adjust (int) – (PAN-OS 7.1+) TCP MSS adjustment for ipv4
• ipv6_mss_adjust (int) – (PAN-OS 7.1+) TCP MSS adjustment for ipv6
• enable_dhcp (bool) – Enable DHCP on this interface
• create_dhcp_default_route (bool) – Create default route pointing to default gateway provided by server
• dhcp_default_route_metric (int) – Metric for the DHCP default route
• enable_untagged_subinterface (bool) – (PAN-OS 7.1+) Enable untagged subinterface
• decrypt_forward (bool) – (PAN-OS 8.1+) Decrypt forward.
• rx_policing_rate (int) – (PAN-OS 8.1+) Receive policing rate
• tx_policing_rate (int) – (PAN-OS 8.1+) Transmit policing rate
• dhcp_send_hostname_enable (bool) – Enable send firewall or custom hostname to DHCP server
• dhcp_send_hostname_value (string) – Set interface hostname

class panos.network.GreTunnel(*args, **kwargs)

GRE Tunnel configuration.

Note: This is valid for PAN-OS 9.0+

Parameters:

• name – GRE tunnel name.
• interface – Interface to terminate tunnel.
• local_address_type – Type of local address. Can be “ip” (default) or “floating-ip”.
• local_address_value – IP address value.
• peer_address – Peer IP address.
• tunnel_interface – To apply GRE tunnels to tunnel interface.
• ttl (int) – TTL.
• copy_tos (bool) – Copy IP TOS bits from inner packet to GRE packet.
• enable_keep_alive (bool) – Enable tunnel monitoring.
• keep_alive_interval (int) – Interval.
• keep_alive_retry (int) – Retry.
• keep_alive_hold_timer (int) – Hold timer.
• disabled (bool) – Disable the GRE tunnel.

class panos.network.IPv6Address(*args, **kwargs)

IPv6 Address

Can be added to any panos.network.Interface subclass that supports IPv6.

Parameters:

• address (str) – The IPv6 address
• enable_on_interface (bool) – Enabled IPv6 on the interface this object was added to
• prefix (bool) – Use interface ID as host portion
• anycast (bool) – Enable anycast
• advertise_enabled (bool) – Enabled router advertisements
• valid_lifetime (int) – Valid lifetime
• preferred_lifetime (int) – Preferred lifetime
• onlink_flag (bool) –
• auto_config_flag (bool) –

class panos.network.IkeCryptoProfile(*args, **kwargs)

IKE SA proposal.

Parameters:

• name – IKE crypto profile name
• dh_group (string/list) – phase-1 DH group: group1, group2, group5, group14, group19 (7.0+), or group20 (7.0+).
• authentication (string/list) – hashing algorithm: md5, sha1, sha256, sha384, or sha512.
• encryption (string/list) – encryption algorithm: des (7.1+), 3des, aes128 / aes-128-cbc, aes192 / aes-192-cbc, or aes256 / aes-256-cbc. If you need to be able to work with older than 7.0 firewalls, then use set_encryption().
• lifetime_seconds (int) – IKE SA lifetime in seconds
• lifetime_minutes (int) – IKE SA lifetime in minutes
• lifetime_hours (int) – IKE SA lifetime in hours
• lifetime_days (int) – IKE SA lifetime in days
• authentication_multiple (int) – (7.0+) IKEv2 SA reauthentication interval equals authentication_multiple * lifetime; 0 means reauthentication is disabled.

set_encryption(value)

Version agnostic set for encryption.

This object should be connected to a panos.Firewall before invocation.

Valid values include the following:

• des (7.1+)
• 3des
• aes128
• aes-128-cbc
• aes192
• aes-192-cbc
• aes256
• aes-256-cbc

Raises:

• PanDeviceNotSet – if there is no Firewall in the object tree
• ValueError – if value is not one of the above, or you attempt to configure 3des with this object connected to a PANOS 7.0 or earlier firewall.

class panos.network.IkeGateway(*args, **kwargs)

IKE Gateway.

Parameters:

• name – IKE gateway name
• version – (7.0+) ikev1, ikev2, or ikev2-prefered (default: ikev1)
• enable_ipv6 (bool) – (7.0+) enable IPv6
• disabled (bool) – (7.0+) disable this object
• peer_ip_type – ip, dynamic, or fqdn (8.1+) (default: ip)
• peer_ip_value – the IP for peer_ip_type of ‘ip’ or ‘fqdn’
• interface – local gateway end-point
• local_ip_address_type – ip or floating-ip
• local_ip_address – IP address if interface has multiple addresses
• auth_type – pre-shared-key or certificate (default: pre-shared-key)
• pre_shared_key – The string used as pre-shared key
• local_id_type – ipaddr, fqdn, ufqdn, keyid, or dn
• local_id_value – The value for local_id_type
• peer_id_type – ipaddr, fqdn, ufqdn, keyid, or dn
• peer_id_value – The value for peer_id_type
• peer_id_check – exact or wildcard (default: exact)
• local_cert – Local certificate name
• cert_enable_hash_and_url (bool) – (7.0+) Use hash-and-url for local certificate.
• cert_base_url – (7.0+) The host and directory part of URL for local certificates (http only).
• cert_use_management_as_source (bool) – (7.0+) Use management interface IP as source to retrieve http certificates
• cert_permit_payload_mismatch (bool) – Permit peer identification and certificate payload identification mismatch.
• cert_profile – Local certificate name
• cert_enable_strict_validation (bool) – Enable strict validation of peer’s extended key use
• enable_passive_mode (bool) – Enable passive mode (responder only)
• enable_nat_traversal (bool) – Enable NAT traversal
• nat_traversal_keep_alive (int) – sending interval for NAT keep-alive packets (in seconds)
• nat_traversal_enable_udp_checksum (bool) – enable UDP checksum
• enable_fragmentation (bool) – Enable IKE fragmentation
• ikev1_exchange_mode – auto, main, or aggressive
• ikev1_crypto_profile – IKE SA crypto oprofile name
• enable_dead_peer_detection (bool) – enable Dead-Peer-Detection
• dead_peer_detection_interval (int) – sending interval for probing packets (in seconds)
• dead_peer_detection_retry (int) – number of retries before disconnection
• ikev1_send_commit_bit (bool) – Send commit bit
• ikev1_initial_contact (bool) – send initial contact
• ikev2_crypto_profile – (7.0+) IKE SE crypto profile name
• ikev2_cookie_validation (bool) – (7.0+) require cookie
• ikev2_send_peer_id (bool) – (7.0+) send peer ID
• enable_liveness_check (bool) – (7.0+) enable sending empty information liveness check message
• liveness_check_interval (int) – (7.0+) delay interval before sending probing packets (in seconds)

class panos.network.Interface(*args, **kwargs)

Base class for all interfaces

Do not instantiate this object. Use a subclass. Methods in this class are available to all interface subclasses.

Parameters:

• name (str) – Name of the interface
• state (str) – Link state, ‘up’ or ‘down’

full_delete(refresh=False, delete_referencing_objects=False, include_vsys=False)

Delete the interface and all references to the interface

Often when deleting an interface there is an API error because there are still references to the interface from zones, virtual-router, vsys, etc. This method deletes all references to the interface before deleting the interface itself.

Parameters:

• refresh (bool) – Refresh the current state of the device before taking action
• delete_referencing_objects (bool) – Delete the entire object that references this interface

get_counters()

Pull the counters for an interface

Returns:

counter name as key, counter as value, None if interface is

not configured

Return type:dict

refresh_state()

Pull the state of the interface from the firewall

The attribute ‘state’ is populated with the current state from the firewall.

Returns:The current state from the firewall Return type:str

set_virtual_router(virtual_router_name, refresh=False, update=False, running_config=False, return_type='object')

Set the virtual router for this interface

Creates a reference to this interface in the specified virtual router and removes references to this interface from all other virtual routers. The virtual router will be created if it doesn’t exist.

Parameters:

• virtual_router_name (str) – The name of the VirtualRouter or a panos.network.VirtualRouter instance
• refresh (bool) – Refresh the relevant current state of the device before taking action (Default: False)
• update (bool) – Apply the changes to the device (Default: False)
• running_config – If refresh is True, refresh from the running configuration (Default: False)
• return_type (str) – Specify what this function returns, can be either ‘object’ (the default) or ‘bool’. If this is ‘object’, then the return value is the VirtualRouter in question. If this is ‘bool’, then the return value is a boolean that tells you about if the live device needs updates (update=False) or was updated (update=True).

Returns:

The zone for this interface after the operation completes

Return type:

Zone

set_vlan(vlan_name, refresh=False, update=False, running_config=False, return_type='object')

Set the vlan for this interface

Creates a reference to this interface in the specified vlan and removes references to this interface from all other interfaces. The vlan will be created if it doesn’t exist.

Parameters:

• vlan_name (str) – The name of the vlan or a panos.network.Vlan instance
• refresh (bool) – Refresh the relevant current state of the device before taking action (Default: False)
• update (bool) – Apply the changes to the device (Default: False)
• running_config – If refresh is True, refresh from the running configuration (Default: False)
• return_type (str) – Specify what this function returns, can be either ‘object’ (the default) or ‘bool’. If this is ‘object’, then the return value is the Vlan in question. If this is ‘bool’, then the return value is a boolean that tells you about if the live device needs updates (update=False) or was updated (update=True).

Raises:

AttributeError – if this class is not allowed to use this function.

Returns:

The VLAN for this interface after the operation completes

Return type:

Vlan

set_zone(zone_name, mode=None, refresh=False, update=False, running_config=False, return_type='object')

Set the zone for this interface

Creates a reference to this interface in the specified zone and removes references to this interface from all other zones. The zone will be created if it doesn’t exist.

Parameters:

• zone_name (str) – The name of the Zone or a panos.network.Zone instance
• mode (str) – The mode of the zone. See panos.network.Zone for possible values
• refresh (bool) – Refresh the relevant current state of the device before taking action (Default: False)
• update (bool) – Apply the changes to the device (Default: False)
• running_config – If refresh is True, refresh from the running configuration (Default: False)
• return_type (str) – Specify what this function returns, can be either ‘object’ (the default) or ‘bool’. If this is ‘object’, then the return value is the Zone in question. If this is ‘bool’, then the return value is a boolean that tells you about if the live device needs updates (update=False) or was updated (update=True).

Returns:

The zone for this interface after the operation completes

Return type:

Zone

up()

Link state of interface

Returns:

True if state is ‘up’, False if state is ‘down’,

’unconfigured’ or other

Return type:bool

class panos.network.IpsecCryptoProfile(*args, **kwargs)

IPSec SA proposals.

Parameters:

• name – IPSec crypto profile name
• esp_encryption (string/list) – des, 3des, null, aes128 / aes-128-cbc, aes192 / aes-192-cbc, aes256 / aes-256-cbc, aes-128-gcm (7.0+), or aes-256-gcm (7.0+). If you need to write a script that works older than 7.0 firewalls, then please use set_esp_encryption().
• esp_authentication (string/list) – none, md5, sha1, sha256, sha384, or sha512
• ah_authentication (string/list) – md5, sha1, sha256, sha384, or sha512
• dh_group – no-pfs, group1, group2, group5, group14, group19, or group20
• lifetime_seconds (int) – IPSec SA lifetime in seconds
• lifetime_minutes (int) – IPSec SA lifetime in minutes
• lifetime_hours (int) – IPSec SA lifetime in hours
• lifetime_days (int) – IPSec SA lifetime in days
• lifesize_kb (int) – IPSec SA lifesize in kilobytes (KB)
• lifesize_mb (int) – IPSec SA lifesize in megabytes (MB)
• lifesize_gb (int) – IPSec SA lifesize in gigabytes (GB)
• lifesize_tb (int) – IPSec SA lifesize in terabytes (TB)

set_esp_encryption(value)

Version agnostic set for esp_encryption.

This object should be connected to a panos.Firewall before invocation.

Valid values include the following:

• des
• 3des
• aes128
• aes-128-cbc
• aes192
• aes-192-cbc
• aes256
• aes-256-cbc
• aes-128-gcm (7.0+)
• aes-256-gcm (7.0+)
• null

Parameters:

value (string/list) – values to put in esp_encryption

Raises:

• PanDeviceNotSet – if there is no Firewall in the object tree
• ValueError – if value is not one of the above, or you attempt to configure aes-128-gcm or aes-256-gcm with this object connected to a PANOS 6.1 firewall.

class panos.network.IpsecTunnel(*args, **kwargs)

IPSec Tunnel

A large number of params have prefixes:

• ak: Auto Key
• mk: Manual Key
• gps: GlobalProtect Satellite

Only attach IpsecTunnelIpv4ProxyId or IpsecTunnelIpv4ProxyId objects to this one if you are using type=’auto-key’.

Parameters:

• name – IPSec tunnel name
• tunnel_interface – apply IPSec VPN tunnels to tunnel interface
• ipv6 (bool) – (7.0+) use IPv6 for the IPSec tunnel
• type – auto-key (default), manual-key, or global-protect-satellite
• ak_ike_gateway (string/list) – IKE gateway name
• ak_ipsec_crypto_profile – IPSec crypto profile name
• mk_local_spi – outbound SPI in hex
• mk_interface – interface to terminate tunnel
• mk_remote_spi – inbound SPI in hex
• mk_remote_address – tunnel peer IP address
• mk_local_address_ip – exact IP address if interface has multiple IP addresses
• mk_local_address_floating_ip – floating IP address in HA Active-Active configuration
• mk_protocol – esp or ah
• mk_auth_type – md5, sha1, sha256, sha384, or sha512
• mk_auth_key – the key for the given mk_auth_type
• mk_esp_encryption – des, 3des, aes128 / aes-128-cbc, aes192 / aes-192-cbc, aes256 / aes-256-cbc, or null. The various “aes” options changed in version 7.0 onward. If you need to make a script that is compatible with 6.1 PANOS, then use “set_mk_esp_encryption()”. Passing it either “aes128” or “aes-128-cbc” will have it set the appropriate string for the given version.
• mk_esp_encryption_key – The ESP encryption key for mk_esp_encryption type
• gps_portal_address – GlobalProtect portal address
• gps_prefer_ipv6 (bool) – (8.0+) perfer to register portal in IPv6
• gps_interface – interface to communicate with portal
• gps_interface_ipv4_ip – exact IPv4 IP address if interface has multiple IP addresses
• gps_interface_ipv6_ip – (8.0+) exact IPv6 IP address if interface has multiple IP addresses
• gps_interface_ipv4_floating_ip – (7.0+) floating IPv4 IP address in HA Active-Active configuration
• gps_interface_ipv6_floating_ip – (8.0+) floating IPv6 IP address in HA Active-Active configuration
• gps_publish_connected_routes (bool) – enable publishing of connected and static routes
• gps_publish_routes (str/list) – specify list of routes to publish to GlobalProtect gateway
• gps_local_certificate – GlobalProtect satellite certificate file name
• gps_certificate_profile – profile for authenticating GlobalProtect gateway certificates
• anti_replay (bool) – enable anti-replay check on this tunnel
• copy_tos (bool) – copy IP TOS bits from inner packet to IPSec packet (not recommended)
• copy_flow_label (bool) – (7.0+) copy IPv6 flow label for 6in6 tunnel from inner packet to IPSec packet (not recommended)
• enable_tunnel_monitor (bool) – enable tunnel monitoring on this tunnel
• tunnel_monitor_dest_ip – destination IP to send ICMP probe
• tunnel_monitor_proxy_id – (7.0+) which proxy-id (or proxy-id-v6) the monitoring traffic will use
• tunnel_monitor_profile – monitoring action
• disabled (bool) – (7.0+) disable the IPSec tunnel

set_mk_esp_encryption(value)

Version agnostic set for mk_esp_encryption.

This object should be connected to a panos.Firewall before invocation.

Valid values include the following:

• des
• 3des
• aes128
• aes-128-cbc
• aes192
• aes-192-cbc
• aes256
• aes-256-cbc
• null

Raises:

• PanDeviceNotSet – if there is no Firewall in the object tree
• ValueError – if value is not one of the above

class panos.network.IpsecTunnelIpv4ProxyId(*args, **kwargs)

IKEv1 proxy-id for auto-key IPSec tunnels.

Parameters:

• name – The proxy ID
• local – IP subnet or IP address represents local network
• remote – IP subnet or IP address represents remote network
• any_protocol (bool) – Any protocol
• number_protocol (int) – Numbered Protocol: protocol number (1-254)
• tcp_local_port (int) – Protocol TCP: local port
• tcp_remote_port (int) – Protocol TCP: remote port
• udp_local_port (int) – Protocol UDP: local port
• udp_remote_port (int) – Protocol UDP: remote port

class panos.network.IpsecTunnelIpv6ProxyId(*args, **kwargs)

IKEv1 IPv6 proxy-id for auto-key IPSec tunnels.

NOTE: Only supported in 7.0 and forward.

Parameters:

• name – The proxy ID
• local – IP subnet or IP address represents local network
• remote – IP subnet or IP address represents remote network
• any_protocol (bool) – Any protocol
• number_protocol (int) – Numbered Protocol: protocol number (1-254)
• tcp_local_port (int) – Protocol TCP: local port
• tcp_remote_port (int) – Protocol TCP: remote port
• udp_local_port (int) – Protocol UDP: local port
• udp_remote_port (int) – Protocol UDP: remote port

class panos.network.Layer2Subinterface(*args, **kwargs)

Ethernet or Aggregate Subinterface in Layer 2 mode.

Parameters:

• name (str) – The name
• tag (int) – Tag for the interface, aka vlan id
• lldp_enabled (bool) – Enable LLDP
• lldp_profile (str) – Reference to an lldp profile
• netflow_profile_l2 (str) – Netflow profile
• comment (str) – The interface’s comment

class panos.network.Layer3Subinterface(*args, **kwargs)

Ethernet or Aggregate Subinterface in Layer 3 mode.

Parameters:

• name (str) – The name
• tag (int) – Tag for the interface, aka vlan id
• ip (tuple) – Interface IPv4 addresses
• ipv6_enabled (bool) – IPv6 Enabled (requires IPv6Address child object)
• management_profile (ManagementProfile) – Interface Management Profile
• mtu (int) – MTU for interface
• adjust_tcp_mss (bool) – Adjust TCP MSS
• netflow_profile (str) – Netflow profile
• comment (str) – The interface’s comment
• ipv4_mss_adjust (int) – TCP MSS adjustment for ipv4
• ipv6_mss_adjust (int) – TCP MSS adjustment for ipv6
• enable_dhcp (bool) – Enable DHCP on this interface
• create_dhcp_default_route (bool) – Create default route pointing to default gateway provided by server
• dhcp_default_route_metric (int) – Metric for the DHCP default route
• decrypt_forward (bool) – (PAN-OS 8.1+) Decrypt forward.

class panos.network.LoopbackInterface(*args, **kwargs)

Loopback interface

Parameters:

• name (str) – The name
• ip (tuple) – Interface IPv4 addresses
• ipv6_enabled (bool) – IPv6 Enabled (requires IPv6Address child object)
• management_profile (ManagementProfile) – Interface Management Profile
• mtu (int) – MTU for interface
• adjust_tcp_mss (bool) – Adjust TCP MSS
• netflow_profile (str) – Netflow profile
• comment (str) – The interface’s comment
• ipv4_mss_adjust (int) – TCP MSS adjustment for ipv4
• ipv6_mss_adjust (int) – TCP MSS adjustment for ipv6

class panos.network.ManagementProfile(*args, **kwargs)

Interface management provile.

Add to any of the following interfaces:

• Layer3Subinterface
• EthernetInterface
• AggregateInterface
• VlanInterface
• LoopbackInterface
• TunnelInterface

Parameters:

• name (str) – The name
• ping (bool) – Enable ping
• telnet (bool) – Enable telnet
• ssh (bool) – Enable ssh
• http (bool) – Enable http
• http_ocsp (bool) – Enable http-ocsp
• https (bool) – Enable https
• snmp (bool) – Enable snmp
• response_pages (bool) – Enable response pages
• userid_service (bool) – Enable userid service
• userid_syslog_listener_ssl (bool) – Enable userid syslog listener ssl
• userid_syslog_listener_udp (bool) – Enable userid syslog listener udp
• permitted_ip (list) – The list of permitted IP addresses

class panos.network.Ospf(*args, **kwargs)

OSPF Process

Parameters:

• enable (bool) – Enable OSPF (Default: True)
• router_id (str) – Router ID in IP format (eg. 1.1.1.1)
• reject_default_route (bool) – Reject default route
• allow_redist_default_route (bool) – Allow redistribution in default route
• rfc1583 (bool) – rfc1583
• spf_calculation_delay (int) – SPF calculation delay
• lsa_interval (int) – LSA interval
• graceful_restart_enable (bool) – Enable OSPF graceful restart
• gr_grace_period (int) – Graceful restart period
• gr_helper_enable (bool) – Graceful restart helper enable
• gr_strict_lsa_checking (bool) – Graceful restart strict lsa checking
• gr_max_neighbor_restart_time (int) – Graceful restart neighbor restart time

class panos.network.OspfArea(*args, **kwargs)

OSPF Area

Parameters:

• name (str) – Area in IP format
• type (str) – Type of area, ‘normal’, ‘stub’, or ‘nssa’ (Default: normal)
• accept_summary (bool) – Accept summary route - stub and nssa only
• default_route_advertise (str) – ‘disable’ or ‘advertise’ (Default: disable) - stub and nssa only
• default_route_advertise_metric (int) – Default route metric - stub and nssa only
• default_route_advertise_type (str) – ‘ext-1’ or ‘ext2’ (Default: ext-2 - nssa only

class panos.network.OspfAreaInterface(*args, **kwargs)

OSPF Area Interface

Parameters:

• name (str) – Name of the interface (interface must exist)
• enable (bool) – OSPF enabled on this interface
• passive (bool) – Passive mode
• link_type (str) – Link type, ‘broadcast’, ‘p2p’, or ‘p2mp’ (Default: broadcast)
• metric (int) – Metric
• priority (int) – Priority id
• hello_interval (int) – Hello interval
• dead_counts (int) – Dead counts
• retransmit_interval (int) – Retransmit interval
• transit_delay (int) – Transit delay
• gr_delay (int) – Graceful restart delay
• authentication (str) – Reference to a panos.network.OspfAuthProfile

class panos.network.OspfAuthProfile(*args, **kwargs)

OSPF Authentication Profile

Parameters:

• name (str) – Name of Auth Profile
• type (str) – ‘password’ or ‘md5’
• password (str) – The password if type is set to ‘password’. If type is set to ‘md5’, add a panos.network.OspfAuthProfileMd5

class panos.network.OspfAuthProfileMd5(*args, **kwargs)

OSPF Authentication Profile

Parameters:

• keyid (int) – Identifier for key
• key (str) – The authentication key
• preferred (bool) – This key is preferred

class panos.network.OspfExportRules(*args, **kwargs)

OSPF Export Rules

Parameters:

• name (str) – IP subnet or panos.network.RedistributionProfile
• new_path_type (str) – New path type, ‘ext-1’ or ‘ext-2’ (Default: ext-2)
• new_tag (str) – New tag (int or IP format)
• metric (int) – Metric

class panos.network.OspfNeighbor(*args, **kwargs)

OSPF Neighbor

Parameters:

• name (str) – IP of neighbor
• metric (int) – Metric

class panos.network.OspfNssaExternalRange(*args, **kwargs)

OSPF NSSA External Range

Parameters:

• name (str) – IP network with prefix
• mode (str) – ‘advertise’ or ‘suppress’ (Default: advertise)

class panos.network.OspfRange(*args, **kwargs)

OSPF Range

Parameters:

• name (str) – IP network with prefix
• mode (str) – ‘advertise’ or ‘suppress’ (Default: advertise)

class panos.network.PathMonitorDestination(*args, **kwargs)

PathMonitorDestination Static Route

Parameters:

• name (str) – Name of Path Monitor Destination
• enable (bool) – Enable Path Monitor Destination
• source (str) – Source ip of interface
• destination (str) – Destination ip
• interval (int) – Ping Interval (sec) (Default: 3)
• count (int) – Ping count (Default: 5)

class panos.network.PhysicalInterface(*args, **kwargs)

Absract base class for Ethernet and Aggregate Interfaces

Do not instantiate this object. Use a subclass.

set_zone(zone_name, mode=None, refresh=False, update=False, running_config=False, return_type='object')

Set the zone for this interface

Creates a reference to this interface in the specified zone and removes references to this interface from all other zones. The zone will be created if it doesn’t exist.

Parameters:

• zone_name (str) – The name of the Zone or a panos.network.Zone instance
• mode (str) – The mode of the zone. See panos.network.Zone for possible values
• refresh (bool) – Refresh the relevant current state of the device before taking action (Default: False)
• update (bool) – Apply the changes to the device (Default: False)
• running_config – If refresh is True, refresh from the running configuration (Default: False)
• return_type (str) – Specify what this function returns, can be either ‘object’ (the default) or ‘bool’. If this is ‘object’, then the return value is the Zone in question. If this is ‘bool’, then the return value is a boolean that tells you about if the live device needs updates (update=False) or was updated (update=True).

Returns:

The zone for this interface after the operation completes

Return type:

Zone

class panos.network.RedistributionProfile(*args, **kwargs)

Redistribution Profile

Parameters:

• name (str) – Name of profile
• priority (int) – Priority id
• action (str) – ‘no-redist’ or ‘redist’
• filter_type (tuple) – Any of ‘static’, ‘connect’, ‘rip’, ‘ospf’, or ‘bgp’
• filter_interface (tuple) – Filter interface
• filter_destination (tuple) – Filter destination
• filter_nexthop (tuple) – Filter nexthop
• ospf_filter_pathtype (tuple) – Any of ‘intra-area’, ‘inter-area’, ‘ext-1’, or ‘ext-2
• ospf_filter_area (tuple) – OSPF filter on area
• ospf_filter_tag (tuple) – OSPF filter on tag
• bgp_filter_community (tuple) – BGP filter on community
• bgp_filter_extended_community (tuple) – BGP filter on extended community

class panos.network.RedistributionProfileBase(*args, **kwargs)

Redistribution Profile

Parameters:

• name (str) – Name of profile
• priority (int) – Priority id
• action (str) – ‘no-redist’ or ‘redist’
• filter_type (tuple) – Any of ‘static’, ‘connect’, ‘rip’, ‘ospf’, or ‘bgp’
• filter_interface (tuple) – Filter interface
• filter_destination (tuple) – Filter destination
• filter_nexthop (tuple) – Filter nexthop
• ospf_filter_pathtype (tuple) – Any of ‘intra-area’, ‘inter-area’, ‘ext-1’, or ‘ext-2
• ospf_filter_area (tuple) – OSPF filter on area
• ospf_filter_tag (tuple) – OSPF filter on tag
• bgp_filter_community (tuple) – BGP filter on community
• bgp_filter_extended_community (tuple) – BGP filter on extended community

class panos.network.RedistributionProfileIPv6(*args, **kwargs)

Redistribution Profile

Parameters:

• name (str) – Name of profile
• priority (int) – Priority id
• action (str) – ‘no-redist’ or ‘redist’
• filter_type (tuple) – Any of ‘static’, ‘connect’, ‘rip’, ‘ospf’, or ‘bgp’
• filter_interface (tuple) – Filter interface
• filter_destination (tuple) – Filter destination
• filter_nexthop (tuple) – Filter nexthop
• ospf_filter_pathtype (tuple) – Any of ‘intra-area’, ‘inter-area’, ‘ext-1’, or ‘ext-2
• ospf_filter_area (tuple) – OSPF filter on area
• ospf_filter_tag (tuple) – OSPF filter on tag
• bgp_filter_community (tuple) – BGP filter on community
• bgp_filter_extended_community (tuple) – BGP filter on extended community

class panos.network.Rip(*args, **kwargs)

Add to a panos.network.VirtualRouter instance.

Parameters:

• enable (bool) – Enable RIP
• reject_default_route (bool) – Reject default route
• allow_redist_default_route (bool) – Allow Redistribute Default Route
• delete_intervals (int) – Delete Intervals
• expire_intervals (int) – Expire Intervals
• interval_seconds (int) – Interval Seconds (sec)
• update_intervals (int) – Update Intervals
• global_bfd_profile (str) – Global BFD profile

class panos.network.RipAuthProfile(*args, **kwargs)

Rip Authentication Profile

Parameters:

• name (str) – Name of Auth Profile
• auth_type (str) – ‘password’ or ‘md5’
• password (str) – The password if auth_type is set to ‘password’. If auth_type is set to ‘md5’, add a panos.network.RipAuthProfileMd5

class panos.network.RipAuthProfileMd5(*args, **kwargs)

Rip Authentication Profile

Parameters:

• keyid (int) – Identifier for key
• key (str) – The authentication key
• preferred (bool) – This key is preferred

class panos.network.RipExportRule(*args, **kwargs)

Rip Export Rules

Parameters:

• name (str) – IP subnet or panos.network.RedistributionProfile
• metric (int) – Metric

class panos.network.RipInterface(*args, **kwargs)

Rip Interface

Add to a panos.network.Rip instance.

Parameters:

• name (str) – Interface name
• enable (bool) – Enable
• advertise_default_route – Advertise default route * advertise * disable
• metric (int) – Default route metric. Requires {advertise_default_route: “advertise”}
• auth_profile (str) – Auth profile name
• mode (str) – Mode of RipInterface * normal (default) * passive * send-only

class panos.network.StaticMac(*args, **kwargs)

Static MAC address for a Vlan

Can be added to a panos.network.Vlan object

Parameters:

• mac (str) – The MAC address
• interface (str) – Name of an interface

class panos.network.StaticRoute(*args, **kwargs)

Static Route

Add to a panos.network.VirtualRouter instance.

Parameters:

• name (str) – The name
• destination (str) – Destination network
• nexthop_type (str) – ip-address, discard, or next-vr
• nexthop (str) – Next hop IP address or Next VR Name
• interface (str) – Next hop interface
• admin_dist (str) – Administrative distance
• metric (int) – Metric (Default: 10)
• enable_path_monitor (bool) – Enable Path Monitor
• failure_condition (str) – Path Monitor failure condition set ‘any’ or ‘all’
• preemptive_hold_time (int) – Path Monitor Preemptive Hold Time in minutes

class panos.network.StaticRouteV6(*args, **kwargs)

IPV6 Static Route

Add to a panos.network.VirtualRouter instance.

Parameters:

• name (str) – The name
• destination (str) – Destination network
• nexthop_type (str) – ip-address or discard
• nexthop (str) – Next hop IP address
• interface (str) – Next hop interface
• admin_dist (str) – Administrative distance
• metric (int) – Metric (Default: 10)
• enable_path_monitor (bool) – Enable Path Monitor
• failure_condition (str) – Path Monitor failure condition set ‘any’ or ‘all’
• preemptive_hold_time (int) – Path Monitor Preemptive Hold Time in minutes

class panos.network.Subinterface(*args, **kwargs)

Subinterface class

Do not instantiate this object. Use a subclass.

set_name()

Create a name appropriate for a subinterface if it isn’t already

class panos.network.TunnelInterface(*args, **kwargs)

Tunnel interface

Parameters:

• name (str) – The name
• ip (tuple) – Interface IPv4 addresses
• ipv6_enabled (bool) – IPv6 Enabled (requires IPv6Address child object)
• management_profile (ManagementProfile) – Interface Management Profile
• mtu (int) – MTU for interface
• netflow_profile (str) – Netflow profile
• comment (str) – The interface’s comment

class panos.network.VirtualRouter(*args, **kwargs)

Virtual router

Parameters:

• name (str) – Name of virtual router (Default: “default”)
• interface (list) – List of interface names
• ad_static (int) – Administrative distance for this protocol
• ad_static_ipv6 (int) – Administrative distance for this protocol
• ad_ospf_int (int) – Administrative distance for this protocol
• ad_ospf_ext (int) – Administrative distance for this protocol
• ad_ospfv3_int (int) – Administrative distance for this protocol
• ad_ospfv3_ext (int) – Administrative distance for this protocol
• ad_ibgp (int) – Administrative distance for this protocol
• ad_ebgp (int) – Administrative distance for this protocol
• ad_rip (int) – Administrative distance for this protocol

class panos.network.VirtualWire(*args, **kwargs)

Virtual wires (vwire)

Parameters:

• name (str) – The vwire name
• tag (int) – Tag for the interface, aka vlan id
• interface1 (str) – The first interface to use
• interface2 (str) – The second interface to use
• multicast (bool) – Enable multicast firewalling or not
• pass_through (bool) – Enable link state pass through or not

class panos.network.Vlan(*args, **kwargs)

Parameters:

• name (str) – The name
• interface (list) – List of interface names
• virtual_interface (VlanInterface) – The layer3 vlan interface for this vlan

class panos.network.VlanInterface(*args, **kwargs)

Vlan interface

Parameters:

• name (str) – Interface name
• ip (tuple) – Interface IPv4 addresses
• ipv6_enabled (bool) – IPv6 Enabled (requires IPv6Address child object)
• management_profile (ManagementProfile) – Interface Management Profile
• mtu (int) – MTU for interface
• adjust_tcp_mss (bool) – Adjust TCP MSS
• netflow_profile (str) – Netflow profile
• comment (str) – The interface’s comment
• ipv4_mss_adjust (int) – TCP MSS adjustment for ipv4
• ipv6_mss_adjust (int) – TCP MSS adjustment for ipv6
• enable_dhcp (bool) – Enable DHCP on this interface
• create_dhcp_default_route (bool) – Create default route pointing to default gateway provided by server
• dhcp_default_route_metric (int) – Metric for the DHCP default route

set_vlan_interface(vlan_name, refresh=False, update=False, running_config=False, return_type='object')

Sets the VLAN’s VLAN interface to this VLAN interface

Creates a reference to this interface in the specified vlan and removes references to this interface from all other VLANs. The vlan will be created if it doesn’t exist.

Parameters:

• vlan_name (str) – The name of the vlan or a panos.network.Vlan instance
• refresh (bool) – Refresh the relevant current state of the device before taking action (Default: False)
• update (bool) – Apply the changes to the device (Default: False)
• running_config – If refresh is True, refresh from the running configuration (Default: False)
• return_type (str) – Specify what this function returns, can be either ‘object’ (the default) or ‘bool’. If this is ‘object’, then the return value is the Vlan in question. If this is ‘bool’, then the return value is a boolean that tells you about if the live device needs updates (update=False) or was updated (update=True).

Returns:

The VLAN for this interface after the operation completes

Return type:

Vlan

class panos.network.Zone(*args, **kwargs)

Security zone

Parameters:

• name (str) – Name of the zone
• mode (str) – The mode of the security zone. Must match the mode of the interface. Possible values: tap, virtual-wire, layer2, layer3, external
• interface (list) – List of interface names or instantiated subclasses of panos.network.Interface.
• zone_profile (str) – Zone protection profile
• log_setting (str) – Log forwarding setting
• enable_user_identification (bool) – If user identification is enabled
• include_acl (list/str) – User identification ACL include list
• exclude_acl (list/str) – User identification ACL exclude list
• enable_packet_buffer_protection (bool) – (PAN-OS 8.0+) Enable packet buffer protection
• enable_device_identification (bool) – (PAN-OS 10.0+) Enable device identification
• device_include_acl (list) – (PAN-OS 10.0+) Device include ACLs list
• device_exclude_acl (list) – (PAN-OS 10.0+) Device exclude ACLs list

panos.network.interface(name, *args, **kwargs)

Interface object factory

Creates an interface object of type determined by the name of the interface.

Parameters:

• name (str) – Name of the interface to create (eg. ethernet1/1.5)
• mode (str) – Mode of the interface. Possible values: layer3, layer2, virtual-wire, tap, ha, aggregate-group. Default: None

Keyword Arguments:  

tag (int) – Tag for the interface, aka vlan id

Returns:

An instantiated subclass of panos.network.Interface

Return type:

Interface