Module: network

Inheritance diagram

Inheritance diagram of panos.network

Configuration tree diagram

digraph configtree { graph [rankdir=LR, fontsize=10, margin=0.001]; node [shape=box, fontsize=10, height=0.001, margin=0.1, ordering=out]; AggregateInterface [style=filled fillcolor=lightcyan URL="../module-network.html#panos.network.AggregateInterface" target="_top"]; Arp [style=filled fillcolor=lightcyan URL="../module-network.html#panos.network.Arp" target="_top"]; AggregateInterface -> Arp; IPv6Address [style=filled fillcolor=lightcyan URL="../module-network.html#panos.network.IPv6Address" target="_top"]; AggregateInterface -> IPv6Address; Layer2Subinterface [style=filled fillcolor=lightcyan URL="../module-network.html#panos.network.Layer2Subinterface" target="_top"]; AggregateInterface -> Layer2Subinterface; Layer3Subinterface [style=filled fillcolor=lightcyan URL="../module-network.html#panos.network.Layer3Subinterface" target="_top"]; AggregateInterface -> Layer3Subinterface; Bgp [style=filled fillcolor=lightcyan URL="../module-network.html#panos.network.Bgp" target="_top"]; BgpAuthProfile [style=filled fillcolor=lightcyan URL="../module-network.html#panos.network.BgpAuthProfile" target="_top"]; Bgp -> BgpAuthProfile; BgpDampeningProfile [style=filled fillcolor=lightcyan URL="../module-network.html#panos.network.BgpDampeningProfile" target="_top"]; Bgp -> BgpDampeningProfile; BgpPeerGroup [style=filled fillcolor=lightcyan URL="../module-network.html#panos.network.BgpPeerGroup" target="_top"]; Bgp -> BgpPeerGroup; BgpPolicyAggregationAddress [style=filled fillcolor=lightcyan URL="../module-network.html#panos.network.BgpPolicyAggregationAddress" target="_top"]; Bgp -> BgpPolicyAggregationAddress; BgpPolicyConditionalAdvertisement [style=filled fillcolor=lightcyan URL="../module-network.html#panos.network.BgpPolicyConditionalAdvertisement" target="_top"]; Bgp -> BgpPolicyConditionalAdvertisement; BgpPolicyExportRule [style=filled fillcolor=lightcyan URL="../module-network.html#panos.network.BgpPolicyExportRule" target="_top"]; Bgp -> BgpPolicyExportRule; BgpPolicyImportRule [style=filled fillcolor=lightcyan URL="../module-network.html#panos.network.BgpPolicyImportRule" target="_top"]; Bgp -> BgpPolicyImportRule; BgpRedistributionRule [style=filled fillcolor=lightcyan URL="../module-network.html#panos.network.BgpRedistributionRule" target="_top"]; Bgp -> BgpRedistributionRule; BgpRoutingOptions [style=filled fillcolor=lightcyan URL="../module-network.html#panos.network.BgpRoutingOptions" target="_top"]; Bgp -> BgpRoutingOptions; BgpPeer [style=filled fillcolor=lightcyan URL="../module-network.html#panos.network.BgpPeer" target="_top"]; BgpPeerGroup -> BgpPeer; BgpPolicyAdvertiseFilter [style=filled fillcolor=lightcyan URL="../module-network.html#panos.network.BgpPolicyAdvertiseFilter" target="_top"]; BgpPolicyAddressPrefix [style=filled fillcolor=lightcyan URL="../module-network.html#panos.network.BgpPolicyAddressPrefix" target="_top"]; BgpPolicyAdvertiseFilter -> BgpPolicyAddressPrefix; BgpPolicyAggregationAddress -> BgpPolicyAdvertiseFilter; BgpPolicySuppressFilter [style=filled fillcolor=lightcyan URL="../module-network.html#panos.network.BgpPolicySuppressFilter" target="_top"]; BgpPolicyAggregationAddress -> BgpPolicySuppressFilter; BgpPolicyConditionalAdvertisement -> BgpPolicyAdvertiseFilter; BgpPolicyNonExistFilter [style=filled fillcolor=lightcyan URL="../module-network.html#panos.network.BgpPolicyNonExistFilter" target="_top"]; BgpPolicyConditionalAdvertisement -> BgpPolicyNonExistFilter; BgpPolicyExportRule -> BgpPolicyAddressPrefix; BgpPolicyImportRule -> BgpPolicyAddressPrefix; BgpPolicyNonExistFilter -> BgpPolicyAddressPrefix; BgpPolicySuppressFilter -> BgpPolicyAddressPrefix; BgpOutboundRouteFilter [style=filled fillcolor=lightcyan URL="../module-network.html#panos.network.BgpOutboundRouteFilter" target="_top"]; BgpRoutingOptions -> BgpOutboundRouteFilter; Dhcp [style=filled fillcolor=lightcyan URL="../module-network.html#panos.network.Dhcp" target="_top"]; DhcpRelay [style=filled fillcolor=lightcyan URL="../module-network.html#panos.network.DhcpRelay" target="_top"]; Dhcp -> DhcpRelay; DhcpRelayIpv6Address [style=filled fillcolor=lightcyan URL="../module-network.html#panos.network.DhcpRelayIpv6Address" target="_top"]; DhcpRelay -> DhcpRelayIpv6Address; EthernetInterface [style=filled fillcolor=lightcyan URL="../module-network.html#panos.network.EthernetInterface" target="_top"]; EthernetInterface -> Arp; EthernetInterface -> IPv6Address; EthernetInterface -> Layer2Subinterface; EthernetInterface -> Layer3Subinterface; IpsecTunnel [style=filled fillcolor=lightcyan URL="../module-network.html#panos.network.IpsecTunnel" target="_top"]; IpsecTunnelIpv4ProxyId [style=filled fillcolor=lightcyan URL="../module-network.html#panos.network.IpsecTunnelIpv4ProxyId" target="_top"]; IpsecTunnel -> IpsecTunnelIpv4ProxyId; IpsecTunnelIpv6ProxyId [style=filled fillcolor=lightcyan URL="../module-network.html#panos.network.IpsecTunnelIpv6ProxyId" target="_top"]; IpsecTunnel -> IpsecTunnelIpv6ProxyId; Layer3Subinterface -> Arp; Layer3Subinterface -> IPv6Address; LogicalRouter [style=filled fillcolor=lightcyan URL="../module-network.html#panos.network.LogicalRouter" target="_top"]; Vrf [style=filled fillcolor=lightcyan URL="../module-network.html#panos.network.Vrf" target="_top"]; LogicalRouter -> Vrf; LoopbackInterface [style=filled fillcolor=lightcyan URL="../module-network.html#panos.network.LoopbackInterface" target="_top"]; LoopbackInterface -> IPv6Address; Ospf [style=filled fillcolor=lightcyan URL="../module-network.html#panos.network.Ospf" target="_top"]; OspfArea [style=filled fillcolor=lightcyan URL="../module-network.html#panos.network.OspfArea" target="_top"]; Ospf -> OspfArea; OspfAuthProfile [style=filled fillcolor=lightcyan URL="../module-network.html#panos.network.OspfAuthProfile" target="_top"]; Ospf -> OspfAuthProfile; OspfExportRules [style=filled fillcolor=lightcyan URL="../module-network.html#panos.network.OspfExportRules" target="_top"]; Ospf -> OspfExportRules; OspfAreaInterface [style=filled fillcolor=lightcyan URL="../module-network.html#panos.network.OspfAreaInterface" target="_top"]; OspfArea -> OspfAreaInterface; OspfNssaExternalRange [style=filled fillcolor=lightcyan URL="../module-network.html#panos.network.OspfNssaExternalRange" target="_top"]; OspfArea -> OspfNssaExternalRange; OspfRange [style=filled fillcolor=lightcyan URL="../module-network.html#panos.network.OspfRange" target="_top"]; OspfArea -> OspfRange; OspfNeighbor [style=filled fillcolor=lightcyan URL="../module-network.html#panos.network.OspfNeighbor" target="_top"]; OspfAreaInterface -> OspfNeighbor; OspfAuthProfileMd5 [style=filled fillcolor=lightcyan URL="../module-network.html#panos.network.OspfAuthProfileMd5" target="_top"]; OspfAuthProfile -> OspfAuthProfileMd5; Rip [style=filled fillcolor=lightcyan URL="../module-network.html#panos.network.Rip" target="_top"]; RipAuthProfile [style=filled fillcolor=lightcyan URL="../module-network.html#panos.network.RipAuthProfile" target="_top"]; Rip -> RipAuthProfile; RipExportRule [style=filled fillcolor=lightcyan URL="../module-network.html#panos.network.RipExportRule" target="_top"]; Rip -> RipExportRule; RipInterface [style=filled fillcolor=lightcyan URL="../module-network.html#panos.network.RipInterface" target="_top"]; Rip -> RipInterface; RipAuthProfileMd5 [style=filled fillcolor=lightcyan URL="../module-network.html#panos.network.RipAuthProfileMd5" target="_top"]; RipAuthProfile -> RipAuthProfileMd5; RoutingProfileFilterAccessList [style=filled fillcolor=lightcyan URL="../module-network.html#panos.network.RoutingProfileFilterAccessList" target="_top"]; RoutingProfileFilterAccessListEntryIpv4 [style=filled fillcolor=lightcyan URL="../module-network.html#panos.network.RoutingProfileFilterAccessListEntryIpv4" target="_top"]; RoutingProfileFilterAccessList -> RoutingProfileFilterAccessListEntryIpv4; RoutingProfileFilterAccessListEntryIpv6 [style=filled fillcolor=lightcyan URL="../module-network.html#panos.network.RoutingProfileFilterAccessListEntryIpv6" target="_top"]; RoutingProfileFilterAccessList -> RoutingProfileFilterAccessListEntryIpv6; RoutingProfileFilterAsPathAccessList [style=filled fillcolor=lightcyan URL="../module-network.html#panos.network.RoutingProfileFilterAsPathAccessList" target="_top"]; RoutingProfileFilterAsPathAccessListEntry [style=filled fillcolor=lightcyan URL="../module-network.html#panos.network.RoutingProfileFilterAsPathAccessListEntry" target="_top"]; RoutingProfileFilterAsPathAccessList -> RoutingProfileFilterAsPathAccessListEntry; RoutingProfileFilterCommunityList [style=filled fillcolor=lightcyan URL="../module-network.html#panos.network.RoutingProfileFilterCommunityList" target="_top"]; RoutingProfileFilterCommunityListEntryExtended [style=filled fillcolor=lightcyan URL="../module-network.html#panos.network.RoutingProfileFilterCommunityListEntryExtended" target="_top"]; RoutingProfileFilterCommunityList -> RoutingProfileFilterCommunityListEntryExtended; RoutingProfileFilterCommunityListEntryLarge [style=filled fillcolor=lightcyan URL="../module-network.html#panos.network.RoutingProfileFilterCommunityListEntryLarge" target="_top"]; RoutingProfileFilterCommunityList -> RoutingProfileFilterCommunityListEntryLarge; RoutingProfileFilterCommunityListEntryRegular [style=filled fillcolor=lightcyan URL="../module-network.html#panos.network.RoutingProfileFilterCommunityListEntryRegular" target="_top"]; RoutingProfileFilterCommunityList -> RoutingProfileFilterCommunityListEntryRegular; RoutingProfileFilterPrefixList [style=filled fillcolor=lightcyan URL="../module-network.html#panos.network.RoutingProfileFilterPrefixList" target="_top"]; RoutingProfileFilterPrefixListEntryIpv4 [style=filled fillcolor=lightcyan URL="../module-network.html#panos.network.RoutingProfileFilterPrefixListEntryIpv4" target="_top"]; RoutingProfileFilterPrefixList -> RoutingProfileFilterPrefixListEntryIpv4; RoutingProfileFilterPrefixListEntryIpv6 [style=filled fillcolor=lightcyan URL="../module-network.html#panos.network.RoutingProfileFilterPrefixListEntryIpv6" target="_top"]; RoutingProfileFilterPrefixList -> RoutingProfileFilterPrefixListEntryIpv6; RoutingProfileFilterRouteMaps [style=filled fillcolor=lightcyan URL="../module-network.html#panos.network.RoutingProfileFilterRouteMaps" target="_top"]; RoutingProfileFilterRouteMapsEntry [style=filled fillcolor=lightcyan URL="../module-network.html#panos.network.RoutingProfileFilterRouteMapsEntry" target="_top"]; RoutingProfileFilterRouteMaps -> RoutingProfileFilterRouteMapsEntry; RoutingProfileFilterRouteMapsRedistribution [style=filled fillcolor=lightcyan URL="../module-network.html#panos.network.RoutingProfileFilterRouteMapsRedistribution" target="_top"]; RoutingProfileFilterRouteMapsRedistribution -> RoutingProfileFilterRouteMapsEntry; StaticRoute [style=filled fillcolor=lightcyan URL="../module-network.html#panos.network.StaticRoute" target="_top"]; PathMonitorDestination [style=filled fillcolor=lightcyan URL="../module-network.html#panos.network.PathMonitorDestination" target="_top"]; StaticRoute -> PathMonitorDestination; StaticRouteV6 [style=filled fillcolor=lightcyan URL="../module-network.html#panos.network.StaticRouteV6" target="_top"]; StaticRouteV6 -> PathMonitorDestination; TunnelInterface [style=filled fillcolor=lightcyan URL="../module-network.html#panos.network.TunnelInterface" target="_top"]; TunnelInterface -> IPv6Address; VirtualRouter [style=filled fillcolor=lightcyan URL="../module-network.html#panos.network.VirtualRouter" target="_top"]; VirtualRouter -> Bgp; VirtualRouter -> Ospf; RedistributionProfile [style=filled fillcolor=lightcyan URL="../module-network.html#panos.network.RedistributionProfile" target="_top"]; VirtualRouter -> RedistributionProfile; RedistributionProfileIPv6 [style=filled fillcolor=lightcyan URL="../module-network.html#panos.network.RedistributionProfileIPv6" target="_top"]; VirtualRouter -> RedistributionProfileIPv6; VirtualRouter -> Rip; VirtualRouter -> StaticRoute; VirtualRouter -> StaticRouteV6; Vlan [style=filled fillcolor=lightcyan URL="../module-network.html#panos.network.Vlan" target="_top"]; StaticMac [style=filled fillcolor=lightcyan URL="../module-network.html#panos.network.StaticMac" target="_top"]; Vlan -> StaticMac; VlanInterface [style=filled fillcolor=lightcyan URL="../module-network.html#panos.network.VlanInterface" target="_top"]; VlanInterface -> Arp; VlanInterface -> IPv6Address; RoutingProfileBfd [style=filled fillcolor=lightcyan URL="../module-network.html#panos.network.RoutingProfileBfd" target="_top"]; Vrf -> RoutingProfileBfd; RoutingProfileBgpAddressFamily [style=filled fillcolor=lightcyan URL="../module-network.html#panos.network.RoutingProfileBgpAddressFamily" target="_top"]; Vrf -> RoutingProfileBgpAddressFamily; RoutingProfileBgpAuth [style=filled fillcolor=lightcyan URL="../module-network.html#panos.network.RoutingProfileBgpAuth" target="_top"]; Vrf -> RoutingProfileBgpAuth; RoutingProfileBgpDampening [style=filled fillcolor=lightcyan URL="../module-network.html#panos.network.RoutingProfileBgpDampening" target="_top"]; Vrf -> RoutingProfileBgpDampening; RoutingProfileBgpFiltering [style=filled fillcolor=lightcyan URL="../module-network.html#panos.network.RoutingProfileBgpFiltering" target="_top"]; Vrf -> RoutingProfileBgpFiltering; RoutingProfileBgpRedistribution [style=filled fillcolor=lightcyan URL="../module-network.html#panos.network.RoutingProfileBgpRedistribution" target="_top"]; Vrf -> RoutingProfileBgpRedistribution; RoutingProfileBgpTimer [style=filled fillcolor=lightcyan URL="../module-network.html#panos.network.RoutingProfileBgpTimer" target="_top"]; Vrf -> RoutingProfileBgpTimer; Vrf -> RoutingProfileFilterAccessList; Vrf -> RoutingProfileFilterAsPathAccessList; Vrf -> RoutingProfileFilterCommunityList; Vrf -> RoutingProfileFilterPrefixList; Vrf -> RoutingProfileFilterRouteMaps; Vrf -> RoutingProfileFilterRouteMapsRedistribution; RoutingProfileOspfAuth [style=filled fillcolor=lightcyan URL="../module-network.html#panos.network.RoutingProfileOspfAuth" target="_top"]; Vrf -> RoutingProfileOspfAuth; RoutingProfileOspfIfTimer [style=filled fillcolor=lightcyan URL="../module-network.html#panos.network.RoutingProfileOspfIfTimer" target="_top"]; Vrf -> RoutingProfileOspfIfTimer; RoutingProfileOspfRedistribution [style=filled fillcolor=lightcyan URL="../module-network.html#panos.network.RoutingProfileOspfRedistribution" target="_top"]; Vrf -> RoutingProfileOspfRedistribution; RoutingProfileOspfSpfTimer [style=filled fillcolor=lightcyan URL="../module-network.html#panos.network.RoutingProfileOspfSpfTimer" target="_top"]; Vrf -> RoutingProfileOspfSpfTimer; RoutingProfileOspfv3Auth [style=filled fillcolor=lightcyan URL="../module-network.html#panos.network.RoutingProfileOspfv3Auth" target="_top"]; Vrf -> RoutingProfileOspfv3Auth; RoutingProfileOspfv3IfTimer [style=filled fillcolor=lightcyan URL="../module-network.html#panos.network.RoutingProfileOspfv3IfTimer" target="_top"]; Vrf -> RoutingProfileOspfv3IfTimer; RoutingProfileOspfv3Redistribution [style=filled fillcolor=lightcyan URL="../module-network.html#panos.network.RoutingProfileOspfv3Redistribution" target="_top"]; Vrf -> RoutingProfileOspfv3Redistribution; RoutingProfileOspfv3SpfTimer [style=filled fillcolor=lightcyan URL="../module-network.html#panos.network.RoutingProfileOspfv3SpfTimer" target="_top"]; Vrf -> RoutingProfileOspfv3SpfTimer; VrfBgpPeerGroup [style=filled fillcolor=lightcyan URL="../module-network.html#panos.network.VrfBgpPeerGroup" target="_top"]; Vrf -> VrfBgpPeerGroup; VrfEcmpInterfaceWeight [style=filled fillcolor=lightcyan URL="../module-network.html#panos.network.VrfEcmpInterfaceWeight" target="_top"]; Vrf -> VrfEcmpInterfaceWeight; VrfOspfArea [style=filled fillcolor=lightcyan URL="../module-network.html#panos.network.VrfOspfArea" target="_top"]; Vrf -> VrfOspfArea; VrfOspfv3Area [style=filled fillcolor=lightcyan URL="../module-network.html#panos.network.VrfOspfv3Area" target="_top"]; Vrf -> VrfOspfv3Area; VrfStaticRoute [style=filled fillcolor=lightcyan URL="../module-network.html#panos.network.VrfStaticRoute" target="_top"]; Vrf -> VrfStaticRoute; VrfStaticRouteV6 [style=filled fillcolor=lightcyan URL="../module-network.html#panos.network.VrfStaticRouteV6" target="_top"]; Vrf -> VrfStaticRouteV6; VrfBgpPeer [style=filled fillcolor=lightcyan URL="../module-network.html#panos.network.VrfBgpPeer" target="_top"]; VrfBgpPeerGroup -> VrfBgpPeer; VrfOspfAreaInterface [style=filled fillcolor=lightcyan URL="../module-network.html#panos.network.VrfOspfAreaInterface" target="_top"]; VrfOspfArea -> VrfOspfAreaInterface; VrfOspfAreaRange [style=filled fillcolor=lightcyan URL="../module-network.html#panos.network.VrfOspfAreaRange" target="_top"]; VrfOspfArea -> VrfOspfAreaRange; VrfOspfAreaVirtualLink [style=filled fillcolor=lightcyan URL="../module-network.html#panos.network.VrfOspfAreaVirtualLink" target="_top"]; VrfOspfArea -> VrfOspfAreaVirtualLink; VrfOspfv3AreaInterface [style=filled fillcolor=lightcyan URL="../module-network.html#panos.network.VrfOspfv3AreaInterface" target="_top"]; VrfOspfv3Area -> VrfOspfv3AreaInterface; VrfOspfv3AreaRange [style=filled fillcolor=lightcyan URL="../module-network.html#panos.network.VrfOspfv3AreaRange" target="_top"]; VrfOspfv3Area -> VrfOspfv3AreaRange; VrfOspfv3AreaVirtualLink [style=filled fillcolor=lightcyan URL="../module-network.html#panos.network.VrfOspfv3AreaVirtualLink" target="_top"]; VrfOspfv3Area -> VrfOspfv3AreaVirtualLink; VrfStaticRoute -> PathMonitorDestination; VrfStaticRouteV6 -> PathMonitorDestination; }

Class Reference

Network module contains objects that exist in the ‘Network’ tab in the firewall GUI

class panos.network.AbstractSubinterface(name, tag, parent=None)[source]

When a subinterface is needed, but the layer is unknown

Kindof like a placeholder or reference for a Layer2Subinterface or Layer3Subinterface. This class gets a parent which is the ethernet or aggregate interface, but it should not be added to the parent interface with add().

Parameters:
  • name (str) – Name of the interface (eg. ethernet1/1.5)

  • tag (int) – Tag for the interface, aka vlan id

  • parent (Interface) – The base interface for this subinterface

delete()[source]

Deletes both Layer3 and Layer2 subinterfaces by name

This is necessary because an AbstractSubinterface’s mode is unknown.

get_layered_subinterface(mode, add=True)[source]

Instantiate a regular subinterface type from this AbstractSubinterface

Converts an abstract subinterface to a real subinterface by offering it a mode.

Parameters:
  • mode (str) – Mode of the subinterface (‘layer3’ or ‘layer2’)

  • add (bool) – Add the newly instantiated subinterface to the base interface object

Returns:

A panos.network.Layer3Subinterface or panos.network.Layer2Subinterface instance, depending on the mode argument

Return type:

Subinterface

nearest_pandevice()[source]

The PanDevice parent for this instance

Returns:

Parent PanDevice instance (Firewall or Panorama)

Return type:

PanDevice

set_name()[source]

Create a name appropriate for a subinterface if it isn’t already created

Example

If self.name is ‘ethernet1/1’ and self.tag is 5, this method will change the name to ‘ethernet1/1.5’.

set_virtual_router(virtual_router_name, refresh=False, update=False, running_config=False)[source]

Set the virtual router for this interface

Creates a reference to this interface in the specified virtual router and removes references to this interface from all other virtual routers. The virtual router will be created if it doesn’t exist.

Parameters:
  • virtual_router_name (str) – The name of the VirtualRouter or a panos.network.VirtualRouter instance

  • refresh (bool) – Refresh the relevant current state of the device before taking action (Default: False)

  • update (bool) – Apply the changes to the device (Default: False)

  • running_config – If refresh is True, refresh from the running configuration (Default: False)

Returns:

The zone for this interface after the operation completes

Return type:

Zone

class panos.network.AggregateInterface(*args, **kwargs)[source]

Aggregate interface (eg. ‘ae1’)

Parameters:
  • name (str) – Name of interface (eg. ‘ae1’)

  • mode (str) –

    Mode of the interface:
    • layer3

    • layer2

    • virtual-wire

    • ha

    Not all modes apply to all interface types (Default: layer3)

  • ip (tuple) – Layer3: Interface IPv4 addresses

  • ipv6_enabled (bool) – Layer3: IPv6 Enabled (requires IPv6Address child object)

  • management_profile (ManagementProfile) – Layer3: Interface Management Profile

  • mtu (int) – Layer3: MTU for interface

  • adjust_tcp_mss (bool) – Layer3: Adjust TCP MSS

  • netflow_profile (str) – Netflow profile

  • lldp_enabled (bool) – Enable LLDP

  • lldp_profile (str) – Reference to an lldp profile

  • comment (str) – The interface’s comment

  • ipv4_mss_adjust (int) – Layer3: TCP MSS adjustment for ipv4

  • ipv6_mss_adjust (int) – Layer3: TCP MSS adjustment for ipv6

  • enable_dhcp (bool) – Enable DHCP on this interface

  • create_dhcp_default_route (bool) – Layer3: Create default route pointing to default gateway provided by server

  • dhcp_default_route_metric (int) – Layer3: Metric for the DHCP default route

  • lacp_enable (bool) – Enables LACP

  • lacp_passive_pre_negotiation (bool) – Enable LACP passive pre-negotiation, off by default

  • lacp_mode (str) – Set LACP mode to ‘active’ or ‘passive’

  • lacp_rate (str) – Set LACP transmission-rate to ‘fast’ or ‘slow’

  • lacp_fast_failover (bool) – Enable fast failover for LACP

class panos.network.Arp(*args, **kwargs)[source]

Static ARP Mapping

Can be added to various interfaces.

Parameters:
  • ip (str) – The IP address

  • hw_address (str) – The MAC address for the static ARP

  • interface (str) – The interface (when attached to VlanInterface only)

class panos.network.Bgp(*args, **kwargs)[source]

BGP Process

Parameters:
  • enable (bool) – Enable BGP (Default: True)

  • router_id (str) – Router ID in IP format (eg. 1.1.1.1)

  • reject_default_route (bool) – Reject default route

  • allow_redist_default_route (bool) – Allow redistribution in default route

  • install_route (bool) – Populate BGP learned route to global route table

  • ecmp_multi_as (bool) – Support multiple AS in ECMP

  • enforce_first_as (bool) – Enforce First AS for EBGP

  • local_as (int) – local AS number

  • global_bfd_profile (str) – BFD Profile

class panos.network.BgpAuthProfile(*args, **kwargs)[source]

BGP Authentication Profile

Parameters:
  • name (str) – Name of Auth Profile

  • secret (str) – shared secret for the TCP MD5 authentication.

class panos.network.BgpDampeningProfile(*args, **kwargs)[source]

BGP Dampening Profile

Parameters:
  • name (str) – Name of Dampening Profile

  • enable (bool) – Enable profile (Default: True)

  • cutoff (float) – Cutoff threshold value

  • reuse (float) – Reuse threshold value

  • max_hold_time (int) – Maximum of hold-down time (in seconds)

  • decay_half_life_reachable (int) – Decay half-life while reachable (in seconds)

  • decay_half_life_unreachable (int) – Decay half-life while unreachable (in seconds)

class panos.network.BgpOutboundRouteFilter(*args, **kwargs)[source]

BGP Outbound Route Filtering

NOTE: This functionality is not enabled yet in PanOS

Parameters:
  • enable (bool) – enable prefix-based outbound route filtering.

  • max_received_entries (int) – maximum of ORF prefixes to receive.

  • cisco_prefix_mode (bool) – ORF vendor-compatible mode

class panos.network.BgpPeer(*args, **kwargs)[source]

BGP Peer

Parameters:
  • name (str) – Name of BGP Peer

  • enable (bool) – Enable Peer (Default: True)

  • peer_as (str) – peer AS number

  • enable_mp_bgp (bool) – enable MP-BGP extentions

  • address_family_identifier (str) – peer address family type * ipv4 * ipv6

  • subsequent_address_unicast (bool) – select SAFI for this peer

  • subsequent_address_multicast (bool) – select SAFI for this peer

  • local_interface (str) – interface to accept BGP session

  • local_interface_ip (str) – specify exact IP address if interface has multiple addresses

  • peer_address_ip (str) – IP address of peer

  • connection_authentication (str) – BGP auth profile name

  • connection_keep_alive_interval (int) – keep-alive interval (in seconds)

  • connection_min_route_adv_interval (int) – Minimum Route Advertisement Interval (in seconds)

  • connection_multihop (int) – IP TTL value used for sending BGP packet. set to 0 means eBGP use 2, iBGP use 255

  • connection_open_delay_time (int) – open delay time (in seconds)

  • connection_hold_time (int) – hold time (in seconds)

  • connection_idle_hold_time (int) – idle hold time (in seconds)

  • connection_incoming_allow (bool) – allow incoming connections

  • connection_outgoing_allow (bool) – allow outgoing connections

  • connection_incoming_remote_port (int) – restrict remote port for incoming BGP connections

  • connection_outgoing_local_port (int) – use specific local port for outgoing BGP connections

  • enable_sender_side_loop_detection (bool) –

  • reflector_client (str) –

    • non-client

    • client

    • meshed-client

  • peering_type (str) –

    • unspecified

    • bilateral

  • max_prefixes (int) – maximum of prefixes to receive from peer

  • bfd_profile (str) – BFD configuration * Inherit-vr-global-setting * None * Pre-existing BFD profile name * None

class panos.network.BgpPeerGroup(*args, **kwargs)[source]

BGP Peer Group

Parameters:
  • name (str) – Name of BGP Peer Group

  • enable (bool) – Enable Peer Group (Default: True)

  • aggregated_confed_as_path (bool) – the peers understand aggregated confederation AS path

  • soft_reset_with_stored_info (bool) – soft reset with stored info

  • type (str) – peer group type I(‘ebgp’)/I(‘ibgp’)/I(‘ebgp-confed’)/I(‘ibgp-confed’)

  • export_nexthop (str) – export locally resolved nexthop I(‘resolve’)/I(‘use-self’)

  • import_nexthop (str) – override nexthop with peer address I(‘original’)/I(‘use-peer’), only with ‘ebgp’

  • remove_private_as (bool) – remove private AS when exporting route, only with ‘ebgp’

class panos.network.BgpPolicyAddressPrefix(*args, **kwargs)[source]

BGP Policy Address Prefix with Exact

Parameters:
  • name (str) – address prefix

  • exact (str) – match exact prefix length

class panos.network.BgpPolicyAdvertiseFilter(*args, **kwargs)[source]

BGP Policy Advertise Filter

Parameters:
  • name (str) – Name of filter

  • enable (bool) – Enable rule.

  • match_afi (str) – Address Family Identifier * ip * ipv6

  • match_safi (str) – Subsequent Address Family Identifier * ip * ipv6

  • match_route_table (str) – Route table to match rule * unicast * multicast * both

  • match_nexthop (list) – Next-hop attributes

  • match_from_peer (list) – Filter by peer that sent this route

  • match_med (int) – Multi-Exit Discriminator

  • match_as_path_regex (str) – AS-path regular expression

  • match_community_regex (str) – Community AS-path regular expression

  • match_extended_community_regex (str) – Extended Community AS-path regular expression

class panos.network.BgpPolicyAggregationAddress(*args, **kwargs)[source]

BGP Policy Aggregation Address

Parameters:
  • name (str) – Sddress prefix

  • enable (bool) – Enable aggregation for this prefix

  • prefix (str) – Aggregating address prefix

  • summary (bool) – Summarize route

  • as_set (bool) – Generate AS-set attribute

  • attr_local_preference (int) – New local preference value

  • attr_med (int) – New MED value

  • attr_weight (int) – New weight value

  • attr_nexthop (str) – Nexthop address

  • attr_origin (str) – New route origin * igp * egp * incomplete

  • attr_as_path_limit (int) – Add AS path limit attribute if it does not exist

  • attr_as_path_type (str) – AS path update options * none (string, not to be confused with the Python type None) * remove * prepend * remove-and-prepend

  • attr_as_path_prepend_times (int) – Prepend local AS for specified number of times * only valid when attr_as_path_type is ‘prepend’ or ‘remove-and-prepend’

  • attr_community_type (str) – Community update options * none (string, not to be confused with the Python type None) * remove-all * remove-regex * append * overwrite

  • attr_community_argument (str) – Argument to the attr community value if needed * None * local-as * no-advertise * no-export * nopeer * regex * 32-bit value * AS:VAL

  • attr_extended_community_type (str) – Extended community update options * none (string, not to be confused with the Python type None) * remove-all * remove-regex * append * overwrite

  • attr_extended_community_argument (str) – Argument to the attr extended community value if needed

class panos.network.BgpPolicyConditionalAdvertisement(*args, **kwargs)[source]

BGP Conditional Advertisement Policy

Parameters:
  • name (str) – Name of Conditional Advertisement Policy

  • enable (bool) – enable prefix-based outbound route filtering.

  • used_by (list) – peer-groups that use this rule.

class panos.network.BgpPolicyExportRule(*args, **kwargs)[source]

BGP Policy Export Rule

Parameters:
  • name (str) – The name

  • enable (bool) – Enable rule.

  • match_afi (str) – Address Family Identifier * ip * ipv6

  • match_safi (str) – Subsequent Address Family Identifier * ip * ipv6

  • match_route_table (str) – Route table to match rule * unicast * multicast * both

  • match_nexthop (list) – Next-hop attributes

  • match_from_peer (list) – Filter by peer that sent this route

  • match_med (int) – Multi-Exit Discriminator

  • match_as_path_regex (str) – AS-path regular expression

  • match_community_regex (str) – AS-path regular expression

  • match_extended_community_regex (str) – AS-path regular expression

  • used_by (list) – Peer-groups that use this rule.

  • action (str) – The action

  • action_local_preference (int) – New local preference value

  • action_med (int) – New MED value

  • action_nexthop (str) – Nexthop address

  • action_origin (str) – New route origin * igp * egp * incomplete

  • action_as_path_limit (int) – Add AS path limit attribute if it does not exist

  • action_as_path_type (str) – AS path update options * none (string, not to be confused with the Python type None) * remove * prepend * remove-and-prepend

  • action_as_path_prepend_times (int) – Prepend local AS for specified number of times * only valid when action_as_path_type is ‘prepend’ or ‘remove-and-prepend’

  • action_community_type (str) – Community update options * none (string, not to be confused with the Python type None) * remove-all * remove-regex * append * overwrite

  • action_community_argument (str) – Argument to the action community value if needed * None * regex

  • action_community_modifier (str) – Argument to the action community value when type is ‘append’ or ‘overwrite’ * local-as * no-advertise * no-export * nopeer * 32-bit value * AS:VAL

  • action_extended_community_type (str) – Extended community update options * none (string, not to be confused with the Python type None) * remove-all * remove-regex * append * overwrite

  • action_extended_community_argument (str) – Argument to the action extended community value if needed

class panos.network.BgpPolicyFilter(*args, **kwargs)[source]

Base class for BGP Policy Match Filters

Do not instantiate this class, use one of:
  • BgpPolicyImportRule

  • BgpPolicyExportRule

Parameters:
  • name (str) – Name of filter

  • enable (bool) – Enable rule.

  • match_afi (str) – Address Family Identifier * ip * ipv6

  • match_safi (str) – Subsequent Address Family Identifier * ip * ipv6

  • match_route_table (str) – Route table to match rule * unicast * multicast * both

  • match_nexthop (list) – Next-hop attributes

  • match_from_peer (list) – Filter by peer that sent this route

  • match_med (int) – Multi-Exit Discriminator

  • match_as_path_regex (str) – AS-path regular expression

  • match_community_regex (str) – Community AS-path regular expression

  • match_extended_community_regex (str) – Extended Community AS-path regular expression

class panos.network.BgpPolicyImportRule(*args, **kwargs)[source]

BGP Policy Import Rule

Parameters:
  • name (str) – The name

  • enable (bool) – Enable rule.

  • match_afi (str) – Address Family Identifier * ip * ipv6

  • match_safi (str) – Subsequent Address Family Identifier * ip * ipv6

  • match_route_table (str) – Route table to match rule * unicast * multicast * both

  • match_nexthop (list) – Next-hop attributes

  • match_from_peer (list) – Filter by peer that sent this route

  • match_med (int) – Multi-Exit Discriminator

  • match_as_path_regex (str) – AS-path regular expression

  • match_community_regex (str) – AS-path regular expression

  • match_extended_community_regex (str) – AS-path regular expression

  • used_by (list) – Peer-groups that use this rule.

  • action (str) – The action

  • action_local_preference (int) – New local preference value

  • action_med (int) – New MED value

  • action_nexthop (str) – Nexthop address

  • action_origin (str) – New route origin * igp * egp * incomplete

  • action_as_path_limit (int) – Add AS path limit attribute if it does not exist

  • action_as_path_type (str) – AS path update options * none (string, not to be confused with the Python type None) * remove * prepend * remove-and-prepend

  • action_as_path_prepend_times (int) – Prepend local AS for specified number of times * only valid when action_as_path_type is ‘prepend’ or ‘remove-and-prepend’

  • action_community_type (str) – Community update options * none (string, not to be confused with the Python type None) * remove-all * remove-regex * append * overwrite

  • action_community_argument (str) – Argument to the action community value if needed * None * regex

  • action_community_modifier (str) – Argument to the action community value when type is ‘append’ or ‘overwrite’ * local-as * no-advertise * no-export * nopeer * 32-bit value * AS:VAL

  • action_extended_community_type (str) – Extended community update options * none (string, not to be confused with the Python type None) * remove-all * remove-regex * append * overwrite

  • action_extended_community_argument (str) – Argument to the action extended community value if needed

  • action_dampening (str) – Route flap dampening profile

  • action_weight (int) – New weight value

class panos.network.BgpPolicyNonExistFilter(*args, **kwargs)[source]

BGP Policy Non-Exist Filter

Parameters:
  • name (str) – Name of filter

  • enable (bool) – Enable rule.

  • match_afi (str) – Address Family Identifier * ip * ipv6

  • match_safi (str) – Subsequent Address Family Identifier * ip * ipv6

  • match_route_table (str) – Route table to match rule * unicast * multicast * both

  • match_nexthop (list) – Next-hop attributes

  • match_from_peer (list) – Filter by peer that sent this route

  • match_med (int) – Multi-Exit Discriminator

  • match_as_path_regex (str) – AS-path regular expression

  • match_community_regex (str) – Community AS-path regular expression

  • match_extended_community_regex (str) – Extended Community AS-path regular expression

class panos.network.BgpPolicyRule(*args, **kwargs)[source]

Base class for BGP Policy Import/Export Rules

Do not instantiate this class, use one of:
  • BgpPolicyImportRule

  • BgpPolicyExportRule

Parameters:
  • name (str) – The name

  • enable (bool) – Enable rule.

  • match_afi (str) – Address Family Identifier * ip * ipv6

  • match_safi (str) – Subsequent Address Family Identifier * ip * ipv6

  • match_route_table (str) – Route table to match rule * unicast * multicast * both

  • match_nexthop (list) – Next-hop attributes

  • match_from_peer (list) – Filter by peer that sent this route

  • match_med (int) – Multi-Exit Discriminator

  • match_as_path_regex (str) – AS-path regular expression

  • match_community_regex (str) – AS-path regular expression

  • match_extended_community_regex (str) – AS-path regular expression

  • used_by (list) – Peer-groups that use this rule.

  • action (str) – The action

  • action_local_preference (int) – New local preference value

  • action_med (int) – New MED value

  • action_nexthop (str) – Nexthop address

  • action_origin (str) – New route origin * igp * egp * incomplete

  • action_as_path_limit (int) – Add AS path limit attribute if it does not exist

  • action_as_path_type (str) – AS path update options * none (string, not to be confused with the Python type None) * remove * prepend * remove-and-prepend

  • action_as_path_prepend_times (int) – Prepend local AS for specified number of times * only valid when action_as_path_type is ‘prepend’ or ‘remove-and-prepend’

  • action_community (str) – Community update options * none (string, not to be confused with the Python type None) * remove-all * remove-regex * append * overwrite

  • action_community_argument (str) – Argument to the action community value if needed * None * regex

  • action_community_modifier (str) – Argument to the action community value when type is ‘append’ or ‘overwrite’ * local-as * no-advertise * no-export * nopeer * 32-bit value * AS:VAL

  • action_extended_community_type (str) – Extended community update options * none (string, not to be confused with the Python type None) * remove-all * remove-regex * append * overwrite

  • action_extended_community_argument (str) – Argument to the action extended community value if needed

class panos.network.BgpPolicySuppressFilter(*args, **kwargs)[source]

BGP Policy Suppress Filter

Parameters:
  • name (str) – Name of filter

  • enable (bool) – Enable rule.

  • match_afi (str) – Address Family Identifier * ip * ipv6

  • match_safi (str) – Subsequent Address Family Identifier * ip * ipv6

  • match_route_table (str) – Route table to match rule * unicast * multicast * both

  • match_nexthop (list) – Next-hop attributes

  • match_from_peer (list) – Filter by peer that sent this route

  • match_med (int) – Multi-Exit Discriminator

  • match_as_path_regex (str) – AS-path regular expression

  • match_community_regex (str) – Community AS-path regular expression

  • match_extended_community_regex (str) – Extended Community AS-path regular expression

class panos.network.BgpRedistributionRule(*args, **kwargs)[source]

BGP Policy Address Prefix with Exact

Parameters:
  • name (str) – Redistribution profile name

  • enable (bool) – Enable redistribution rule.

  • address_family_identifier (str) – Select redistribution profile type * ipv4 * ipv6

  • route_table (str) – Select destination SAFI for redistribution * unicast * multicast * both

  • set_origin (str) – Add the ORIGIN path attribute * igp * egp * incomplete

  • set_med (int) – Add the MULTI_EXIT_DISC path attribute

  • set_local_preference (int) – Add the LOCAL_PREF path attribute

  • set_as_path_limit (int) – Add the AS_PATHLIMIT path attribute

  • set_community (list) – Add the COMMUNITY path attribute

  • set_extended_community (list) – Add the EXTENDED COMMUNITY path attribute

  • metric (int) – Metric value

class panos.network.BgpRoutingOptions(*args, **kwargs)[source]

BGP Routing Options

Parameters:
  • as_format (str) – AS format (‘2-byte’/’4-byte’)

  • always_compare_med (bool) – always compare MEDs

  • deterministic_med_comparison (bool) – deterministic MEDs comparison

  • default_local_preference (int) – default local preference

  • graceful_restart_enable (bool) – enable graceful restart

  • gr_stale_route_time (int) – time to remove stale routes after peer restart (in seconds)

  • gr_local_restart_time (int) – local restart time to advertise to peer (in seconds)

  • gr_max_peer_restart_time (int) – maximum of peer restart time accepted (in seconds)

  • reflector_cluster_id (str) – route reflector cluster ID

  • confederation_member_as (str) – 32-bit value in decimal or dot decimal AS.AS format

  • aggregate_med (bool) – aggregate route only if they have same MED attributes

class panos.network.Dhcp(*args, **kwargs)[source]

DHCP config.

Parameters:

name (str) – Interface name.

class panos.network.DhcpRelay(*args, **kwargs)[source]

DHCP relay config.

Parameters:
  • name (str) – The (interface) name

  • enabled (bool) – Enabled.

  • servers (list) – Relay server IP addresses.

  • ipv6_enabled (bool) – Enable DHCPv6 relay.

class panos.network.DhcpRelayIpv6Address(*args, **kwargs)[source]

DHCP relay IPv6 address.

Parameters:
  • name (str) – DHCP server IPv6 address.

  • interface (str) – Outgoing interface when using an IPv6 multicast address for the DHCPv6 server.

class panos.network.EthernetInterface(*args, **kwargs)[source]

Ethernet interface (eg. ‘ethernet1/1’)

Parameters:
  • name (str) – Name of interface (eg. ‘ethernet1/1’)

  • mode (str) –

    Mode of the interface:
    • layer3

    • layer2

    • virtual-wire

    • tap

    • ha

    • decrypt-mirror

    • aggregate-group

    Not all modes apply to all interface types (Default: layer3)

  • ip (tuple) – Layer3: Interface IPv4 addresses

  • ipv6_enabled (bool) – Layer3: IPv6 Enabled (requires IPv6Address child object)

  • management_profile (ManagementProfile) – Layer3: Interface Management Profile

  • mtu (int) – Layer3: MTU for interface

  • adjust_tcp_mss (bool) – Layer3: Adjust TCP MSS

  • netflow_profile (str) – Netflow profile

  • lldp_enabled (bool) – Layer2: Enable LLDP

  • lldp_profile (str) – Layer2: Reference to an lldp profile

  • netflow_profile_l2 (str) – Netflow profile

  • link_speed (str) – Link speed: eg. auto, 10, 100, 1000

  • link_duplex (str) – Link duplex: eg. auto, full, half

  • link_state (str) – Link state: eg. auto, up, down

  • aggregate_group (str) – Aggregate interface (eg. ae1)

  • comment (str) – The interface’s comment

  • ipv4_mss_adjust (int) – (PAN-OS 7.1+) TCP MSS adjustment for ipv4

  • ipv6_mss_adjust (int) – (PAN-OS 7.1+) TCP MSS adjustment for ipv6

  • enable_dhcp (bool) – Enable DHCP on this interface

  • create_dhcp_default_route (bool) – Create default route pointing to default gateway provided by server

  • dhcp_default_route_metric (int) – Metric for the DHCP default route

  • enable_untagged_subinterface (bool) – (PAN-OS 7.1+) Enable untagged subinterface

  • decrypt_forward (bool) – (PAN-OS 8.1+) Decrypt forward.

  • rx_policing_rate (int) – (PAN-OS 8.1+) Receive policing rate

  • tx_policing_rate (int) – (PAN-OS 8.1+) Transmit policing rate

  • dhcp_send_hostname_enable (bool) – Enable send firewall or custom hostname to DHCP server

  • dhcp_send_hostname_value (string) – Set interface hostname

class panos.network.GreTunnel(*args, **kwargs)[source]

GRE Tunnel configuration.

Note: This is valid for PAN-OS 9.0+

Parameters:
  • name – GRE tunnel name.

  • interface – Interface to terminate tunnel.

  • local_address_type – Type of local address. Can be “ip” (default) or “floating-ip”.

  • local_address_value – IP address value.

  • peer_address – Peer IP address.

  • tunnel_interface – To apply GRE tunnels to tunnel interface.

  • ttl (int) – TTL.

  • copy_tos (bool) – Copy IP TOS bits from inner packet to GRE packet.

  • enable_keep_alive (bool) – Enable tunnel monitoring.

  • keep_alive_interval (int) – Interval.

  • keep_alive_retry (int) – Retry.

  • keep_alive_hold_timer (int) – Hold timer.

  • disabled (bool) – Disable the GRE tunnel.

class panos.network.IPv6Address(*args, **kwargs)[source]

IPv6 Address

Can be added to any panos.network.Interface subclass that supports IPv6.

Parameters:
  • address (str) – The IPv6 address

  • enable_on_interface (bool) – Enabled IPv6 on the interface this object was added to

  • prefix (bool) – Use interface ID as host portion

  • anycast (bool) – Enable anycast

  • advertise_enabled (bool) – Enabled router advertisements

  • valid_lifetime (int) – Valid lifetime

  • preferred_lifetime (int) – Preferred lifetime

  • onlink_flag (bool) –

  • auto_config_flag (bool) –

class panos.network.IkeCryptoProfile(*args, **kwargs)[source]

IKE SA proposal.

Parameters:
  • name – IKE crypto profile name

  • dh_group (string/list) – phase-1 DH group: group1, group2, group5, group14, group19 (7.0+), or group20 (7.0+).

  • authentication (string/list) – hashing algorithm: md5, sha1, sha256, sha384, or sha512.

  • encryption (string/list) – encryption algorithm: des (7.1+), 3des, aes128 / aes-128-cbc, aes192 / aes-192-cbc, or aes256 / aes-256-cbc. If you need to be able to work with older than 7.0 firewalls, then use set_encryption().

  • lifetime_seconds (int) – IKE SA lifetime in seconds

  • lifetime_minutes (int) – IKE SA lifetime in minutes

  • lifetime_hours (int) – IKE SA lifetime in hours

  • lifetime_days (int) – IKE SA lifetime in days

  • authentication_multiple (int) – (7.0+) IKEv2 SA reauthentication interval equals authentication_multiple * lifetime; 0 means reauthentication is disabled.

set_encryption(value)[source]

Version agnostic set for encryption.

This object should be connected to a panos.Firewall before invocation.

Valid values include the following:
  • des (7.1+)

  • 3des

  • aes128

  • aes-128-cbc

  • aes192

  • aes-192-cbc

  • aes256

  • aes-256-cbc

Raises:
  • PanDeviceNotSet – if there is no Firewall in the object tree

  • ValueError – if value is not one of the above, or you attempt to configure 3des with this object connected to a PANOS 7.0 or earlier firewall.

class panos.network.IkeGateway(*args, **kwargs)[source]

IKE Gateway.

Parameters:
  • name – IKE gateway name

  • version – (7.0+) ikev1, ikev2, or ikev2-prefered (default: ikev1)

  • enable_ipv6 (bool) – (7.0+) enable IPv6

  • disabled (bool) – (7.0+) disable this object

  • peer_ip_type – ip, dynamic, or fqdn (8.1+) (default: ip)

  • peer_ip_value – the IP for peer_ip_type of ‘ip’ or ‘fqdn’

  • interface – local gateway end-point

  • local_ip_address_type – ip or floating-ip

  • local_ip_address – IP address if interface has multiple addresses

  • auth_type – pre-shared-key or certificate (default: pre-shared-key)

  • pre_shared_key – The string used as pre-shared key

  • local_id_type – ipaddr, fqdn, ufqdn, keyid, or dn

  • local_id_value – The value for local_id_type

  • peer_id_type – ipaddr, fqdn, ufqdn, keyid, or dn

  • peer_id_value – The value for peer_id_type

  • peer_id_check – exact or wildcard (default: exact)

  • local_cert – Local certificate name

  • cert_enable_hash_and_url (bool) – (7.0+) Use hash-and-url for local certificate.

  • cert_base_url – (7.0+) The host and directory part of URL for local certificates (http only).

  • cert_use_management_as_source (bool) – (7.0+) Use management interface IP as source to retrieve http certificates

  • cert_permit_payload_mismatch (bool) – Permit peer identification and certificate payload identification mismatch.

  • cert_profile – Local certificate name

  • cert_enable_strict_validation (bool) – Enable strict validation of peer’s extended key use

  • enable_passive_mode (bool) – Enable passive mode (responder only)

  • enable_nat_traversal (bool) – Enable NAT traversal

  • nat_traversal_keep_alive (int) – sending interval for NAT keep-alive packets (in seconds)

  • nat_traversal_enable_udp_checksum (bool) – enable UDP checksum

  • enable_fragmentation (bool) – Enable IKE fragmentation

  • ikev1_exchange_mode – auto, main, or aggressive

  • ikev1_crypto_profile – IKE SA crypto oprofile name

  • enable_dead_peer_detection (bool) – enable Dead-Peer-Detection

  • dead_peer_detection_interval (int) – sending interval for probing packets (in seconds)

  • dead_peer_detection_retry (int) – number of retries before disconnection

  • ikev1_send_commit_bit (bool) – Send commit bit

  • ikev1_initial_contact (bool) – send initial contact

  • ikev2_crypto_profile – (7.0+) IKE SE crypto profile name

  • ikev2_cookie_validation (bool) – (7.0+) require cookie

  • ikev2_send_peer_id (bool) – (7.0+) send peer ID

  • enable_liveness_check (bool) – (7.0+) enable sending empty information liveness check message

  • liveness_check_interval (int) – (7.0+) delay interval before sending probing packets (in seconds)

class panos.network.Interface(*args, **kwargs)[source]

Base class for all interfaces

Do not instantiate this object. Use a subclass. Methods in this class are available to all interface subclasses.

Parameters:
  • name (str) – Name of the interface

  • state (str) – Link state, ‘up’ or ‘down’

full_delete(refresh=False, delete_referencing_objects=False, include_vsys=False)[source]

Delete the interface and all references to the interface

Often when deleting an interface there is an API error because there are still references to the interface from zones, virtual-router, vsys, etc. This method deletes all references to the interface before deleting the interface itself.

Parameters:
  • refresh (bool) – Refresh the current state of the device before taking action

  • delete_referencing_objects (bool) – Delete the entire object that references this interface

get_counters()[source]

Pull the counters for an interface

Returns:

counter name as key, counter as value, None if interface is

not configured

Return type:

dict

refresh_state()[source]

Pull the state of the interface from the firewall

The attribute ‘state’ is populated with the current state from the firewall.

Returns:

The current state from the firewall

Return type:

str

set_virtual_router(virtual_router_name, refresh=False, update=False, running_config=False, return_type='object')[source]

Set the virtual router for this interface

Creates a reference to this interface in the specified virtual router and removes references to this interface from all other virtual routers. The virtual router will be created if it doesn’t exist.

Parameters:
  • virtual_router_name (str) – The name of the VirtualRouter or a panos.network.VirtualRouter instance

  • refresh (bool) – Refresh the relevant current state of the device before taking action (Default: False)

  • update (bool) – Apply the changes to the device (Default: False)

  • running_config – If refresh is True, refresh from the running configuration (Default: False)

  • return_type (str) – Specify what this function returns, can be either ‘object’ (the default) or ‘bool’. If this is ‘object’, then the return value is the VirtualRouter in question. If this is ‘bool’, then the return value is a boolean that tells you about if the live device needs updates (update=False) or was updated (update=True).

Returns:

The zone for this interface after the operation completes

Return type:

Zone

set_vlan(vlan_name, refresh=False, update=False, running_config=False, return_type='object')[source]

Set the vlan for this interface

Creates a reference to this interface in the specified vlan and removes references to this interface from all other interfaces. The vlan will be created if it doesn’t exist.

Parameters:
  • vlan_name (str) – The name of the vlan or a panos.network.Vlan instance

  • refresh (bool) – Refresh the relevant current state of the device before taking action (Default: False)

  • update (bool) – Apply the changes to the device (Default: False)

  • running_config – If refresh is True, refresh from the running configuration (Default: False)

  • return_type (str) – Specify what this function returns, can be either ‘object’ (the default) or ‘bool’. If this is ‘object’, then the return value is the Vlan in question. If this is ‘bool’, then the return value is a boolean that tells you about if the live device needs updates (update=False) or was updated (update=True).

Raises:

AttributeError – if this class is not allowed to use this function.

Returns:

The VLAN for this interface after the operation completes

Return type:

Vlan

set_zone(zone_name, mode=None, refresh=False, update=False, running_config=False, return_type='object')[source]

Set the zone for this interface

Creates a reference to this interface in the specified zone and removes references to this interface from all other zones. The zone will be created if it doesn’t exist.

Parameters:
  • zone_name (str) – The name of the Zone or a panos.network.Zone instance

  • mode (str) – The mode of the zone. See panos.network.Zone for possible values

  • refresh (bool) – Refresh the relevant current state of the device before taking action (Default: False)

  • update (bool) – Apply the changes to the device (Default: False)

  • running_config – If refresh is True, refresh from the running configuration (Default: False)

  • return_type (str) – Specify what this function returns, can be either ‘object’ (the default) or ‘bool’. If this is ‘object’, then the return value is the Zone in question. If this is ‘bool’, then the return value is a boolean that tells you about if the live device needs updates (update=False) or was updated (update=True).

Returns:

The zone for this interface after the operation completes

Return type:

Zone

up()[source]

Link state of interface

Returns:

True if state is ‘up’, False if state is ‘down’,

’unconfigured’ or other

Return type:

bool

class panos.network.IpsecCryptoProfile(*args, **kwargs)[source]

IPSec SA proposals.

Parameters:
  • name – IPSec crypto profile name

  • esp_encryption (string/list) – des, 3des, null, aes128 / aes-128-cbc, aes192 / aes-192-cbc, aes256 / aes-256-cbc, aes-128-gcm (7.0+), or aes-256-gcm (7.0+). If you need to write a script that works older than 7.0 firewalls, then please use set_esp_encryption().

  • esp_authentication (string/list) – none, md5, sha1, sha256, sha384, or sha512

  • ah_authentication (string/list) – md5, sha1, sha256, sha384, or sha512

  • dh_group – no-pfs, group1, group2, group5, group14, group19, or group20

  • lifetime_seconds (int) – IPSec SA lifetime in seconds

  • lifetime_minutes (int) – IPSec SA lifetime in minutes

  • lifetime_hours (int) – IPSec SA lifetime in hours

  • lifetime_days (int) – IPSec SA lifetime in days

  • lifesize_kb (int) – IPSec SA lifesize in kilobytes (KB)

  • lifesize_mb (int) – IPSec SA lifesize in megabytes (MB)

  • lifesize_gb (int) – IPSec SA lifesize in gigabytes (GB)

  • lifesize_tb (int) – IPSec SA lifesize in terabytes (TB)

set_esp_encryption(value)[source]

Version agnostic set for esp_encryption.

This object should be connected to a panos.Firewall before invocation.

Valid values include the following:
  • des

  • 3des

  • aes128

  • aes-128-cbc

  • aes192

  • aes-192-cbc

  • aes256

  • aes-256-cbc

  • aes-128-gcm (7.0+)

  • aes-256-gcm (7.0+)

  • null

Parameters:

value (string/list) – values to put in esp_encryption

Raises:
  • PanDeviceNotSet – if there is no Firewall in the object tree

  • ValueError – if value is not one of the above, or you attempt to configure aes-128-gcm or aes-256-gcm with this object connected to a PANOS 6.1 firewall.

class panos.network.IpsecTunnel(*args, **kwargs)[source]

IPSec Tunnel

A large number of params have prefixes:
  • ak: Auto Key

  • mk: Manual Key

  • gps: GlobalProtect Satellite

Only attach IpsecTunnelIpv4ProxyId or IpsecTunnelIpv4ProxyId objects to this one if you are using type=’auto-key’.

Parameters:
  • name – IPSec tunnel name

  • tunnel_interface – apply IPSec VPN tunnels to tunnel interface

  • ipv6 (bool) – (7.0+) use IPv6 for the IPSec tunnel

  • type – auto-key (default), manual-key, or global-protect-satellite

  • ak_ike_gateway (string/list) – IKE gateway name

  • ak_ipsec_crypto_profile – IPSec crypto profile name

  • mk_local_spi – outbound SPI in hex

  • mk_interface – interface to terminate tunnel

  • mk_remote_spi – inbound SPI in hex

  • mk_remote_address – tunnel peer IP address

  • mk_local_address_ip – exact IP address if interface has multiple IP addresses

  • mk_local_address_floating_ip – floating IP address in HA Active-Active configuration

  • mk_protocol – esp or ah

  • mk_auth_type – md5, sha1, sha256, sha384, or sha512

  • mk_auth_key – the key for the given mk_auth_type

  • mk_esp_encryption – des, 3des, aes128 / aes-128-cbc, aes192 / aes-192-cbc, aes256 / aes-256-cbc, or null. The various “aes” options changed in version 7.0 onward. If you need to make a script that is compatible with 6.1 PANOS, then use “set_mk_esp_encryption()”. Passing it either “aes128” or “aes-128-cbc” will have it set the appropriate string for the given version.

  • mk_esp_encryption_key – The ESP encryption key for mk_esp_encryption type

  • gps_portal_address – GlobalProtect portal address

  • gps_prefer_ipv6 (bool) – (8.0+) perfer to register portal in IPv6

  • gps_interface – interface to communicate with portal

  • gps_interface_ipv4_ip – exact IPv4 IP address if interface has multiple IP addresses

  • gps_interface_ipv6_ip – (8.0+) exact IPv6 IP address if interface has multiple IP addresses

  • gps_interface_ipv4_floating_ip – (7.0+) floating IPv4 IP address in HA Active-Active configuration

  • gps_interface_ipv6_floating_ip – (8.0+) floating IPv6 IP address in HA Active-Active configuration

  • gps_publish_connected_routes (bool) – enable publishing of connected and static routes

  • gps_publish_routes (str/list) – specify list of routes to publish to GlobalProtect gateway

  • gps_local_certificate – GlobalProtect satellite certificate file name

  • gps_certificate_profile – profile for authenticating GlobalProtect gateway certificates

  • anti_replay (bool) – enable anti-replay check on this tunnel

  • copy_tos (bool) – copy IP TOS bits from inner packet to IPSec packet (not recommended)

  • copy_flow_label (bool) – (7.0+) copy IPv6 flow label for 6in6 tunnel from inner packet to IPSec packet (not recommended)

  • enable_tunnel_monitor (bool) – enable tunnel monitoring on this tunnel

  • tunnel_monitor_dest_ip – destination IP to send ICMP probe

  • tunnel_monitor_proxy_id – (7.0+) which proxy-id (or proxy-id-v6) the monitoring traffic will use

  • tunnel_monitor_profile – monitoring action

  • disabled (bool) – (7.0+) disable the IPSec tunnel

set_mk_esp_encryption(value)[source]

Version agnostic set for mk_esp_encryption.

This object should be connected to a panos.Firewall before invocation.

Valid values include the following:
  • des

  • 3des

  • aes128

  • aes-128-cbc

  • aes192

  • aes-192-cbc

  • aes256

  • aes-256-cbc

  • null

Raises:
  • PanDeviceNotSet – if there is no Firewall in the object tree

  • ValueError – if value is not one of the above

class panos.network.IpsecTunnelIpv4ProxyId(*args, **kwargs)[source]

IKEv1 proxy-id for auto-key IPSec tunnels.

Parameters:
  • name – The proxy ID

  • local – IP subnet or IP address represents local network

  • remote – IP subnet or IP address represents remote network

  • any_protocol (bool) – Any protocol

  • number_protocol (int) – Numbered Protocol: protocol number (1-254)

  • tcp_local_port (int) – Protocol TCP: local port

  • tcp_remote_port (int) – Protocol TCP: remote port

  • udp_local_port (int) – Protocol UDP: local port

  • udp_remote_port (int) – Protocol UDP: remote port

class panos.network.IpsecTunnelIpv6ProxyId(*args, **kwargs)[source]

IKEv1 IPv6 proxy-id for auto-key IPSec tunnels.

NOTE: Only supported in 7.0 and forward.

Parameters:
  • name – The proxy ID

  • local – IP subnet or IP address represents local network

  • remote – IP subnet or IP address represents remote network

  • any_protocol (bool) – Any protocol

  • number_protocol (int) – Numbered Protocol: protocol number (1-254)

  • tcp_local_port (int) – Protocol TCP: local port

  • tcp_remote_port (int) – Protocol TCP: remote port

  • udp_local_port (int) – Protocol UDP: local port

  • udp_remote_port (int) – Protocol UDP: remote port

class panos.network.Layer2Subinterface(*args, **kwargs)[source]

Ethernet or Aggregate Subinterface in Layer 2 mode.

Parameters:
  • name (str) – The name

  • tag (int) – Tag for the interface, aka vlan id

  • lldp_enabled (bool) – Enable LLDP

  • lldp_profile (str) – Reference to an lldp profile

  • netflow_profile_l2 (str) – Netflow profile

  • comment (str) – The interface’s comment

class panos.network.Layer3Subinterface(*args, **kwargs)[source]

Ethernet or Aggregate Subinterface in Layer 3 mode.

Parameters:
  • name (str) – The name

  • tag (int) – Tag for the interface, aka vlan id

  • ip (tuple) – Interface IPv4 addresses

  • ipv6_enabled (bool) – IPv6 Enabled (requires IPv6Address child object)

  • management_profile (ManagementProfile) – Interface Management Profile

  • mtu (int) – MTU for interface

  • adjust_tcp_mss (bool) – Adjust TCP MSS

  • netflow_profile (str) – Netflow profile

  • comment (str) – The interface’s comment

  • ipv4_mss_adjust (int) – TCP MSS adjustment for ipv4

  • ipv6_mss_adjust (int) – TCP MSS adjustment for ipv6

  • enable_dhcp (bool) – Enable DHCP on this interface

  • create_dhcp_default_route (bool) – Create default route pointing to default gateway provided by server

  • dhcp_default_route_metric (int) – Metric for the DHCP default route

  • decrypt_forward (bool) – (PAN-OS 8.1+) Decrypt forward.

class panos.network.LogicalRouter(*args, **kwargs)[source]

Logical router

Parameters:
  • name (str) – Name of logical router

  • vrf (str) – Name of VRF

class panos.network.LoopbackInterface(*args, **kwargs)[source]

Loopback interface

Parameters:
  • name (str) – The name

  • ip (tuple) – Interface IPv4 addresses

  • ipv6_enabled (bool) – IPv6 Enabled (requires IPv6Address child object)

  • management_profile (ManagementProfile) – Interface Management Profile

  • mtu (int) – MTU for interface

  • adjust_tcp_mss (bool) – Adjust TCP MSS

  • netflow_profile (str) – Netflow profile

  • comment (str) – The interface’s comment

  • ipv4_mss_adjust (int) – TCP MSS adjustment for ipv4

  • ipv6_mss_adjust (int) – TCP MSS adjustment for ipv6

class panos.network.ManagementProfile(*args, **kwargs)[source]

Interface management provile.

Add to any of the following interfaces:

  • Layer3Subinterface

  • EthernetInterface

  • AggregateInterface

  • VlanInterface

  • LoopbackInterface

  • TunnelInterface

Parameters:
  • name (str) – The name

  • ping (bool) – Enable ping

  • telnet (bool) – Enable telnet

  • ssh (bool) – Enable ssh

  • http (bool) – Enable http

  • http_ocsp (bool) – Enable http-ocsp

  • https (bool) – Enable https

  • snmp (bool) – Enable snmp

  • response_pages (bool) – Enable response pages

  • userid_service (bool) – Enable userid service

  • userid_syslog_listener_ssl (bool) – Enable userid syslog listener ssl

  • userid_syslog_listener_udp (bool) – Enable userid syslog listener udp

  • permitted_ip (list) – The list of permitted IP addresses

class panos.network.Ospf(*args, **kwargs)[source]

OSPF Process

Parameters:
  • enable (bool) – Enable OSPF (Default: True)

  • router_id (str) – Router ID in IP format (eg. 1.1.1.1)

  • reject_default_route (bool) – Reject default route

  • allow_redist_default_route (bool) – Allow redistribution in default route

  • rfc1583 (bool) – rfc1583

  • spf_calculation_delay (int) – SPF calculation delay

  • lsa_interval (int) – LSA interval

  • graceful_restart_enable (bool) – Enable OSPF graceful restart

  • gr_grace_period (int) – Graceful restart period

  • gr_helper_enable (bool) – Graceful restart helper enable

  • gr_strict_lsa_checking (bool) – Graceful restart strict lsa checking

  • gr_max_neighbor_restart_time (int) – Graceful restart neighbor restart time

class panos.network.OspfArea(*args, **kwargs)[source]

OSPF Area

Parameters:
  • name (str) – Area in IP format

  • type (str) – Type of area, ‘normal’, ‘stub’, or ‘nssa’ (Default: normal)

  • accept_summary (bool) – Accept summary route - stub and nssa only

  • default_route_advertise (str) – ‘disable’ or ‘advertise’ (Default: disable) - stub and nssa only

  • default_route_advertise_metric (int) – Default route metric - stub and nssa only

  • default_route_advertise_type (str) – ‘ext-1’ or ‘ext2’ (Default: ext-2 - nssa only

class panos.network.OspfAreaInterface(*args, **kwargs)[source]

OSPF Area Interface

Parameters:
  • name (str) – Name of the interface (interface must exist)

  • enable (bool) – OSPF enabled on this interface

  • passive (bool) – Passive mode

  • link_type (str) – Link type, ‘broadcast’, ‘p2p’, or ‘p2mp’ (Default: broadcast)

  • metric (int) – Metric

  • priority (int) – Priority id

  • hello_interval (int) – Hello interval

  • dead_counts (int) – Dead counts

  • retransmit_interval (int) – Retransmit interval

  • transit_delay (int) – Transit delay

  • gr_delay (int) – Graceful restart delay

  • authentication (str) – Reference to a panos.network.OspfAuthProfile

class panos.network.OspfAuthProfile(*args, **kwargs)[source]

OSPF Authentication Profile

Parameters:
  • name (str) – Name of Auth Profile

  • type (str) – ‘password’ or ‘md5’

  • password (str) – The password if type is set to ‘password’. If type is set to ‘md5’, add a panos.network.OspfAuthProfileMd5

class panos.network.OspfAuthProfileMd5(*args, **kwargs)[source]

OSPF Authentication Profile

Parameters:
  • keyid (int) – Identifier for key

  • key (str) – The authentication key

  • preferred (bool) – This key is preferred

class panos.network.OspfExportRules(*args, **kwargs)[source]

OSPF Export Rules

Parameters:
  • name (str) – IP subnet or panos.network.RedistributionProfile

  • new_path_type (str) – New path type, ‘ext-1’ or ‘ext-2’ (Default: ext-2)

  • new_tag (str) – New tag (int or IP format)

  • metric (int) – Metric

class panos.network.OspfNeighbor(*args, **kwargs)[source]

OSPF Neighbor

Parameters:
  • name (str) – IP of neighbor

  • metric (int) – Metric

class panos.network.OspfNssaExternalRange(*args, **kwargs)[source]

OSPF NSSA External Range

Parameters:
  • name (str) – IP network with prefix

  • mode (str) – ‘advertise’ or ‘suppress’ (Default: advertise)

class panos.network.OspfRange(*args, **kwargs)[source]

OSPF Range

Parameters:
  • name (str) – IP network with prefix

  • mode (str) – ‘advertise’ or ‘suppress’ (Default: advertise)

class panos.network.PathMonitorDestination(*args, **kwargs)[source]

PathMonitorDestination Static Route

Parameters:
  • name (str) – Name of Path Monitor Destination

  • enable (bool) – Enable Path Monitor Destination

  • source (str) – Source ip of interface

  • destination (str) – Destination ip

  • interval (int) – Ping Interval (sec) (Default: 3)

  • count (int) – Ping count (Default: 5)

class panos.network.PhysicalInterface(*args, **kwargs)[source]

Absract base class for Ethernet and Aggregate Interfaces

Do not instantiate this object. Use a subclass.

set_zone(zone_name, mode=None, refresh=False, update=False, running_config=False, return_type='object')[source]

Set the zone for this interface

Creates a reference to this interface in the specified zone and removes references to this interface from all other zones. The zone will be created if it doesn’t exist.

Parameters:
  • zone_name (str) – The name of the Zone or a panos.network.Zone instance

  • mode (str) – The mode of the zone. See panos.network.Zone for possible values

  • refresh (bool) – Refresh the relevant current state of the device before taking action (Default: False)

  • update (bool) – Apply the changes to the device (Default: False)

  • running_config – If refresh is True, refresh from the running configuration (Default: False)

  • return_type (str) – Specify what this function returns, can be either ‘object’ (the default) or ‘bool’. If this is ‘object’, then the return value is the Zone in question. If this is ‘bool’, then the return value is a boolean that tells you about if the live device needs updates (update=False) or was updated (update=True).

Returns:

The zone for this interface after the operation completes

Return type:

Zone

class panos.network.RedistributionProfile(*args, **kwargs)[source]

Redistribution Profile

Parameters:
  • name (str) – Name of profile

  • priority (int) – Priority id

  • action (str) – ‘no-redist’ or ‘redist’

  • filter_type (tuple) – Any of ‘static’, ‘connect’, ‘rip’, ‘ospf’, or ‘bgp’

  • filter_interface (tuple) – Filter interface

  • filter_destination (tuple) – Filter destination

  • filter_nexthop (tuple) – Filter nexthop

  • ospf_filter_pathtype (tuple) – Any of ‘intra-area’, ‘inter-area’, ‘ext-1’, or ‘ext-2

  • ospf_filter_area (tuple) – OSPF filter on area

  • ospf_filter_tag (tuple) – OSPF filter on tag

  • bgp_filter_community (tuple) – BGP filter on community

  • bgp_filter_extended_community (tuple) – BGP filter on extended community

class panos.network.RedistributionProfileBase(*args, **kwargs)[source]

Redistribution Profile

Parameters:
  • name (str) – Name of profile

  • priority (int) – Priority id

  • action (str) – ‘no-redist’ or ‘redist’

  • filter_type (tuple) – Any of ‘static’, ‘connect’, ‘rip’, ‘ospf’, or ‘bgp’

  • filter_interface (tuple) – Filter interface

  • filter_destination (tuple) – Filter destination

  • filter_nexthop (tuple) – Filter nexthop

  • ospf_filter_pathtype (tuple) – Any of ‘intra-area’, ‘inter-area’, ‘ext-1’, or ‘ext-2

  • ospf_filter_area (tuple) – OSPF filter on area

  • ospf_filter_tag (tuple) – OSPF filter on tag

  • bgp_filter_community (tuple) – BGP filter on community

  • bgp_filter_extended_community (tuple) – BGP filter on extended community

class panos.network.RedistributionProfileIPv6(*args, **kwargs)[source]

Redistribution Profile

Parameters:
  • name (str) – Name of profile

  • priority (int) – Priority id

  • action (str) – ‘no-redist’ or ‘redist’

  • filter_type (tuple) – Any of ‘static’, ‘connect’, ‘rip’, ‘ospf’, or ‘bgp’

  • filter_interface (tuple) – Filter interface

  • filter_destination (tuple) – Filter destination

  • filter_nexthop (tuple) – Filter nexthop

  • ospf_filter_pathtype (tuple) – Any of ‘intra-area’, ‘inter-area’, ‘ext-1’, or ‘ext-2

  • ospf_filter_area (tuple) – OSPF filter on area

  • ospf_filter_tag (tuple) – OSPF filter on tag

  • bgp_filter_community (tuple) – BGP filter on community

  • bgp_filter_extended_community (tuple) – BGP filter on extended community

class panos.network.Rip(*args, **kwargs)[source]

Add to a panos.network.VirtualRouter instance.

Parameters:
  • enable (bool) – Enable RIP

  • reject_default_route (bool) – Reject default route

  • allow_redist_default_route (bool) – Allow Redistribute Default Route

  • delete_intervals (int) – Delete Intervals

  • expire_intervals (int) – Expire Intervals

  • interval_seconds (int) – Interval Seconds (sec)

  • update_intervals (int) – Update Intervals

  • global_bfd_profile (str) – Global BFD profile

class panos.network.RipAuthProfile(*args, **kwargs)[source]

Rip Authentication Profile

Parameters:
  • name (str) – Name of Auth Profile

  • auth_type (str) – ‘password’ or ‘md5’

  • password (str) – The password if auth_type is set to ‘password’. If auth_type is set to ‘md5’, add a panos.network.RipAuthProfileMd5

class panos.network.RipAuthProfileMd5(*args, **kwargs)[source]

Rip Authentication Profile

Parameters:
  • keyid (int) – Identifier for key

  • key (str) – The authentication key

  • preferred (bool) – This key is preferred

class panos.network.RipExportRule(*args, **kwargs)[source]

Rip Export Rules

Parameters:
class panos.network.RipInterface(*args, **kwargs)[source]

Rip Interface

Add to a panos.network.Rip instance.

Parameters:
  • name (str) – Interface name

  • enable (bool) – Enable

  • advertise_default_route – Advertise default route * advertise * disable

  • metric (int) – Default route metric. Requires {advertise_default_route: “advertise”}

  • auth_profile (str) – Auth profile name

  • mode (str) – Mode of RipInterface * normal (default) * passive * send-only

class panos.network.RoutingProfileBfd(*args, **kwargs)[source]

BFD profile

Parameters:
  • name (str) – The name

  • mode (str) – BFD operation mode

  • min_tx_interval (int) – Desired Minimum Tx Interval (ms)

  • min_rx_interval (int) – Required Minimum Rx Interval (ms)

  • detection_multiplier (int) – Detection Time Multiplier

  • hold_time (int) Hold Time (ms) –

  • min_received_ttl (int) – Minimum accepted TTL on received BFD packet

class panos.network.RoutingProfileBgpAddressFamily(*args, **kwargs)[source]

BGP address family profile

Parameters:
  • name (str) – The name of the profile

  • afi (str) – Address Family Identifier

  • unicast_enable (bool) – Enable IPv4/IPv6 Unicast Profile

  • unicast_soft_reconfig_with_stored_info (bool) – Soft reconfiguration of peer with stored routes

  • unicast_add_path_tx_all_paths (bool) – Advertise all paths to peer

  • unicast_add_path_tx_bestpath_per_as (bool) – Advertise the bestpath per each neighboring AS

  • unicast_as_override (bool) – Override ASNs in outbound updates if AS-Path equals Remote-A

  • unicast_default_originate (bool) – Originate Default Route

  • unicast_route_reflector_client (bool) – Route Reflector Client

  • unicast_allowas_in (str) – Accept my AS in AS_PATH if route originated in my AS

  • unicast_allowas_in_occurrence (int) – Number of occurrences of AS number

  • unicast_maximum_prefix_num_prefixes (int) – Max allowed prefixes from this peer

  • unicast_maximum_prefix_threshold (int) – Threshold value (%) at which to generate a warning msg

  • unicast_maximum_prefix_action (str) – Action if max-prefixes reached

  • unicast_maximum_prefix_action_restart_interval (int) – Restart connection when limit exceeded

  • unicast_next_hop (str) – Disable next-hop calculation

  • unicast_remove_private_as (str) – Remove private ASNs in outbound updates

  • unicast_send_community (str) – Send community attributes

  • unicast_orf (str) – Advertise ORF (Outbound Route Filtering) Capability

  • unicast_default_originate_map (str) – Default Originate Route-Map

  • multicast_enable (bool) – Enable IPv4 Multicast Profile

  • multicast_soft_reconfig_with_stored_info (bool) – Soft reconfiguration of peer with stored routes

  • multicast_add_path_tx_all_paths (bool) – Advertise all paths to peer

  • multicast_add_path_tx_bestpath_per_as (bool) – Advertise the bestpath per each neighboring AS

  • multicast_as_override (bool) – Override ASNs in outbound updates if AS-Path equals Remote-A

  • multicast_default_originate (bool) – Originate Default Route

  • multicast_route_reflector_client (bool) – Route Reflector Client

  • multicast_allowas_in (str) – Accept my AS in AS_PATH if route originated in my AS

  • multicast_allowas_in_occurrence (int) – Number of occurrences of AS number

  • multicast_maximum_prefix_num_prefixes (int) – Max allowed prefixes from this peer

  • multicast_maximum_prefix_threshold (int) – Threshold value (%) at which to generate a warning msg

  • multicast_maximum_prefix_action (str) – Action if max-prefixes reached

  • multicast_maximum_prefix_action_restart_interval (int) – Restart connection when limit exceeded

  • multicast_next_hop (str) – Disable next-hop calculation

  • multicast_remove_private_as (str) – Remove private ASNs in outbound updates

  • multicast_send_community (str) – Send community attributes

  • multicast_orf (str) – Advertise ORF (Outbound Route Filtering) Capability

  • multicast_default_originate_map (str) – Default Originate Route-Map

class panos.network.RoutingProfileBgpAuth(*args, **kwargs)[source]

BGP authentication profile

Parameters:
  • name (str) – The name of the profile

  • secret (str) – Shared secret for the TCP MD5 authentication

class panos.network.RoutingProfileBgpDampening(*args, **kwargs)[source]

BGP dampening profile

Parameters:
  • name (str) – The name of the profile

  • description (str) – Description of the BGP Dampening Profile

  • half_life (int) – Half-life for the penalty

  • reuse_limit (int) – Value to start reusing a route

  • suppress_limit (int) – Value to start supressing the route

  • max_suppress_limit (int) – Maximum duration (in minutes) a route can be suppressed

class panos.network.RoutingProfileBgpFiltering(*args, **kwargs)[source]

BGP filtering profile

Parameters:
  • name (str) – The name of the profile

  • description (str) – Description of the profile

  • afi (str) – Address Family Identifier

class panos.network.RoutingProfileBgpRedistribution(*args, **kwargs)[source]

BGP redistribution profile

Parameters:
  • name (str) – The name of the profile

  • afi (str) – Address Family Identifier

  • static_enable (bool) – Enable Static Routes

  • static_metric (int) – Static Metric (Field ignored if route-map configured)

  • connected_enable (bool) – Enable Connected Routes

  • connected_metric (int) – Connected Metric (Field ignored if route-map configured)

  • ospf_enable (bool) – Enable OSPF Routes (only for IPv4)

  • ospf_metric (int) – OSPF Metric (Field ignored if route-map configured)

  • ospfv3_enable (bool) – Enable OSPFv3 Routes (only for IPv6)

  • ospfv3_metric (int) – OSPFv3 Metric (Field ignored if route-map configured)

  • rip_enable (bool) – Enable RIP Routes

  • rip_metric (int) – RIP Metric (Field ignored if route-map configured)

class panos.network.RoutingProfileBgpTimer(*args, **kwargs)[source]

BGP timer profile

Parameters:
  • name (str) – The name of the profile

  • keep_alive_interval (int) – Keep-alive interval

  • hold_time (int) – Hold time

  • reconnect_retry_interval (int) – Wait in the connect state before retrying connection to the peer

  • open_delay_time (int) – Delay time after peer TCP connection up and sending 1st BGP Open Message

  • min_route_adv_interval (int) – Minimum Route Advertisement Interval

class panos.network.RoutingProfileFilterAccessList(*args, **kwargs)[source]

Filter Access List

Parameters:
  • name (str) – The name of the access list

  • description (str) – Description of the access list

  • type (str) – IPv4 or IPv6

class panos.network.RoutingProfileFilterAccessListEntryIpv4(*args, **kwargs)[source]

Filter Access List - IPv4 entry

Parameters:
  • name (str) – The name of the entry

  • action (str) – Deny or permit action

  • source_address_type (str) – IPv4 Access-List Source Address (none, any, address)

  • source_address (str) – IPv4 Source Address

  • source_wildcard (str) – IPv4 Source Wildcard

  • destination_address_type (str) – IPv4 Access-List Destination Address (none, any, address)

  • destination_address (str) – IPv4 Destination Address

  • destination_wildcard (str) – IPv4 Destination Wildcard

class panos.network.RoutingProfileFilterAccessListEntryIpv6(*args, **kwargs)[source]

Filter Access List - IPv6 entry

Parameters:
  • name (str) – The name of the entry

  • action (str) – Deny or permit action

  • source_address_type (str) – IPv6 Access-List Source Address (none, any, address)

  • source_address (str) – IPv6 Source Address

  • source_exact_match (bool) – Exact Match of this address

class panos.network.RoutingProfileFilterAsPathAccessList(*args, **kwargs)[source]

Filter AS-Path Access List

Parameters:
  • name (str) – The name of the profile

  • description (str) – Description of the AS path access list

class panos.network.RoutingProfileFilterAsPathAccessListEntry(*args, **kwargs)[source]

Filter AS-Path Access List - entry

Parameters:
  • name (str) – The name of the AS-Path access list

  • action (str) – Deny or permit action

  • aspath_regex (str) – Regular-expression (1234567890_^|[,{}()]$*+.?-) to match the BGP AS path

class panos.network.RoutingProfileFilterCommunityList(*args, **kwargs)[source]

Filter Community List

Parameters:
  • name (str) – The name of the community list

  • description (str) – Description of the community list

  • type (str) – Community list entries type

class panos.network.RoutingProfileFilterCommunityListEntryExtended(*args, **kwargs)[source]

Filter Community List - extended entry

Parameters:
  • name (str) – The name of the entry

  • action (str) – Permit or Deny (default) this Extended Community-List Entry

  • ec_regex (list) – Specify Extended Community regular expression format {regex1:regex2}

class panos.network.RoutingProfileFilterCommunityListEntryLarge(*args, **kwargs)[source]

Filter Community List - large entry

Parameters:
  • name (str) – The name of the entry

  • action (str) – Permit or Deny (default) this Large Community-List Entry

  • lc_regex (list) – Specify Large Community regular expression format {regex1:regex2:regex3}

class panos.network.RoutingProfileFilterCommunityListEntryRegular(*args, **kwargs)[source]

Filter Community List - regular entry

Parameters:
  • name (str) – The name of the entry

  • action (str) – Permit or Deny (default) this Regular Community-List Entry

  • community (list) – Specify Community either using number in AA:NN format (where AA and NN are between (0-65535)) or pre-defined value

class panos.network.RoutingProfileFilterPrefixList(*args, **kwargs)[source]

Filter Prefix List

Parameters:
  • name (str) – The name of the prefix list

  • description (str) – Description of the prefix list

  • type (str) – IPv4 or IPv6

class panos.network.RoutingProfileFilterPrefixListEntryIpv4(*args, **kwargs)[source]

Filter Prefix List - IPv4 entry

Parameters:
  • name (str) – The name of the entry

  • action (str) – Deny or permit action

  • prefix (str) – IPv4 prefix list network (none, any, network)

  • network (str) – IPv4 prefix

  • greater_than_or_equal (int) – Maximum Prefix length to be matched

  • less_than_or_equal (int) – Minimum Prefix length to be matched

class panos.network.RoutingProfileFilterPrefixListEntryIpv6(*args, **kwargs)[source]

Filter Prefix List - IPv6 entry

Parameters:
  • name (str) – The name of the entry

  • action (str) – Deny or permit action

  • prefix (str) – IPv4 prefix list network (none, any, network)

  • network (str) – IPv4 prefix

  • greater_than_or_equal (int) – Maximum Prefix length to be matched

  • less_than_or_equal (int) – Minimum Prefix length to be matched

class panos.network.RoutingProfileFilterRouteMaps(*args, **kwargs)[source]

Filter BGP Route-Maps

Parameters:
  • name (str) – The name of BGP route map

  • description (str) – BGP route map description

class panos.network.RoutingProfileFilterRouteMapsEntry(*args, **kwargs)[source]

Filter BGP Route-Maps - entry

Parameters:
  • name (str) – The name of the entry

  • action (str) – Permit or Deny (default) route map

  • description (str) – Description of route map

  • match_as_path_access_list (str) – AS Path Access List Name

  • match_regular_community (str) – Regular Community Name

  • match_large_community (str) – Large Community Name

  • match_extended_community (str) – Extended Community Name

  • match_interface (str) – Match Interface of the route

  • match_origin (str) – Match origin

  • match_metric (str) – Match Metric (BGP MED) of route

  • match_tag (str) – Match Tag of route

  • match_local_preference (str) – “Match Local Preference of route

  • match_peer (str) – Match Peer Address

  • match_ipv4_address_access_list (str) – Match IPv4 Route - Route Access-List

  • match_ipv4_address_prefix_list (str) – Match IPv4 Route - Route Prefix-List

  • match_ipv4_next_hop_access_list (str) – Match IPv4 Next-Hop of Route - Access-List

  • match_ipv4_next_hop_prefix_list (str) – Match IPv4 Next-Hop of Route - Prefix-List

  • match_ipv4_route_source_access_list (str) – Match IPv4 Advertising Source Address of route - Access-List

  • match_ipv4_route_source_prefix_list (str) – Match IPv4 Advertising Source Address of route - Prefix-List

  • match_ipv6_address_access_list (str) – Match IPv6 Route - Route Access-List

  • match_ipv6_address_prefix_list (str) – Match IPv6 Route - Route Prefix-List

  • match_ipv6_next_hop_access_list (str) – Match IPv6 Next-Hop of Route - Access-List

  • match_ipv6_next_hop_prefix_list (str) – Match IPv6 Next-Hop of Route - Prefix-List

  • set_aggregator_as (str) – Set Aggregator AS Number

  • set_aggregator_router_id (str) – Set Aggregator Router ID

  • set_tag (str) – Set Tag of route

  • set_local_preference (str) – Set Local Preference of route

  • set_weight (str) – Set BGP weight of the route

  • set_origin (str) – Set BGP origin

  • set_atomic_aggregate (bool) – Enable BGP atomic aggregate

  • set_metric_action (str) – Set Metric action

  • set_metric_value (str) – Set Metric value (BGP MED) of route

  • set_originator_id (str) – Set BGP Originator Id

  • set_ipv4_source_address (str) – Source IPv4 Address

  • set_ipv4_next_hop (str) – IPv4 Next-Hop Address

  • set_ipv6_source_address (str) – Source IPv6 Address

  • set_ipv6_next_hop (str) – IPv6 Next-Hop Address

  • set_ipv6_next_hop_prefer_global (bool) – IPv6 Nexthop Prefer Global Address

  • set_overwrite_regular_community (bool) – If enabled, set community will overwite existing communities, instead of appending

  • set_overwrite_large_community (bool) – If enabled, set community will overwite existing large communities, instead of appending

  • set_remove_regular_community (str) – Remove Regular Community Name

  • set_remove_large_community (str) – Remove Large Community Name

  • set_aspath_exclude (list) – Remove BGP AS-Path Attribute

  • set_aspath_prepend (list) – Prepend BGP AS-Path Attribute

  • set_regular_community (list) – Regular Community either using number in AA:NN format (where AA and NN are between (0-65535)) or pre-defined value

  • set_large_community (list) – Large Community in AA:BB:CC format (where AA, BB and CC are between (0-4294967295))

class panos.network.RoutingProfileFilterRouteMapsRedistribution(*args, **kwargs)[source]

Filter BGP Route-Maps Redistribution

Parameters:
  • name (str) – The name of BGP route map redistribution

  • description (str) – BGP route map description redistribution

class panos.network.RoutingProfileOspfAuth(*args, **kwargs)[source]

OSPF authentication profile

Parameters:
  • name (str) – The name of the profile

  • password (str) – Simple password authentication

class panos.network.RoutingProfileOspfIfTimer(*args, **kwargs)[source]

OSPF interface timer profile

Parameters:
  • name (str) – The name of the profile

  • hello_interval (int) – Interval (in seconds) to send Hello packets

  • dead_counts (int) – Number of lost hello packets to declare router down

  • retransmit_interval (int) – Interval (in seconds) to retransmit LSAs

  • transit_delay (int) – Estimated delay (in seconds) to transmit LSAs

  • gr_delay (int) – Period (in seconds) used to send grace LSAs before first hello is sent when graceful restart starts

class panos.network.RoutingProfileOspfRedistribution(*args, **kwargs)[source]

OSPF redistribution profile

Parameters:
  • name (str) – The name of the profile

  • static (str) – IPv4 static section

  • static_enable (bool) – IPv4 static enabled

  • static_metric (int) – IPv4 static metric value (1-65535)

  • static_metric_type (str) – IPv4 static metric type (type-1, type-2)

  • connected (str) – Connected section

  • connected_enable (bool) – Connected enabled

  • connected_metric (int) – Connected metric value (1-65535)

  • connected_metric_type (str) – Connected metric type (type-1, type-2)

  • rip (str) – RIPv2 section

  • rip_enable (bool) – RIPv2 enabled

  • rip_metric (int) – RIPv2 metric value (1-65535)

  • rip_metric_type (str) – RIPv2 metric type (type-1, type-2)

  • bgp (str) – BGP AFI IPv4 section

  • bgp_enable (bool) – BGP AFI IPv4 enabled

  • bgp_metric (int) – BGP AFI IPv4 metric value (1-65535)

  • bgp_metric_type (str) – BGP AFI IPv4 metric type (type-1, type-2)

  • default_route (str) – IPv4 Default Route section

  • default_route_always (bool) – IPv4 Default Route always

  • default_route_enable (bool) – IPv4 Default Route enabled

  • default_route_metric (int) – IPv4 Default Route metric value (1-65535)

  • default_route_metric_type (str) – IPv4 Default Route metric type (type-1, type-2)

class panos.network.RoutingProfileOspfSpfTimer(*args, **kwargs)[source]

OSPF global timer profile

Parameters:
  • name (str) – The name of the profile

  • lsa_interval (int) – The minimum time in seconds between distinct originations of any particular LSA

  • spf_calculation_delay (int) – Delay in seconds before running the SPF algorithm

  • initial_hold_time (int) – Initial hold time (second) between consecutive SPF calculations

  • max_hold_time (int) – Maximum hold time (second)

class panos.network.RoutingProfileOspfv3Auth(*args, **kwargs)[source]

OSPFv3 authentication profile

Parameters:
  • name (str) – The name of the profile

  • spi (str) – SPI for both inbound and outbound SA, hex format xxxxxxxx.

  • protocol (str) – Protocol ESP or AH

  • esp_auth_type (str) – ESP options - Authentication type

  • esp_auth_key (str) – ESP options - Authentication key

  • esp_encrypt_algorithm (str) – ESP options - Encryption algorithm

  • esp_encrypt_key (str) – ESP options - Encryption key

  • ah_type (str) – AH options - type

  • ah_key (str) – AH options - key

class panos.network.RoutingProfileOspfv3IfTimer(*args, **kwargs)[source]

OSPFv3 interface timer profile

Parameters:
  • name (str) – The name of the profile

  • hello_interval (int) – Interval (in seconds) to send Hello packets

  • dead_counts (int) – Number of lost hello packets to declare router down

  • retransmit_interval (int) – Interval (in seconds) to retransmit LSAs

  • transit_delay (int) – Estimated delay (in seconds) to transmit LSAs

  • gr_delay (int) – Period (in seconds) used to send grace LSAs before first hello is sent when graceful restart starts

class panos.network.RoutingProfileOspfv3Redistribution(*args, **kwargs)[source]

OSPFv3 redistribution profile

Parameters:
  • name (str) – The name of the profile

  • static (str) – IPv4 static section

  • static_enable (bool) – IPv4 static enabled

  • static_metric (int) – IPv4 static metric value (1-65535)

  • static_metric_type (str) – IPv4 static metric type (type-1, type-2)

  • connected (str) – Connected section

  • connected_enable (bool) – Connected enabled

  • connected_metric (int) – Connected metric value (1-65535)

  • connected_metric_type (str) – Connected metric type (type-1, type-2)

  • bgp (str) – BGP AFI IPv4 section

  • bgp_enable (bool) – BGP AFI IPv4 enabled

  • bgp_metric (int) – BGP AFI IPv4 metric value (1-4294967295)

  • bgp_metric_type (str) – BGP AFI IPv4 metric type (type-1, type-2)

  • default_route (str) – IPv6 Default Route section

  • default_route_always (bool) – IPv6 Default Route always

  • default_route_enable (bool) – IPv6 Default Route enabled

  • default_route_metric (int) – IPv6 Default Route metric value (1-4294967295)

  • default_route_metric_type (str) – IPv6 Default Route metric type (type-1, type-2)

class panos.network.RoutingProfileOspfv3SpfTimer(*args, **kwargs)[source]

OSPFv3 global timer profile

Parameters:
  • name (str) – The name of the profile

  • lsa_interval (int) – The minimum time in seconds between distinct originations of any particular LSA

  • spf_calculation_delay (int) – Delay in seconds before running the SPF algorithm

  • initial_hold_time (int) – Initial hold time (second) between consecutive SPF calculations

  • max_hold_time (int) – Maximum hold time (second)

class panos.network.StaticMac(*args, **kwargs)[source]

Static MAC address for a Vlan

Can be added to a panos.network.Vlan object

Parameters:
  • mac (str) – The MAC address

  • interface (str) – Name of an interface

class panos.network.StaticRoute(*args, **kwargs)[source]

Static Route

Add to a panos.network.VirtualRouter instance.

Parameters:
  • name (str) – The name

  • destination (str) – Destination network

  • nexthop_type (str) – ip-address, discard, or next-vr

  • nexthop (str) – Next hop IP address or Next VR Name

  • interface (str) – Next hop interface

  • admin_dist (str) – Administrative distance

  • metric (int) – Metric (Default: 10)

  • enable_path_monitor (bool) – Enable Path Monitor

  • failure_condition (str) – Path Monitor failure condition set ‘any’ or ‘all’

  • preemptive_hold_time (int) – Path Monitor Preemptive Hold Time in minutes

class panos.network.StaticRouteV6(*args, **kwargs)[source]

IPV6 Static Route

Add to a panos.network.VirtualRouter instance.

Parameters:
  • name (str) – The name

  • destination (str) – Destination network

  • nexthop_type (str) – ip-address or discard

  • nexthop (str) – Next hop IP address

  • interface (str) – Next hop interface

  • admin_dist (str) – Administrative distance

  • metric (int) – Metric (Default: 10)

  • enable_path_monitor (bool) – Enable Path Monitor

  • failure_condition (str) – Path Monitor failure condition set ‘any’ or ‘all’

  • preemptive_hold_time (int) – Path Monitor Preemptive Hold Time in minutes

class panos.network.Subinterface(*args, **kwargs)[source]

Subinterface class

Do not instantiate this object. Use a subclass.

set_name()[source]

Create a name appropriate for a subinterface if it isn’t already

class panos.network.TunnelInterface(*args, **kwargs)[source]

Tunnel interface

Parameters:
  • name (str) – The name

  • ip (tuple) – Interface IPv4 addresses

  • ipv6_enabled (bool) – IPv6 Enabled (requires IPv6Address child object)

  • management_profile (ManagementProfile) – Interface Management Profile

  • mtu (int) – MTU for interface

  • netflow_profile (str) – Netflow profile

  • comment (str) – The interface’s comment

class panos.network.VirtualRouter(*args, **kwargs)[source]

Virtual router

Parameters:
  • name (str) – Name of virtual router (Default: “default”)

  • interface (list) – List of interface names

  • ad_static (int) – Administrative distance for this protocol

  • ad_static_ipv6 (int) – Administrative distance for this protocol

  • ad_ospf_int (int) – Administrative distance for this protocol

  • ad_ospf_ext (int) – Administrative distance for this protocol

  • ad_ospfv3_int (int) – Administrative distance for this protocol

  • ad_ospfv3_ext (int) – Administrative distance for this protocol

  • ad_ibgp (int) – Administrative distance for this protocol

  • ad_ebgp (int) – Administrative distance for this protocol

  • ad_rip (int) – Administrative distance for this protocol

class panos.network.VirtualWire(*args, **kwargs)[source]

Virtual wires (vwire)

Parameters:
  • name (str) – The vwire name

  • tag (int) – Tag for the interface, aka vlan id

  • interface1 (str) – The first interface to use

  • interface2 (str) – The second interface to use

  • multicast (bool) – Enable multicast firewalling or not

  • pass_through (bool) – Enable link state pass through or not

class panos.network.Vlan(*args, **kwargs)[source]
Parameters:
  • name (str) – The name

  • interface (list) – List of interface names

  • virtual_interface (VlanInterface) – The layer3 vlan interface for this vlan

class panos.network.VlanInterface(*args, **kwargs)[source]

Vlan interface

Parameters:
  • name (str) – Interface name

  • ip (tuple) – Interface IPv4 addresses

  • ipv6_enabled (bool) – IPv6 Enabled (requires IPv6Address child object)

  • management_profile (ManagementProfile) – Interface Management Profile

  • mtu (int) – MTU for interface

  • adjust_tcp_mss (bool) – Adjust TCP MSS

  • netflow_profile (str) – Netflow profile

  • comment (str) – The interface’s comment

  • ipv4_mss_adjust (int) – TCP MSS adjustment for ipv4

  • ipv6_mss_adjust (int) – TCP MSS adjustment for ipv6

  • enable_dhcp (bool) – Enable DHCP on this interface

  • create_dhcp_default_route (bool) – Create default route pointing to default gateway provided by server

  • dhcp_default_route_metric (int) – Metric for the DHCP default route

set_vlan_interface(vlan_name, refresh=False, update=False, running_config=False, return_type='object')[source]

Sets the VLAN’s VLAN interface to this VLAN interface

Creates a reference to this interface in the specified vlan and removes references to this interface from all other VLANs. The vlan will be created if it doesn’t exist.

Parameters:
  • vlan_name (str) – The name of the vlan or a panos.network.Vlan instance

  • refresh (bool) – Refresh the relevant current state of the device before taking action (Default: False)

  • update (bool) – Apply the changes to the device (Default: False)

  • running_config – If refresh is True, refresh from the running configuration (Default: False)

  • return_type (str) – Specify what this function returns, can be either ‘object’ (the default) or ‘bool’. If this is ‘object’, then the return value is the Vlan in question. If this is ‘bool’, then the return value is a boolean that tells you about if the live device needs updates (update=False) or was updated (update=True).

Returns:

The VLAN for this interface after the operation completes

Return type:

Vlan

class panos.network.Vrf(*args, **kwargs)[source]

VRF

Parameters:
  • name (str) – Name of VRF

  • interface (list) – List of interface names

  • ad_static (int) – Administrative distance for this protocol

  • ad_static_ipv6 (int) – Administrative distance for this protocol

  • ad_ospf_inter (int) – Administrative distance for this protocol

  • ad_ospf_intra (int) – Administrative distance for this protocol

  • ad_ospf_ext (int) – Administrative distance for this protocol

  • ad_ospfv3_inter (int) – Administrative distance for this protocol

  • ad_ospfv3_intra (int) – Administrative distance for this protocol

  • ad_ospfv3_ext (int) – Administrative distance for this protocol

  • ad_bgp_internal (int) – Administrative distance for this protocol

  • ad_bgp_external (int) – Administrative distance for this protocol

  • ad_bgp_local (int) – Administrative distance for this protocol

  • ad_rip (int) – Administrative distance for this protocol

  • bgp_enable (bool) – Enable BGP

  • bgp_router_id (str) – Router id of this BGP instance

  • bgp_local_as (str) – Local AS number

  • bgp_install_route (bool) – Populate BGP learned route to global route table

  • bgp_enforce_first_as (bool) – Enforce First AS

  • bgp_fast_external_failover (bool) – Immediately reset session if a link to a directly connected external peer goes down

  • bgp_ecmp_multi_as (bool) – Support multiple AS in ECMP

  • bgp_default_local_preference (int) – Global Default Local Preference

  • bgp_graceful_shutdown (bool) – Gracefully Shutdown BGP following RFC-8326

  • bgp_always_advertise_network_route (bool) – Always advertise network routes even if not present in RIB

  • bgp_med_always_compare_med (bool) – Always compare MEDs

  • bgp_med_deterministic_med_comparison (bool) – Deterministic MEDs comparison

  • bgp_graceful_restart_enable (bool) – Graceful-restart options enabled

  • bgp_graceful_restart_stale_route_time (int) – Time to remove stale routes after peer restart

  • bgp_graceful_max_peer_restart_time (int) – Maximum of peer restart time accepted

  • bgp_graceful_local_restart_time (int) – Local restart time to advertise to peer

  • bgp_global_bfd (str) – BGP Global BFD Profile

  • bgp_redistribution_profile_ipv4_unicast (str) – IPv4 Redistribution Profile

  • bgp_redistribution_profile_ipv6_unicast (str) – IPv6 Redistribution Profile

  • ospf_enable (bool) – Enable OSPF (Default: True)

  • ospf_router_id (str) – Router ID in IP format (eg. 1.1.1.1)

  • ospf_global_bfd (str) – OSPF Global BFD Profile

  • ospf_spf_timer (str) – SPF timer setting

  • ospf_global_if_timer (str) – Global protocol timer setting

  • ospf_redistribution_profile (str) – Redistribution profile setting

  • ospf_rfc1583 (bool) – RFC 1583 compatibility

  • ospf_graceful_restart_enable (bool) – Enable OSPF graceful restart

  • ospf_graceful_restart_grace_period (int) – Graceful restart period

  • ospf_graceful_restart_helper_enable (bool) – Graceful restart helper enable

  • ospf_graceful_restart_strict_lsa_checking (bool) – Graceful restart strict lsa checking

  • ospf_graceful_restart_max_neighbor_restart_time (int) – Graceful restart neighbor restart time

  • ospfv3_enable (bool) – Enable OSPFv3 (Default: True)

  • ospfv3_router_id (str) – Router ID in IP format (eg. 1.1.1.1)

  • ospfv3_global_bfd (str) – OSPFv3 Global BFD Profile

  • ospfv3_spf_timer (str) – SPF timer setting

  • ospfv3_global_if_timer (str) – Global protocol timer setting

  • ospfv3_redistribution_profile (str) – Redistribution profile setting

  • ospfv3_disable_transit_traffic (bool) – Disable R-Bit and v6-Bit

  • ospfv3_graceful_restart_enable (bool) – Enable OSPFv3 graceful restart

  • ospfv3_graceful_restart_grace_period (int) – Graceful restart period

  • ospfv3_graceful_restart_helper_enable (bool) – Graceful restart helper enable

  • ospfv3_graceful_restart_strict_lsa_checking (bool) – Graceful restart strict lsa checking

  • ospfv3_graceful_restart_max_neighbor_restart_time (int) – Graceful restart neighbor restart time

  • rib_filter_ipv4_static (str) – IPv4 static route map

  • rib_filter_ipv4_bgp (str) – IPv4 BGP route map

  • rib_filter_ipv4_ospf (str) – IPv4 OSPF route map

  • rib_filter_ipv6_static (str) – IPv6 static route map

  • rib_filter_ipv6_bgp (str) – IPv6 BGP route map

  • rib_filter_ipv6_ospfv3 (str) – IPv6 OSPFv3 route map

  • ecmp_enable (bool) – Enable Equal Cost Multipath

  • ecmp_symmetric_return (bool) – Allows return packets to egress out of the ingress interface of the flow

  • ecmp_strict_source_path (bool) – Force VPN traffic to exit interface that the source-ip belongs to

  • ecmp_max_path (int) – Maxmum number of ECMP paths supported, change this configuration will result in a virtual router restart

  • ecmp_algorithm (str) – Load balancing algorithm

  • ecmp_algorithm_src_only (bool) – Only use source address for hash

  • ecmp_algorithm_use_port (bool) – Use source/destination port for hash

  • ecmp_algorithm_hash_seed (int) – User-specified hash seed

class panos.network.VrfBgpPeer(*args, **kwargs)[source]

VRF BGP peer

Parameters:
  • name (str) – Name of the BGP peer

  • enable (bool) – Enable BGP peer

  • passive (bool) – If enabled, open messages are not sent to this peer

  • peer_as (int) – Peer AS number

  • enable_sender_side_loop_detection (bool) – Enable Sender Side Loop Detection

  • local_address_interface (str) – Interface to accept BGP session

  • local_address_ip (str) – Specify exact IP address if interface has multiple addresses

  • peer_address_type (str) – Peer address configuration

  • peer_address_value (str) – IP or FQDN

  • bfd_profile (str) – BFD profile

class panos.network.VrfBgpPeerGroup(*args, **kwargs)[source]

VRF BGP peer group

Parameters:
  • name (str) – Name of the BGP peer group

  • enable (bool) – Enabled BGP peer group

  • type (str) – Type of BGP peer group

  • address_family_ipv4 (str) – IPv4 Address Family

  • address_family_ipv6 (str) – IPv6 Address Family

  • filtering_profile_ipv4 (str) – IPv4 Filtering Profile

  • filtering_profile_ipv6 (str) – IPv6 Filtering Profile

  • connection_options_timers (str) – Timer Profile Name

  • connection_options_multihop (int) – Multi-hop value

  • connection_options_authentication (str) – Authentication Profile Name

  • connection_options_dampening (str) – Dampening Profile Name

class panos.network.VrfEcmpInterfaceWeight(*args, **kwargs)[source]

VRF ECMP interface and weight

Parameters:
  • name (str) – Interface name

  • weight (int) – Interface ECMP weight

class panos.network.VrfOspfArea(*args, **kwargs)[source]

VRF OSPF area

Parameters:
  • name (str) – The name

  • authentication (str) – Authentication profile name

  • type (str) – Area type

  • import_list (str) – Import list

  • export_list (str) – Export list

  • inbound_filter_list (str) – Inbound filter list

  • outbound_filter_list (str) – Outbound filter list

  • no_summary (bool) – No summary

  • metric (int) – Metric value

  • metric_type (str) – Metric type

class panos.network.VrfOspfAreaInterface(*args, **kwargs)[source]

VRF OSPF area interface

Parameters:
  • name (str) – Interface name

  • enable (bool) – Enable OSPF on this interface

  • mtu_ignore (bool) – Ignore mtu when try to establish adjacency

  • passive (bool) – “Suppress the sending of hello packets in this interface

  • priority (int) – Priority for OSPF designated router selection

  • link_type (str) – Link Type

  • metric (int) – Cost of OSPF interface

  • authentication (str) – Authentication options

  • bfd_profile (str) – BFD profile

  • timing (str) – Protocol timer setting

class panos.network.VrfOspfAreaRange(*args, **kwargs)[source]

VRF OSPF area range

Parameters:
  • name (str) – IP Address/Netmask

  • substitute (str) – Substitute network/prefix

  • advertise (bool) – Do summarization and advertise

VRF OSPF area virtual link

Parameters:
  • name (str) – Virtual link name

  • enable (bool) – Enable this virtual link

  • neighbor_id (str) – Neighbor router id for virtual link

  • transit_area_id (str) – ID of transit area, cannot be backbone, stub or NSSA

  • timing (str) – Timer profile

  • authentication (str) – Authentication options

class panos.network.VrfOspfv3Area(*args, **kwargs)[source]

VRF OSPFv3 area

Parameters:
  • name (str) – The name

  • authentication (str) – Authentication profile name

  • type (str) – Area type

  • import_list (str) – Import list

  • export_list (str) – Export list

  • inbound_filter_list (str) – Inbound filter list

  • outbound_filter_list (str) – Outbound filter list

  • no_summary (bool) – No summary

  • metric (int) – Metric value

  • metric_type (str) – Metric type

class panos.network.VrfOspfv3AreaInterface(*args, **kwargs)[source]

VRF OSPF area interface

Parameters:
  • name (str) – Interface name

  • enable (bool) – Enable OSPF on this interface

  • mtu_ignore (bool) – Ignore mtu when try to establish adjacency

  • passive (bool) – “Suppress the sending of hello packets in this interface

  • priority (int) – Priority for OSPF designated router selection

  • link_type (str) – Link Type

  • metric (int) – Cost of OSPF interface

  • instance_id (str) – OSPFv3 instance ID

  • authentication (str) – Authentication options

  • bfd_profile (str) – BFD profile

  • timing (str) – Protocol timer setting

class panos.network.VrfOspfv3AreaRange(*args, **kwargs)[source]

VRF OSPFv3 area range

Parameters:
  • name (str) – IP Address/Netmask

  • substitute (str) – Substitute network/prefix

  • advertise (bool) – Do summarization and advertise

VRF OSPF area virtual link

Parameters:
  • name (str) – Virtual link name

  • enable (bool) – Enable this virtual link

  • neighbor_id (str) – Neighbor router id for virtual link

  • transit_area_id (str) – ID of transit area, cannot be backbone, stub or NSSA

  • timing (str) – Timer profile

  • authentication (str) – Authentication options

class panos.network.VrfStaticRoute(*args, **kwargs)[source]

VRF Static Route

Add to a panos.network.Vrf instance.

Parameters:
  • name (str) – The name

  • destination (str) – Destination network

  • nexthop_type (str) – ip-address, discard, or next-vr

  • nexthop (str) – Next hop IP address or Next VR Name

  • interface (str) – Next hop interface

  • admin_dist (str) – Administrative distance

  • metric (int) – Metric (Default: 10)

  • enable_path_monitor (bool) – Enable Path Monitor

  • failure_condition (str) – Path Monitor failure condition set ‘any’ or ‘all’

  • preemptive_hold_time (int) – Path Monitor Preemptive Hold Time in minutes

  • bfd_profile (str) – Name of the BRF profile

class panos.network.VrfStaticRouteV6(*args, **kwargs)[source]

VRF Static Route IPv6

Add to a panos.network.Vrf instance.

Parameters:
  • name (str) – The name

  • destination (str) – Destination network

  • nexthop_type (str) – ip-address, discard, or next-vr

  • nexthop (str) – Next hop IP address or Next VR Name

  • interface (str) – Next hop interface

  • admin_dist (str) – Administrative distance

  • metric (int) – Metric (Default: 10)

  • enable_path_monitor (bool) – Enable Path Monitor

  • failure_condition (str) – Path Monitor failure condition set ‘any’ or ‘all’

  • preemptive_hold_time (int) – Path Monitor Preemptive Hold Time in minutes

  • bfd_profile (str) – Name of the BRF profile

class panos.network.Zone(*args, **kwargs)[source]

Security zone

Parameters:
  • name (str) – Name of the zone

  • mode (str) – The mode of the security zone. Must match the mode of the interface. Possible values: tap, virtual-wire, layer2, layer3, external

  • interface (list) – List of interface names or instantiated subclasses of panos.network.Interface.

  • zone_profile (str) – Zone protection profile

  • log_setting (str) – Log forwarding setting

  • enable_user_identification (bool) – If user identification is enabled

  • include_acl (list/str) – User identification ACL include list

  • exclude_acl (list/str) – User identification ACL exclude list

  • enable_packet_buffer_protection (bool) – (PAN-OS 8.0+) Enable packet buffer protection

  • enable_device_identification (bool) – (PAN-OS 10.0+) Enable device identification

  • device_include_acl (list) – (PAN-OS 10.0+) Device include ACLs list

  • device_exclude_acl (list) – (PAN-OS 10.0+) Device exclude ACLs list

panos.network.interface(name, *args, **kwargs)[source]

Interface object factory

Creates an interface object of type determined by the name of the interface.

Parameters:
  • name (str) – Name of the interface to create (eg. ethernet1/1.5)

  • mode (str) – Mode of the interface. Possible values: layer3, layer2, virtual-wire, tap, ha, aggregate-group. Default: None

Keyword Arguments:

tag (int) – Tag for the interface, aka vlan id

Returns:

An instantiated subclass of panos.network.Interface

Return type:

Interface