Palo Alto – Bulk rule editing via API and scripting

Perhaps all serious admins of Palo Alto firewalls have heard about the REST API that PAN provides with their firewalls. Not all of them have tried to automate their work though :).

You may not need to work with the API on a daily basis to perform routine firewall changes, but if you get involved with firewall migrations, bulk network changes and the like, then the API is a must-have!

I absolutely love it. You may not actually be very good at scripting, but rest assured that the bicycle of PAN API scripting has already been invented for you. The bicycle is called PAN-Configurator and you can get it from GitHub. If the link ever changes, the new one is likely to be referenced on the PAN web site here.

PAN-Configurator is a PHP library that aims to free you from XML as such (the native format of PAN firewalls’ configuration) and let you focus on the actual configuration tasks. Apart from various classes and functions, the library contains a number of ready-to-use scripts which you can call from your own scripts and batch files.

The high-level sequence of steps to get started with PAN-Configurator is as follows:

  1. Create a new Admin role for the XML API (I would not recommend allowing Commit for this role)
  2. Create a new user and assign it the role above
  3. Generate an API key
  4. Now you can use the key to make API calls from your scripts or to run the scripts from PAN-Configurator.

One of the most useful scripts within PAN-Configurator is rules-edit.php.

To use it you basically need to:

  1. define input mode – you can make changes to the candidate config directly on the firewall or you can export running-config from your firewall, work with that file offline and then import it back on to the firewall and commit the changes;
  2. define filter – this is how you define what firewall rules your change will be applied to; definition of filters is very similar to filters in firewall GUI
  3. define action – this is actually what to do with the rules which were selected by the filter

Here are some examples (taken from the PAN web page referenced above):

rules-edit.php in=api://fw1.mycompany.com actions=enableLogStart "filter=(to has dmz) and (dst has.only Webfarms)"

rules-edit.php in=config.xml actions=service-Set-AppDefault "filter=!(app is.any) and (service is.any)"

It’s worth noting that you may fail to make changes directly on the entry-level firewalls which run the latest codebases (i.e. a PA2020 on 6.x firmware is likely to struggle, and the option with config export/import may be the only one that works for you).

Play with these scripts and you will be amazed at how much you can do in no time at all. Luckily there is also a “Display” action that allows you to try any filter before you make actual change.
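To see what the second example above selects and changes when you work on an exported config offline, here is an added example (not part of PAN-Configurator and not from the original post) that approximates the filter `!(app is.any) and (service is.any)` and the service-Set-AppDefault action directly on the XML. The sample config is constructed, and the function names and the single-firewall `rulebase/security/rules` layout are assumptions of this sketch.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed fragment shaped like an exported firewall config.
# Assumption: single-firewall layout (no Panorama pre-/post-rulebase).
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain"><vsys>
<entry name="vsys1"><rulebase><security><rules>
  <entry name="web-in">
    <application><member>web-browsing</member><member>ssl</member></application>
    <service><member>any</member></service></entry>
  <entry name="legacy-any">
    <application><member>any</member></application>
    <service><member>any</member></service></entry>
  <entry name="dns-out">
    <application><member>dns</member></application>
    <service><member>application-default</member></service></entry>
</rules></security></rulebase></entry></vsys></entry></devices></config>"""

def members(rule, tag):
    """Return the <member> values under rule/<tag> as a set."""
    return {m.text.strip() for m in rule.findall(f"{tag}/member") if m.text}

def select_rules(root):
    """Security rules with specific applications but service 'any'."""
    hits = []
    for rule in root.findall(".//rulebase/security/rules/entry"):
        apps, svcs = members(rule, "application"), members(rule, "service")
        if apps and apps != {"any"} and svcs == {"any"}:
            hits.append(rule)
    return hits

def set_app_default(rule):
    """Replace the rule's service list with the single member application-default."""
    svc = rule.find("service")
    for m in list(svc):
        svc.remove(m)
    ET.SubElement(svc, "member").text = "application-default"

def preview_and_apply(xml_text):
    """Return (names of rules that change, modified tree) for review before import."""
    root = ET.fromstring(xml_text)
    hits = select_rules(root)
    names = [r.get("name") for r in hits]
    for r in hits:
        set_app_default(r)
    return names, root

if __name__ == "__main__":
    names, _ = preview_and_apply(SAMPLE_CONFIG)
    print("rules that would change:", names)
```

Reviewing the returned rule names before importing the edited file plays the same role as running the “Display” action first.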

And, by the way, despite the fact that PAN-Configurator is still a Beta, I would say it’s already quite mature and its author is not a random Palo Alto enthusiast but a technical lead from PAN EMEA Professional Services – Christophe Painchaud who does firewall migrations and similar jobs pretty much on a daily basis.

Thank you Chris!
