Palo Alto Networks Device Framework

1. Easy connectivity

Direct to Firewall

Direct to Panorama

Panorama as proxy

# Instantiate a Firewall with hostname and credentials
fw = Firewall("10.0.0.1", "admin", "mypassword")

# Instantiate a Panorama with hostname and credentials
pano = Panorama("10.0.0.5", "admin", "mypassword")

# Instantiate a Panorama with hostname and credentials
pano = Panorama("10.0.0.5", "admin", "mypassword")
# Instantiate a Firewall with serial
fw = Firewall(serial="0002487YR3880")
# Add the Firewall as a child of Panorama
pano.add(fw)

2. Config Object Model

• Structure device configuration with objects
• Pull objects from live firewalls or Panorama
• Easily compare configuration

# Instantiate a Firewall with hostname and credentials
fw = Firewall('10.0.0.1', 'admin', 'mypassword')
# Create an address object
webserver = AddressObject("Apache-webserver", "5.5.5.5")
# Add the address object as a child of the firewall object
fw.add(webserver)
# Create the address object on the live firewall device
webserver.create()

3. VSYS aware

• Each firewall object represents a VSYS
• Objects under a Firewall are scoped to that VSYS
• Native separation of administrative domains for tenants

# Instantiate a Firewall object that represents vsys2
fw_vsys2 = Firewall("10.0.0.1", "admin", "mypassword", vsys="vsys2")
# Instantiate a Firewall object that represents vsys3
fw_vsys3 = Firewall("10.0.0.1", "admin", "mypassword", vsys="vsys3")
# Add an address object to vsys3
fw_vsys3.add(AddressObject("MyIP", "2.2.2.2")).create()

4. High Availability Aware

HA link

• Failed API calls automatically retry on the HA unit
• Each config object knows it applies to one or both devices
• Firewall and Panorama High Availability

# Instantiate two firewall objects
fw_1 = Firewall("10.0.0.1", "admin", "mypassword")
fw_2 = Firewall("10.0.0.2", "admin", "mypassword")
# Set as HA pair
fw_1.set_ha_peer(fw_2)
fw1.refresh_active()
# Create an address object
# (performed on active unit, not necessarily fw_1)
fw_1.add(AddressObject("MyIP", "2.2.2.2")).create()
# Commit on active unit syncs address object to passive unit
fw_1.commit()

5. Exception classification

# Instantiate a firewall object
fw = Firewall("10.0.0.1", "admin", "mypassword")
try:
    # Issue a commit that throws exceptions on error
    fw.commit(sync=True, exceptions=True)
except PanCommitNotNeeded:
    # Ignore
    pass
except PanCommitFailed as e:
    # Display the error and continue
    print "Error while committing: %s" % str(e)

6. Batch User-ID changes

• Push multiple dynamic changes in a single API call
• Propagate dynamic changes to all firewalls

# Instantiate a Firewall object
fw = Firewall("10.0.0.1", "admin", "mypassword")
# Begin a batch User-ID operation
fw.userid.batch_start()
# Add two login events to the batch
fw.userid.logins([("user1", "4.4.4.4"), ("user2", "5.5.5.5")])
# Add a logout event to the batch
fw.userid.logout("user3", "3.3.3.3")
# Register an IP with 4 tags added to the batch
fw.userid.register("2.2.2.2", ("linux", "server", "apache", "web"))
# Close the batch and send in a single API call to the live device
fw.userid.batch_end()

7. Enhances pan-python

# 'show clock' with pan-python
key = PanXapi(None, "admin", "mypassword", None, "10.0.1.1").keygen()
xapi = PanXapi(hostname="10.0.1.1", api_key=key)
xapi.op("show clock", cmd_xml=False)

# 'show clock' with pandevice
fw = Firewall("10.0.0.1", "admin", "mypassword")
fw.xapi.op("show clock", cmd_xml=False)