Palo Alto Networks Device Framework

arrow keys - navigate slides
down arrow - on a slide for code examples
spacebar - progress through all slides and code examples
esc - slide overview

What is pandevice?

Palo Alto Networks Device Framework (pandevice) is a python library for interacting with a
Next-generation Firewall or Panorama.
>>> import pandevice

7 reasons you should use
PanDevice Framework
for all your API calls

1. Easy connectivity

Direct to Firewall
Direct to Panorama
Panorama as proxy
Direct to Firewall
# Instantiate a Firewall with hostname and credentials
fw = Firewall("", "admin", "mypassword")
Direct to Panorama
# Instantiate a Panorama with hostname and credentials
pano = Panorama("", "admin", "mypassword")
Panorama as proxy
# Instantiate a Panorama with hostname and credentials
pano = Panorama("", "admin", "mypassword")
# Instantiate a Firewall with serial
fw = Firewall(serial="0002487YR3880")
# Add the Firewall as a child of Panorama

2. Config Object Model

  • Structure device configuration with objects
  • Pull objects from live firewalls or Panorama
  • Easily compare configuration
Create an address object
# Instantiate a Firewall with hostname and credentials
fw = Firewall('', 'admin', 'mypassword')
# Create an address object
webserver = AddressObject("Apache-webserver", "")
# Add the address object as a child of the firewall object
# Create the address object on the live firewall device

3. VSYS aware

  • Each firewall object represents a VSYS
  • Objects under a Firewall are scoped to that VSYS
  • Native separation of administrative domains for tenants
Working with VSYS
# Instantiate a Firewall object that represents vsys2
fw_vsys2 = Firewall("", "admin", "mypassword", vsys="vsys2")
# Instantiate a Firewall object that represents vsys3
fw_vsys3 = Firewall("", "admin", "mypassword", vsys="vsys3")
# Add an address object to vsys3
fw_vsys3.add(AddressObject("MyIP", "")).create()

4. High Availability Aware

HA link
  • Failed API calls automatically retry on the HA unit
  • Each config object knows it applies to one or both devices
  • Firewall and Panorama High Availability
Working with Firewall HA Pairs
# Instantiate two firewall objects
fw_1 = Firewall("", "admin", "mypassword")
fw_2 = Firewall("", "admin", "mypassword")
# Set as HA pair
# Create an address object
# (performed on active unit, not necessarily fw_1)
fw_1.add(AddressObject("MyIP", "")).create()
# Commit on active unit syncs address object to passive unit

5. Exception classification

Find and handle specific exceptions
Ignore one exception and handle another
# Instantiate a firewall object
fw = Firewall("", "admin", "mypassword")
    # Issue a commit that throws exceptions on error
    fw.commit(sync=True, exceptions=True)
except PanCommitNotNeeded:
    # Ignore
except PanCommitFailed as e:
    # Display the error and continue
    print "Error while committing: %s" % str(e)

6. Batch User-ID changes

  • Push multiple dynamic changes in a single API call
  • Propagate dynamic changes to all firewalls
Combine User-ID events into one API call
# Instantiate a Firewall object
fw = Firewall("", "admin", "mypassword")
# Begin a batch User-ID operation
# Add two login events to the batch
fw.userid.logins([("user1", ""), ("user2", "")])
# Add a logout event to the batch
fw.userid.logout("user3", "")
# Register an IP with 4 tags added to the batch
fw.userid.register("", ("linux", "server", "apache", "web"))
# Close the batch and send in a single API call to the live device

7. Enhances pan-python

Pan-python is under the hood.
Use pandevice the same places you use pan-python...
...with all the pandevice benefits:
  • Easy connectivity
  • VSYS
  • High Availability
  • etc
# 'show clock' with pan-python
key = PanXapi(None, "admin", "mypassword", None, "").keygen()
xapi = PanXapi(hostname="", api_key=key)
xapi.op("show clock", cmd_xml=False)

# 'show clock' with pandevice
fw = Firewall("", "admin", "mypassword")
fw.xapi.op("show clock", cmd_xml=False)

What are you waiting for?

Click the logos for more information:
Read the docs
Chat on Gitter