I found the example of usage in here. The code will not work on python3. In fact i am not sure why the print(credentials) in the code is necessary, there is no arg passed into the PanXapi which puzzles me why the code will work.
To pass dictionary of arguments into the PanXapi method you will need double asterix.
So here’s the modification for python3, actually i have not tried on python2.7 yet, but i dun think it mattered to me since python3 will be de facto standard henceforth.
import pan.xapi
def get_pan_credentials():
cred = {}
cred['api_username'] = "admin"
cred['api_password'] = "admin"
cred['hostname'] = "192.168.1.104"
return cred
credentials = get_pan_credentials()
xapi = pan.xapi.PanXapi(**credentials)
xapi.op(cmd='show system info', cmd_xml=True)
print(xapi.xml_result())
The output is the same as using the requests module to call the REST API directly. the difference with Pan-Python is that passing arguments is made easy.
So here’s the complete output:
<system><hostname>PA-VM</hostname><ip-address>192.168.1.104</ip-address><netmask>255.255.255.0</netmask><default-gateway>192.168.1.1</default-gateway><is-dhcp>yes</is-dhcp><ipv6-address>unknown</ipv6-address><ipv6-link-local-address>fe80::5200:ff:fe01:0/64</ipv6-link-local-address><ipv6-default-gateway /><mac-address>50:00:00:01:00:00</mac-address><time>Sun Nov 12 00:48:47 2017 </time> <uptime>0 days, 21:49:26</uptime> <devicename>PA-VM</devicename> <family>vm</family><model>PA-VM</model><serial>unknown</serial><vm-mac-base>BA:DB:EE:FB:AD:00</vm-mac-base><vm-mac-count>255</vm-mac-count><vm-uuid>3E304129-D98B-4BD4-A3EE-8C74A586B7BA</vm-uuid><vm-cpuid>KVM:23060000FDFB8B07</vm-cpuid><vm-license>none</vm-license><vm-mode>KVM</vm-mode> <sw-version>8.0.0</sw-version> <global-protect-client-package-version>0.0.0</global-protect-client-package-version> <app-version>655-3816</app-version> <app-release-date>unknown</app-release-date> <av-version>0</av-version> <av-release-date>unknown</av-release-date> <threat-version>0</threat-version> <threat-release-date>unknown</threat-release-date> <wf-private-version>0</wf-private-version> <wf-private-release-date>unknown</wf-private-release-date> <url-db>paloaltonetworks</url-db> <wildfire-version>0</wildfire-version> <wildfire-release-date>unknown</wildfire-release-date> <url-filtering-version>0000.00.00.000</url-filtering-version> <global-protect-datafile-version>unknown</global-protect-datafile-version> <global-protect-datafile-release-date>unknown</global-protect-datafile-release-date><global-protect-clientless-vpn-version>0</global-protect-clientless-vpn-version> <global-protect-clientless-vpn-release-date>unknown</global-protect-clientless-vpn-release-date> <logdb-version>8.0.15</logdb-version> <platform-family>vm</platform-family> <vpn-disable-mode>off</vpn-disable-mode> <multi-vsys>off</multi-vsys> <operational-mode>normal</operational-mode> </system>
cyruslab 
Hi Cyrus,
Thanks for this post, it’s only a little one but I had been struggling with getting PanPython working and interacting with the API for security rules.
I am looking at how I can bulk edit the assigned security profile group assigned to 900 pre rules in Panorama across 2 device groups. Unless I want to click through every damn rule, I believe using a Python script is going to be the only way to bulk do every rule where the current action is Allow and apply the specific security profile group.
Anyway thanks again for the great easy article to read, all the best.
Thanks,
Daniel.
Hi Daniel,
I would recommend you to use the API reference within the Palo Alto firewall. the PanPython is only a wrapper that makes it “easy” because scripter does not need to known xml, I would recommend you to really use it and try to understand the xml structure with postman first then you can use a template engine such as jinja2 or mako template in your python script to build up the xml post request.
Hi Cyrus,
This is a good point as I have had some challenges trying to use the pan-python to achieve what I am after. I had started using postman to do this already as well but I am stuck at being able to pull all active rules running in a particular device group and the API browser does not seem to contain it.
I have however seen in Palo’s documentation that their 9.0 restapi seems to have commands there to pull the security rule base. Is this correct or am I missing something somewhere?
Thanks,
Daniel.
Not sure about the command line though, but the api itself can query for security rules and objects. If only command line can be used try netmiko module I think netmiko has Palo Alto connection.