Panoply

class skilletlib.panoply.EphemeralPanos(hostname: Optional[str] = None, api_username: Optional[str] = None, api_password: Optional[str] = None, api_port: Optional[int] = 443, serial_number: Optional[str] = None, debug: Optional[bool] = False, api_key: Optional[str] = None)

EphemeralPanos is used when a Panos instance may or may not be online and available at all times. This is useful when instantiating instances via a CI/CD pipeline or other automation tool.

class skilletlib.panoply.Panoply(hostname: Optional[str] = None, api_username: Optional[str] = None, api_password: Optional[str] = None, api_port: Optional[int] = 443, serial_number: Optional[str] = None, debug: Optional[bool] = False, api_key: Optional[str] = None)

Panoply is a wrapper around pan-python PanXAPI class to provide additional, commonly used functions

ad_hoc(qs: str) → str

Runs an ad_hoc command against this device.

example: type=op&action=complete&xpath=/operations/show/config/saved

Parameters:qs – qs
Returns:the unparsed xml document from the device API
backup_config()

Saves a named backup on the PAN-OS device. The format for the backup is ‘config-backup-20190424000000.xml’

Returns:xml results from the op command sequence
check_content_updates(content_type: str) -> (<class 'str'>, None)

Iterate through all available content of the specified type, locate and return the version with the highest version number. If that version is already installed, return None as no further action is necessary

Parameters:content_type – type of content to check
Returns:version-number to download and install or None if already at the latest
commit(force_sync=True) → str

Perform a commit operation on this device instance -

Raises:PanoplyException – if commit failed
Parameters:force_sync – Flag to enable sync commit or async
Returns:String from the API indicating success or failure
commit_gpcs(force_sync=True) → str

Perform a commit operation on this device instance specifically for gpcs remote networks Note - you must do a full commit to panorama before you invoke this commit!

Raises:PanoplyException – if commit failed
Parameters:force_sync – Flag to enable sync commit or async
Returns:String from the API indicating success or failure
connect(allow_offline: Optional[bool] = False) → None

Attempt to connect to this device instance

Parameters:allow_offline – Do not raise an exception if this device is offline unless there is an authentication

error :return: None

deactivate_vm_license(api_key: str = None) → bool

Deactivate VM-Series Licenses. Will set the API Key is not already set.

Parameters:api_key – Optional api_key.
Returns:boolean True on success / False otherwise
execute_cli(cmd_str: str) → str

Short-cut to execute a simple CLI op cmd

Parameters:cmd_str – CLI command to send to the NGFW
Returns:raw output from the command
execute_cmd(cmd: str, params: dict, context=None) → str

Execute the given cmd using the xapi.

Parameters:
  • cmd – Valid options are: ‘op’, ‘show’, ‘get’, ‘delete’, ‘set’, ‘edit’, ‘override’, ‘move’, ‘rename’, ‘clone’, ‘validate’
  • params – valid parameters for the given cmd type
  • context – skillet context
Returns:

raw results from the cmd output, raises SkilletLoaderException
execute_op(cmd_str: str, cmd_xml=False, parse_result=True) → str

Executes an ‘op’ command on the NGFW

Parameters:
  • cmd_str – op command to send
  • cmd_xml – Flag to determine if op command requires XML encoding
  • parse_result – Optional flag to indicate whether to return parsed xml results (xml_result) from xapi - not

all commands return valid XML. Setting this to ‘false’ will return the raw string from the API. :return: raw output from the device

fetch_license(auth_code: str, force_fetch_license: bool = False) → bool

Fetch and install licenses for PAN-OS NGFW

Parameters:
  • auth_code – Authorization code to use to license the NGFW
  • force_fetch_license – Fetch licenses even if NGFW is already licensed
Returns:

True when license installation succeeds / False otherwise
filter_connected_devices(filter_terms=None) → list

Returns the list of connected devices filtered according to the given terms.

Filter terms are based on keys in the device facts. Matches are done using simple regex match

Parameters:filter_terms – dict containing key value pairs. Keys match keys from the return device facts and values

are regex expressions used to match those keys :return: list of devices that match ALL filter terms

generate_baseline(reset_hostname=False) → str

Load baseline config that contains ONLY connecting username / password use device facts to determine which baseline template to load see template/panos/baseline_80.xml for example

Parameters:
  • self
  • reset_hostname – Flag to reset hostname back to a default value (baseline in this case)
Returns:

string contents of baseline config
generate_set_cli_from_configs(previous_config: str, latest_config: str) → list

Takes two configuration files, converts them to set commands, then returns only the commands found in the ‘latest_config’ vs the ‘previous_config’. This allows the user to quickly configure one firewall, generate a ‘set cli’ diff and move those configs to another firewall

Parameters:
  • previous_config – Starting config
  • latest_config – Ending config
Returns:

list of set cli commands required to convert previous to latest
generate_skillet(from_candidate=False) → list

Generates a skillet from the changes detected on this device. This will attempt to create the xml and xpaths for everything that is found to have changed

Parameters:from_candidate – If your changes on in the candidate config, this will detect changes between the running

config and the candidate config. If False, this will detect changes between the running config and a generic baseline configuration :return: list of xpaths

generate_skillet_from_configs(previous_config: str, latest_config: str) → list

Generates a skillet from the diffs between two XML configuration files

Parameters:
  • previous_config – Configuration backup taken before desired changes are made to the device
  • latest_config – Configuration backup taken after desired changes are made
Returns:

list of dictionaries that contain the following keys: * name * element * xpath * full_xpath
get_configuration(config_source='running') → str

Get the configuration from the device.

Parameters:config_source – Configuration source. This can be either ‘candidate, running, baseline, or an

audit version number. Candidate is the candidate config, running is the running config, baseline is an autogenerated bare configuration, and version number is the previously saved running configuration. A positive version number will get the configuration version matching that id. A negative version number will get the most recent to least recent configuration versions where (-1) is the most recent previous running config. :return: configuration xml as a string or a blank string if not connected

get_configuration_version(version: str) → str

Returns a configuration version on the device. Use ‘list_configuration_versions’ to get a list of available options

Parameters:version – version number of the configuration version to export
Returns:configuration as an XML encoded string
get_extended_facts() → dict

Get extended facts about the device to which we are connected.

Return interfaces, security_rules, and zones

Returns:dict with extended facts
get_facts() → dict

Gather system info and keep on self.facts This gets called on every connect

Returns:dict containing all system facts
get_interfaces() → dict

Return a dict of all interfaces configured on this device. The dict has the following structure:

{
“ifnet”: {
“entry”: [
{
“name”: “ethernet1/1”, “zone”: “internet”, “fwd”: “vr:default”, “vsys”: “1”, “dyn-addr”: null, “addr6”: null, “tag”: “0”, “ip”: “10.48.58.161/23”, “id”: “16”, “addr”: null

}

]

}, “hw”: {

“entry”: [
{
“name”: “ethernet1/1”, “duplex”: “full”, “type”: “0”, “state”: “up”, “st”: “10000/full/up”, “mac”: “fa:16:3e:65:7d:05”, “mode”: “(autoneg)”, “speed”: “10000”, “id”: “16”

}

]

}

}

Returns:dict with two keys ‘ifnet’ and ‘hw’.
static get_ordered_xpaths() → tuple

Returns a list of ordered xpaths for use in ordering snippets and set commands

Will be enhanced one day with version and model specific information if necessary

Returns:tuple of two lists, xpaths and post_xpaths
get_saved_configuration(configuration_name: str) → str

Returns a saved configuration on the device. Use ‘list_saved_configuration’ to get a list of available options

Parameters:configuration_name – name of the saved configuration to export
Returns:configuration as an XML encoded string
get_security_rules() → list

Return the list of configured security rules on this device.

  • returns a blank list for Panorama devices!
Returns:list of security rules
get_zones() → list

Return the list of configured zones on this device.

  • returns a blank list for Panorama devices!
Returns:list of zone names
has_running_jobs() → bool

Simple check to determine if there are any running jobs on this device

Returns:bool True if there is currently a running job
import_file(filename: str, file_contents: (<class 'str'>, <class 'bytes'>), category: str) → bool

Import the given file into this device

Parameters:
  • filename
  • file_contents
  • category – ‘configuration’
Returns:

bool True on success
list_saved_configurations() → list

Returns a list of saved configuration files on this device

Returns:list of saved configurations
load_baseline() → bool

Load baseline config that contains ONLY connecting username / password use device facts to determine which baseline template to load see template/panos/baseline_80.xml for example

Parameters:self
Returns:bool true on success
load_config(filename: str) → bool

Loads the named configuration file into this device

Parameters:filename – name of the configuration file on the device to load. Note this filename must already exist

on the target device :return: bool True on success

static sanitize_element(element: str) → str

Eliminate some unneeded characters from the XML snippet if they appear.

Parameters:element – element str
Returns:sanitized element str
set_at_path(name: str, xpath: str, xml_str: str) → None

Insert XML into the configuration tree at the specified xpath

Parameters:
  • name – name of the snippet - used in logging and debugging only
  • xpath – full xpath where the xml element will be inserted
  • xml_str – string representation of the XML element to insert
Returns:

None
set_license_api_key(api_key: str) → bool

Set’s the Palo Alto Networks Support API Key in the firewall. This is required to deactivate a VM-Series NGFW.

Parameters:api_key – Your support account API Key found on the support.paloaltonetworks.com site
Returns:boolean True on success / False otherwise
update_dynamic_content(content_type: str) → bool

Check for newer dynamic content and install if found

Parameters:content_type – type of content to check. can be either: ‘content’, ‘anti-virus’, ‘wildfire’
Returns:bool True on success
wait_for_device_ready(interval=30, timeout=600) → bool

Loop and wait until device is ready or times out

Parameters:
  • interval – how often to check in seconds
  • timeout – how long to wait until we declare a timeout condition
Returns:

boolean true on ready, false on timeout
wait_for_job(job_id: str, interval=10, timeout=600) → bool

Loops until a given job id is completed. Will timeout after the timeout period if the device is offline or otherwise unavailable.

Parameters:
  • job_id – id the job to check and wait for
  • interval – how long to wait between checks
  • timeout – how long to wait with no response before we give up
Returns:

bool true on content updated, false otherwise
class skilletlib.panoply.Panos(hostname: Optional[str], api_username: Optional[str], api_password: Optional[str], api_port: Optional[int] = 443, serial_number: Optional[str] = None, debug: Optional[bool] = False, api_key: Optional[str] = None)

Panos is used to connect to PAN-OS devices that are expected to be currently and always online! Exceptions will be raised in any event that we cannot connect!