Awesome Open Source
Awesome Open Source


PAN-Configurator is a PHP library aimed at making PANOS config changes easy (and XML free ;), maintainable and allowing complex scenarios like rule merging, unused object tracking, conversion of checkpoint exclusion groups, massive rule editing, AppID conversion … to name the ones I do on a regular basis and which are not offered by our GUI. It will work seamlessly on local config file or API.

Homepage : download latest sources on GitHub. Windows package with PHP binaries here:

Requirements : PHP 5.5 with curl module

Usage: include the file lib/panconfigurator.php in your own script to load the necessary classes.

File tree:

  • /lib/ contains library files source code
  • /utils/ contains ready to run scripts, more information in utils/readme.txt
  • /doc/index.html has all classes documentations
  • /example-xxx.php are examples about using this library

With less than 20 lines of code, you should be able to solve most of your needs. Brief overview:

Loading a config from a file :

    $pan = new PANConf();

Prefer to load it from API candidate config ?

    $connector = panAPIConnector::findOrCreateConnectorFromHost('');
    $pan = new PANConf();

Delete unused objects from a config :

    foreach($pan->addressStore->addressObjects() as $object )
      if( $object->countReferences() == 0 )

Want to know where an object is used ?

    $object = $pan->addressStore->find('H-WebServer4');
    foreach( $object->getReferences() as $ref )
       print $ref->toString()."\n";

Replace that object by another one :


Want to add security profile group 'Block-Forward-Critical-High' in rules which have destination zone 'External' and source zone 'DMZ'?

    foreach( $vsys1->securityRules->rules() as $rule )
       if( $rule->from->has('DMZ') && $rule->to->has('External') )

Do you hate scripting ? Utility script 'rules-edit.php' is a swiss knife to edit rules and takes advantage of PAN Configurator library from a single CLI query, ie :

Do you want to enable log at start for rule going to DMZ zone and that has only object group 'Webfarms' as a destination ?

rules-edit.php in=api:// actions=logStart-Enable 'filter=(to has dmz) and (dst has.only Webfarms)'

You are not sure about your filter and want to see rules before making changes ? Use action 'display' :

rules-edit.php  in=api:// actions=display 'filter=(to has dmz) and (dst has.only Webfarms)'

Change all rules using Application + Any service to application default ?

rules-edit.php in=api:// actions=service-Set-AppDefault 'filter=!(app is.any) and (service is.any)'

Move post-SecurityRules with source zone 'dmz' or source object 'Admin-networks' to pre-Security rule ?

rules-edit.php  in=api:// actions=invertPreAndPost 'filter=((from has dmz) or (source has Admin-networks) and (rule is.postrule))'

Want to know what actions are supported ?

rules-edit.php  listActions
rules-edit.php listFilters

Get A Weekly Email With Trending Projects For These Topics
No Spam. Unsubscribe easily at any time.
php (16,378
api (1,682
firewall (89
panorama (28
pan (25