pan configurator: GitHub File Free Download


Since my departure, my friend and fantastic programmer Sven Waschkut from Palo Alto Networks has been actively supporting and updating this project. PAN has now officially added a repository on their official Github account. So latest features and cool things can be found (Docker CLI!) here

Anything below here will remain for the purpose of archiving!


PAN-Configurator is a PHP library aimed at making PANOS config changes easy (and XML free ;), maintainable and allowing complex scenarios like rule merging, unused object tracking, conversion of checkpoint exclusion groups, massive rule editing, AppID conversion … to name the ones I do on a regular basis and which are not offered by our GUI. It will work seamlessly on local config file or API.

Homepage : download latest sources on GitHub. Windows package with PHP binaries here:

Requirements : PHP 5.5 with curl module

Usage: include the file lib/panconfigurator.php in your own script to load the necessary classes.

File tree:

  • /lib/ contains library files source code
  • /utils/ contains ready to run scripts, more information in utils/readme.txt
  • /doc/index.html has all classes documentations
  • /example-xxx.php are examples about using this library

With less than 20 lines of code, you should be able to solve most of your needs. Brief overview:

Loading a config from a file :

    $pan = new PANConf();

Prefer to load it from API candidate config ?

    $connector = panAPIConnector::findOrCreateConnectorFromHost('');
    $pan = new PANConf();

Delete unused objects from a config :

    foreach($pan->addressStore->addressObjects() as $object )
      if( $object->countReferences() == 0 )

Want to know where an object is used ?

    $object = $pan->addressStore->find('H-WebServer4');
    foreach( $object->getReferences() as $ref )
       print $ref->toString()."\n";

Replace that object by another one :


Want to add security profile group ‘Block-Forward-Critical-High’ in rules which have destination zone ‘External’ and
source zone ‘DMZ’?

    foreach( $vsys1->securityRules->rules() as $rule )
       if( $rule->from->has('DMZ') && $rule->to->has('External') )

Do you hate scripting ? Utility script ‘rules-edit.php’ is a swiss knife to edit rules and takes advantage of PAN Configurator
library from a single CLI query, ie :

Do you want to enable log at start for rule going to DMZ zone and that has only object group ‘Webfarms’ as a destination ?

rules-edit.php in=api:// actions=logStart-Enable 'filter=(to has dmz) and (dst has.only Webfarms)'

You are not sure about your filter and want to see rules before making changes ? Use action ‘display’ :

rules-edit.php  in=api:// actions=display 'filter=(to has dmz) and (dst has.only Webfarms)'

Change all rules using Application + Any service to application default ?

rules-edit.php in=api:// actions=service-Set-AppDefault 'filter=!(app is.any) and (service is.any)'

Move post-SecurityRules with source zone ‘dmz’ or source object ‘Admin-networks’ to pre-Security rule ?

rules-edit.php  in=api:// actions=invertPreAndPost 'filter=((from has dmz) or (source has Admin-networks) and (rule is.postrule))'

Want to know what actions are supported ?

rules-edit.php  listActions
rules-edit.php listFilters

Go to GitHub File