ezpanos 1.0.2

A lightweight PanOS (Palo Alto Networks) Firewall Management utility.

EZPanOS

lightweight PAN-OS utility library focused on practical operational tasks.

Why ezpanos exists

ezpanos is not a replacement for Palo Alto Networks’ official SDKs.

It grew out of working directly with PAN-OS automation and seeing how often engineers still end up dealing with hardcoded XPath, XML-heavy responses, and task-specific parsing logic.

ezpanos exists to make that experience more practical.

The PAN-OS ecosystem exposes strong configuration and object-management primitives, but real-world automation often needs more than object CRUD:

• intuitive command execution
• JSON-normalized output
• Multi-device and Panorama-oriented workflows

The goal is to make operational automation easier to build, read, and reuse.

Installation

pip install ezpanos

Quick Start

from ezpanos import EzPanOS

endpoint = "10.0.0.1"
fw = EzPanOS(endpoint=endpoint, username="admin")
print(fw.execute("show system info"))

If password is omitted, you are securely prompted. Credentials entered once can be reused in-memory for subsequent connections in the same run.

Config Profiles

You can use a config.json file for endpoint/profile organization and optional usernames/passwords.

Conceptually, an estate is the firewalls you intend to manage. Because the utility works on many PanOS Configuration types: Panorama, Firewall, or Log Collector: each can be assimilated into this framework.

Example config.json:

{
  "profiles": {
    "estate": {
      "username": "svc_firewall",
      "endpoints": [
        {"endpoint": "firewall-1.inside.example.com"},
        {"endpoint": "firewall-2.inside.example.com"}
      ]
    }
  }
}

Build instances:

from ezpanos import EzPanOS

instances = EzPanOS.instances_from_config_profile(
    config_path="config.json",
    config_profile="estate",
)

Note that the name of the config_profile is estate, this is configurable if you intend to logically separate the management of different such estates. This is useful for environments with multiple Panorama Instances.

If passwords are not present in config, you will be prompted and values are reused from in-memory cache where possible.

Rule Management

from ezpanos import EzPanOS

fw = EzPanOS(endpoint="10.0.0.1", username="admin")
result = fw.create_security_rule(
    rule_name="example-rule",
    from_zones=["trust"],
    to_zones=["untrust"],
    sources=["any"],
    destinations=["any"],
    applications=["web-browsing"],
    services=["application-default"],
    action="allow",
)
print(result)

Delete rule and commit:

delete_result = fw.delete_security_rule("example-rule", ignore_missing=True)
print(delete_result)

commit_result = fw.commit(wait_for_job=True)
print(commit_result)

Job sensitive commands

Some commands like software download/install as well as standard commit jobs execute beyond the xml command success.

To monitor the job id of an executed command:

response = fw.execute("request sustem software check")
job_id = fw.extract_job_id(response)

# Or likewise:

version = "10.1.1"
response = fw.execute(f"request sustem software download version: {version}")
job_id = fw.extract_job_id(response)

This job can then be monitored with
response = fw.execute(f"show jobs id {job_id}")

Experimental: Intent-Driven Policy Engineering

ezpanos is also exploring an intent-driven workflow layer for policy operations.

Operators often know the connection requirements they need, but translating that requirement into environment-aware implementations across an estate of devices and security zones is tedious and error-prone.

The experimental workflow uses natural language for intent capture, while keeping execution deterministic and reviewable.

Design principles:

• intent in, ruleset out
• deterministic resolution of implementation details
• bounded execution paths
• explicit operator review before commission
• no unrestricted autonomous environment mutation

This functionality is currently gated while the workflow model is hardened and validated.