====== PAN Configurator ======
===== Overview =====
[[https://github.com/cpainchaud/pan-configurator|PAN-Configurator]] is a PHP library for running actions on PAN-OS.
There is a [[https://github.com/cpainchaud/pan-configurator-windows-package|Windows package]] for making it easy to run commands on Windows.
The steps below assume you have placed everything in "C:\Program Files\PAN Configurator" (make sure your user has read/write access to this folder and its sub-folders).

Update the PATH variable with the following three entries:
  * C:\Program Files\PAN Configurator\php;
  * C:\Program Files\PAN Configurator\Console2;
  * C:\Program Files\PAN Configurator\git\bin

Create the following variables and values:
  * PS1=\w>
  * PANCDIR=C:\Program Files\PAN Configurator\pan-configurator
  * HOME=C:\Program Files\PAN Configurator
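
The PATH and variable steps above can be scripted. The following PowerShell is an added example, not part of the Windows package or the PAN-Configurator project; it assumes the install folder named on this page and writes to the current user's environment only.

```powershell
# Added example: per-user environment setup for the Windows package.
# Assumption: the package was unpacked to the folder used on this page.
$root = 'C:\Program Files\PAN Configurator'

# The page requires read/write access to this folder; fail early if it is missing.
if (-not (Test-Path -LiteralPath $root -PathType Container)) {
    throw "Install folder not found: $root"
}

# Probe write access by creating and deleting a temporary file.
$probe = Join-Path $root ('.write-test-' + [guid]::NewGuid().ToString('N'))
try {
    [IO.File]::WriteAllText($probe, '')
    Remove-Item -LiteralPath $probe
} catch {
    throw "Current user cannot write to $root"
}

# The three PATH entries from the page.
$wanted = @("$root\php", "$root\Console2", "$root\git\bin")

# Edit the User-scope PATH only, so the writable folder is not added to the
# machine-wide PATH that services and other accounts resolve executables from.
$current = [Environment]::GetEnvironmentVariable('Path', 'User')
$entries = @()
if ($current) { $entries = @($current.Split(';') | Where-Object { $_ }) }
foreach ($dir in $wanted) {
    if ($entries -notcontains $dir) { $entries += $dir }   # skip duplicates on re-run
}
[Environment]::SetEnvironmentVariable('Path', ($entries -join ';'), 'User')

# The three variables from the page. Single quotes keep '\w>' literal.
$vars = [ordered]@{
    PS1     = '\w>'
    PANCDIR = "$root\pan-configurator"
    HOME    = $root
}
foreach ($name in $vars.Keys) {
    [Environment]::SetEnvironmentVariable($name, $vars[$name], 'User')
}
```

Open a new console afterwards so the updated variables are picked up.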
===== Examples =====
In these examples, ''10.1.1.1'' is a Panorama appliance.
Set all security policies to have 'default' as the log forwarding profile. The second command applies the change only to rules that do not already have a log forwarding profile set.

  pa_rule-edit in=api://10.1.1.1 ruleType=security location=DeviceGroupName actions=logSetting-set:default
  pa_rule-edit in=api://10.1.1.1 ruleType=security location=DeviceGroupName actions=logSetting-set:default 'filter=!( logprof is.set )'

Set all security policies to have 'default' as the security profile group. The second command applies the change only to rules that do not already have a security profile set.

  pa_rule-edit in=api://10.1.1.1 ruleType=security location=DeviceGroupName actions=securityProfile-Group-Set:default
  pa_rule-edit in=api://10.1.1.1 ruleType=security location=DeviceGroupName actions=securityProfile-Group-set:default 'filter=!( secprof is.set )'

Set security policies to have 'SPG_Outbound' as the security profile group. Only set it on policies that have the tag 'outbound'.

  pa_rule-edit in=api://10.1.1.1 ruleType=security location=DeviceGroupName actions=securityProfile-Group-Set:SPG_Outbound 'filter=(tag has outbound)'

Remove security profiles and security profile groups from all rules that have the action set to deny.

  pa_rule-edit in=api://10.1.1.1 ruleType=security location=DeviceGroupName actions=securityProfile-Remove 'filter=(action is.deny)'

Set all rules that deny traffic to have no security profile group.

  pa_rule-edit in=api://10.1.1.1 ruleType=security location=DeviceGroupName actions=securityProfile-Remove 'filter=(action is.deny)'

Set security policies to be targeted to a specific serial number ''011122211122''. Only set it on policies that are targeted on firewall serial number ''099887766554''. This is useful when adding a new firewall to Panorama to replace an old firewall that is already in Panorama.

  pa_rule-edit in=api://10.1.1.1 ruleType=nat location=DeviceGroupName actions=target-Add-Device:011122211122 'filter=(target has 099988899988)'

Update all security policies that have the security profile group set to default and set it to the security profile group spg-internal.

  pa_rule-edit in=api://10.1.1.1 ruleType=security location=DeviceGroupName actions=securityProfile-Group-Set:spg-internal 'filter=(secprof group.is default)'

To replace the destination zone:

  pa_rule-edit in=api://10.1.1.1 ruleType=security location=DGName actions=to-Replace:OldZone,NewZone
  pa_rule-edit in=api://10.1.1.1 ruleType=nat location=DGName actions=to-Replace:OldZone,NewZone

To replace the source zone:

  pa_rule-edit in=api://10.1.1.1 ruleType=security location=DGName actions=from-Replace:OldZone,NewZone
  pa_rule-edit in=api://10.1.1.1 ruleType=nat location=DGName actions=from-Replace:OldZone,NewZone

You can also use the following rule types:
  * security
  * nat
  * decryption
  * pbf
===== Replace one app with another =====
  pa_rule-edit in=api://10.1.1.1 ruleType=security location=DeviceGroupName actions=app-Add:app-grp-icmp 'filter=( app has icmp )'
  pa_rule-edit in=api://10.1.1.1 ruleType=security location=DeviceGroupName actions=app-Remove:icmp 'filter=( app has app-grp-icmp )'