This is an old revision of the document!


PAN Configurator

Overview

PAN-Configurator is a PHP library for running actions on PAN-OS.

There is a Windows package for making it easy to run commands on Windows.

The steps below assume you have placed everything in “C:\Program Files\PAN Configurator”.

Update the PATH variable with the following three entries:

  • C:\Program Files\PAN Configurator\php;
  • C:\Program Files\PAN Configurator\Console2;
  • C:\Program Files\PAN Configurator\git\bin

Create the following environment variables with these values:

  • PS1=\w>
  • PANCDIR=C:\Program Files\PAN Configurator\pan-configurator
  • HOME=C:\Program Files\PAN Configurator

Examples

In these examples, 10.1.1.1 is a Panorama appliance.

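Set all security policies to have 'default' as the log forwarding profile. The second command adds a filter so that only rules with no log forwarding profile set are changed.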

pa_rule-edit in=api://10.1.1.1 ruleType=security location=DeviceGroupName actions=logSetting-set:default
pa_rule-edit in=api://10.1.1.1 ruleType=security location=DeviceGroupName actions=logSetting-set:default 'filter=!( logprof is.set )'

Set all security policies to have 'default' as the security profile group. The second command adds a filter so that only rules with no security profile set are changed.

pa_rule-edit in=api://10.1.1.1 ruleType=security location=DeviceGroupName actions=securityProfile-Group-Set:default
pa_rule-edit in=api://10.1.1.1 ruleType=security location=DeviceGroupName actions=securityProfile-Group-Set:default 'filter=!( secprof is.set )'

Set security policies to have 'SPG_Outbound' as the security profile group. Only set it on policies that have the tag 'outbound'.

pa_rule-edit in=api://10.1.1.1 ruleType=security location=DeviceGroupName actions=securityProfile-Group-Set:SPG_Outbound 'filter=(tag has outbound)'

Remove security profiles and security profile groups from all rules that have the action set to deny.

pa_rule-edit in=api://10.1.1.1 ruleType=security location=DeviceGroupName actions=securityProfile-Remove 'filter=(action is.deny)'

Set security policies to be targeted to a specific serial number 011122211122. Only set it on policies that are targeted on firewall serial number 099887766554. This is useful when adding new firewalls to Panorama to replace an old firewall already in Panorama.

pa_rule-edit in=api://10.1.1.1 ruleType=security location=DeviceGroupName actions=target-Add-Device:011122211122 'filter=(target has 099887766554)'

Update all security policies that have security profile group set to default and set it to security profile group spg-internal.

pa_rule-edit in=api://10.1.1.1 ruleType=security location=DeviceGroupName actions=securityProfile-Group-Set:spg-internal 'filter=(secprof group.is default)'

To replace the destination zone:

pa_rule-edit in=api://10.1.1.1 ruleType=security location=DGName actions=to-Replace:OldZone,NewZone
pa_rule-edit in=api://10.1.1.1 ruleType=nat location=DGName actions=to-Replace:OldZone,NewZone

To replace the source zone:

pa_rule-edit in=api://10.1.1.1 ruleType=security location=DGName actions=from-Replace:OldZone,NewZone
pa_rule-edit in=api://10.1.1.1 ruleType=nat location=DGName actions=from-Replace:OldZone,NewZone

You can also use the following rule types:

  • security
  • nat
  • decryption

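Replace one app with another. The first command adds the new application (app-grp-icmp) to every rule that has icmp; the second then removes icmp from the rules that have app-grp-icmp.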

pa_rule-edit in=api://10.1.1.1 ruleType=security location=DeviceGroupName actions=app-Add:app-grp-icmp 'filter=( app has icmp )'
pa_rule-edit in=api://10.1.1.1 ruleType=security location=DeviceGroupName actions=app-Remove:icmp 'filter=( app has app-grp-icmp )'
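
Before running the filtered bulk edits above against Panorama, it helps to review which rules each filter would select. The script below is an added example, not part of PAN-Configurator or of the original page: it reads an exported configuration offline and lists the rules matching the three conditions used above. The XML fragment is constructed sample data, and the element layout (log-setting, profile-setting) and the reading of "secprof is.set" as "a profile group or individual profiles are present" are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: fragment of a device-group security pre-rulebase.
SAMPLE_CONFIG = """
<device-group>
  <entry name="DeviceGroupName">
    <pre-rulebase><security><rules>
      <entry name="allow-web">
        <action>allow</action>
        <log-setting>default</log-setting>
        <profile-setting><group><member>default</member></group></profile-setting>
      </entry>
      <entry name="allow-dns">
        <action>allow</action>
      </entry>
      <entry name="block-telnet">
        <action>deny</action>
        <profile-setting><group><member>default</member></group></profile-setting>
      </entry>
    </rules></security></pre-rulebase>
  </entry>
</device-group>
"""

def audit_rules(xml_text):
    """Group rule names by the filter conditions used in the commands above."""
    root = ET.fromstring(xml_text)
    report = {"no_logprof": [], "no_secprof": [], "deny_with_secprof": []}
    for rule in root.iter("entry"):
        action = rule.findtext("action")
        if action is None:  # a device-group entry, not a rule
            continue
        name = rule.get("name")
        has_log = bool((rule.findtext("log-setting") or "").strip())
        ps = rule.find("profile-setting")
        has_prof = ps is not None and (
            ps.find("group/member") is not None or ps.find("profiles") is not None)
        if not has_log:
            report["no_logprof"].append(name)         # !( logprof is.set )
        if not has_prof:
            report["no_secprof"].append(name)         # !( secprof is.set )
        if action == "deny" and has_prof:
            report["deny_with_secprof"].append(name)  # (action is.deny)
    return report

if __name__ == "__main__":
    for condition, names in audit_rules(SAMPLE_CONFIG).items():
        print(f"{condition}: {', '.join(names) or '-'}")
```

Comparing this list with the rule set you expect to change catches an overly broad filter before it is pushed to every rule in the device group.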