Need help with pan-configurator?
Click the “chat” button below for chat support from the developer who created it, or find similar developers for support.

About the developer

220 Stars 38 Forks Other 1.5K Commits 0 Opened issues


Framework and utilities to easily manage and edit Palo Alto Network PANOS devices

Services available


Need anything else?

Contributors list


Since my departure, my friend and fantastic programmer Sven Waschkut from Palo Alto Networks has been actively supporting and updating this project. PAN has now officially added a repository on their official Github account. So latest features and cool things can be found (Docker CLI!) here

Anything below here will remain for the purpose of archiving!


PAN-Configurator is a PHP library aimed at making PANOS config changes easy (and XML free ;), maintainable and allowing complex scenarios like rule merging, unused object tracking, conversion of checkpoint exclusion groups, massive rule editing, AppID conversion … to name the ones I do on a regular basis and which are not offered by our GUI. It will work seamlessly on local config file or API.

Homepage : download latest sources on GitHub. Windows package with PHP binaries here:

Requirements : PHP 5.5 with curl module

Usage: include the file lib/panconfigurator.php in your own script to load the necessary classes.

File tree: * /lib/ contains library files source code * /utils/ contains ready to run scripts, more information in utils/readme.txt * /doc/index.html has all classes documentations * /example-xxx.php are examples about using this library

With less than 20 lines of code, you should be able to solve most of your needs. Brief overview:

Loading a config from a file :

    $pan = new PANConf();

Prefer to load it from API candidate config ?

    $connector = panAPIConnector::findOrCreateConnectorFromHost('');
    $pan = new PANConf();

Delete unused objects from a config :

    foreach($pan->addressStore->addressObjects() as $object )
      if( $object->countReferences() == 0 )

Want to know where an object is used ?

    $object = $pan->addressStore->find('H-WebServer4');
    foreach( $object->getReferences() as $ref )
       print $ref->toString()."\n";

Replace that object by another one :


Want to add security profile group 'Block-Forward-Critical-High' in rules which have destination zone 'External' and source zone 'DMZ'?

    foreach( $vsys1->securityRules->rules() as $rule )
       if( $rule->from->has('DMZ') && $rule->to->has('External') )

Do you hate scripting ? Utility script 'rules-edit.php' is a swiss knife to edit rules and takes advantage of PAN Configurator library from a single CLI query, ie :

Do you want to enable log at start for rule going to DMZ zone and that has only object group 'Webfarms' as a destination ?

rules-edit.php in=api:// actions=logStart-Enable 'filter=(to has dmz) and (dst has.only Webfarms)'

You are not sure about your filter and want to see rules before making changes ? Use action 'display' :

rules-edit.php  in=api:// actions=display 'filter=(to has dmz) and (dst has.only Webfarms)'

Change all rules using Application + Any service to application default ?

rules-edit.php in=api:// actions=service-Set-AppDefault 'filter=!(app is.any) and (service is.any)'

Move post-SecurityRules with source zone 'dmz' or source object 'Admin-networks' to pre-Security rule ?

rules-edit.php  in=api:// actions=invertPreAndPost 'filter=((from has dmz) or (source has Admin-networks) and (rule is.postrule))'

Want to know what actions are supported ?

rules-edit.php  listActions
rules-edit.php listFilters

We use cookies. If you continue to browse the site, you agree to the use of cookies. For more information on our use of cookies please see our Privacy Policy.