Getting Started
This guide walks you through initial setup and basic usage of the pan-scm-cli tool for managing Palo Alto Networks Strata Cloud Manager.
Installation
Install the package via pip (Python 3.10+ required):
Tip
See the Installation Guide for detailed setup instructions including virtual environments and Docker.
Authentication Setup
The SCM CLI uses a context-based authentication system. You can configure credentials through contexts or environment variables.
Option 1: Contexts (Recommended)
Create a named context with your SCM credentials:
$ scm context create production \
--client-id "your-app@123456789.iam.panserviceaccount.com" \
--client-secret "your-secret-key" \
--tsg-id "123456789"
---> 100%
✓ Context 'production' created successfully
✓ Context 'production' set as current
Test the connection:
$ scm context test
Testing authentication for context: production
✓ Authentication successful!
Client ID: your-app@123456789.iam.panserviceaccount.com
TSG ID: 123456789
✓ API connectivity verified (found 15 address objects in Shared folder)
Switch between multiple tenants:
Option 2: Environment Variables
For CI/CD pipelines or scripting, set environment variables:
export SCM_CLIENT_ID="your_client_id"
export SCM_CLIENT_SECRET="your_client_secret"
export SCM_TSG_ID="your_tsg_id"
Info
Environment variables override context credentials when both are present. This is useful for CI/CD environments where credentials are injected at runtime.
Credential Precedence
The CLI loads credentials in the following order (highest to lowest priority):
| Priority | Source | Use Case |
|---|---|---|
| 1 | Environment variables (SCM_CLIENT_ID, SCM_CLIENT_SECRET, SCM_TSG_ID) | CI/CD pipelines |
| 2 | Active context (set via scm context use) | Interactive use |
| 3 | Mock mode | Testing without credentials |
Warning
Never commit credentials to version control. Use contexts or environment variables for secure credential management. Regularly rotate your credentials.
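One way to enforce the warning above is a pre-commit style check for hard-coded SCM credentials. This is an added example, not part of pan-scm-cli; the patterns are assumptions derived from the credential shapes shown on this page, and `scan_text`, `scan_files` and the sample files are hypothetical names and constructed data.

```python
import re

# Shapes taken from the examples on this page; they are assumptions, not an
# official credential format specification.
PATTERNS = {
    # An identifier rather than a secret, but it usually sits next to one.
    "service-account client ID": re.compile(r"[\w.-]+@\d+\.iam\.panserviceaccount\.com"),
    "SCM_CLIENT_SECRET assignment": re.compile(r"SCM_CLIENT_SECRET\s*[=:]\s*[\"']?([^\s\"']+)"),
    "--client-secret argument": re.compile(r"--client-secret[ =]+[\"']?([^\s\"']+)"),
}


def scan_text(path, text):
    """Return (path, line_no, label) for each line that hard-codes an SCM credential."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for label, pattern in PATTERNS.items():
            match = pattern.search(line)
            if not match:
                continue
            # Secret patterns capture the value. A value starting with "$" is a
            # reference ($VAR, ${{ secrets.X }}) resolved at runtime, not a literal.
            if match.groups() and match.group(1).startswith("$"):
                continue
            findings.append((path, line_no, label))
    return findings


def scan_files(files):
    """Scan a {path: text} mapping, e.g. the staged files in a pre-commit hook."""
    return [hit for path, text in files.items() for hit in scan_text(path, text)]


# Constructed sample content, not real credentials.
SAMPLE = {
    "deploy.sh": 'export SCM_CLIENT_SECRET="constructed-secret-value"\nexport SCM_TSG_ID="123456789"\n',
    "ci.yml": "env:\n  SCM_CLIENT_SECRET: ${{ secrets.SCM_CLIENT_SECRET }}\n",
    "notes.txt": "scm context create lab --client-id lab-app@123456789.iam.panserviceaccount.com"
                 " --client-secret abc123\n",
}

if __name__ == "__main__":
    for path, line_no, label in scan_files(SAMPLE):
        print(f"{path}:{line_no}: {label}")
```

The CI file passes because its secret is injected at runtime, while the shell script and the notes file are flagged for carrying literal values.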
Command Structure
All commands follow this pattern:
| Component | Description | Examples |
|---|---|---|
| `<action>` | Operation to perform | set, delete, load, show, backup |
| `<category>` | Category of resource | object, network, security, sase |
| `<resource>` | Specific resource type | address, address-group, security-zone |
| `[options]` | Resource-specific parameters | --folder, --name, --ip-netmask |
Basic Usage Examples
Getting Help
Use the --help flag for any command:
$ scm --help
Usage: scm [OPTIONS] COMMAND [ARGS]...
Command-line interface for Palo Alto Networks Strata Cloud Manager.
Options:
--version Show the version and exit.
--help Show this message and exit.
Commands:
backup Backup configurations to YAML files
delete Remove configurations
load Load configurations from YAML files
set Create or update configurations
show Display configurations
Command-specific help:
$ scm set object address --help
Usage: scm set object address [OPTIONS]
Create or update an address object in SCM.
Options:
--folder TEXT Folder for the address object [required]
--name TEXT Name of the address object [required]
--description TEXT Description for the address
--tags LIST List of tags to apply to the address
--ip-netmask TEXT Address in CIDR notation (e.g., 192.168.1.0/24)
--ip-range TEXT Address range (e.g., 192.168.1.1-192.168.1.10)
--ip-wildcard TEXT Address with wildcard mask (e.g., 10.20.1.0/0.0.248.255)
--fqdn TEXT Fully qualified domain name (e.g., example.com)
--help Show this message and exit.
Creating an Address Object
$ scm set object address \
--folder Texas \
--name webserver \
--ip-netmask 192.168.1.100/32 \
--description "Web server"
---> 100%
Created address: webserver in folder Texas
Creating an Address with FQDN
$ scm set object address \
--folder Texas \
--name company-website \
--fqdn example.com \
--description "Company website"
---> 100%
Created address: company-website in folder Texas
Listing Address Objects
$ scm show object address --folder Texas
---> 100%
Addresses in folder 'Texas':
------------------------------------------------------------
Name: webserver
Type: ip-netmask
Value: 192.168.1.100/32
------------------------------------------------------------
Name: company-website
Type: fqdn
Value: example.com
------------------------------------------------------------
Deleting an Address Object
$ scm delete object address --folder Texas --name webserver
---> 100%
Deleted address: webserver from folder Texas
Bulk Operations
Loading from YAML
Create a YAML file with multiple definitions:
---
addresses:
  - name: web-server-1
    folder: Texas
    description: "Web Server 1"
    ip_netmask: 192.168.1.10/32
    tags:
      - web
      - production
  - name: web-server-2
    folder: Texas
    description: "Web Server 2"
    ip_netmask: 192.168.1.11/32
    tags:
      - web
      - production
  - name: database-server
    folder: Texas
    description: "Database Server"
    ip_netmask: 192.168.2.10/32
    tags:
      - database
      - production
Load the addresses from the file:
$ scm load object address --file addresses.yml
---> 100%
✓ Loaded address: web-server-1
✓ Loaded address: web-server-2
✓ Loaded address: database-server
Successfully loaded 3 out of 3 addresses from 'addresses.yml'
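Before a bulk load, the entries can be checked for mistakes that would silently widen an address object, such as a mistyped prefix length. This is an added example, not part of pan-scm-cli: `validate_addresses` is a hypothetical helper, the `min_prefix` threshold is an assumed local policy for IPv4 entries, and the input is the `addresses` list as a YAML parser would return it.

```python
import ipaddress


def validate_addresses(entries, min_prefix=24):
    """Return a list of problems found in the 'addresses' entries of a bulk-load file."""
    problems, seen = [], set()
    for i, entry in enumerate(entries):
        name, folder = entry.get("name"), entry.get("folder")
        where = f"entry {i} ({name or 'unnamed'})"
        if not name or not folder:
            problems.append(f"{where}: 'name' and 'folder' are both required")
        elif (folder, name) in seen:
            problems.append(f"{where}: duplicate name in folder {folder}")
        seen.add((folder, name))

        cidr = entry.get("ip_netmask")
        if cidr is None:
            continue  # only ip_netmask entries are checked in this example
        try:
            # strict=False accepts host bits in the address part.
            net = ipaddress.ip_network(cidr, strict=False)
        except ValueError as exc:
            problems.append(f"{where}: bad ip_netmask {cidr!r}: {exc}")
            continue
        # Assumed policy: anything broader than /min_prefix needs a second look.
        if net.prefixlen < min_prefix:
            problems.append(
                f"{where}: {cidr} covers {net.num_addresses} addresses; "
                f"expected /{min_prefix} or longer"
            )
    return problems


# Constructed sample: the page's entries with three deliberate mistakes.
SAMPLE = [
    {"name": "web-server-1", "folder": "Texas", "ip_netmask": "192.168.1.10/32"},
    {"name": "web-server-2", "folder": "Texas", "ip_netmask": "192.168.1.11/3"},
    {"name": "database-server", "folder": "Texas", "ip_netmask": "192.168.2.300/32"},
    {"name": "web-server-1", "folder": "Texas", "ip_netmask": "192.168.1.12/32"},
]

if __name__ == "__main__":
    for problem in validate_addresses(SAMPLE):
        print(problem)
```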
Dry Run and Mock Modes
Dry Run Mode
Preview changes without applying them:
$ scm set object address \
--folder Texas \
--name webserver \
--ip-netmask 192.168.1.100/32 \
--dry-run
---> 100%
[DRY RUN] Would create address: webserver in folder Texas
Mock Mode
Run commands without connecting to the SCM API:
$ scm set object address \
--folder Texas \
--name webserver \
--ip-netmask 192.168.1.100/32 \
--mock
---> 100%
[MOCK] Created address: webserver in folder Texas
Tip
Mock mode is useful for testing scripts and workflows without consuming API calls or requiring valid credentials.
Next Steps
- Explore the CLI Reference for a complete list of commands and options
- Learn about Troubleshooting common issues
- Read about Contributing to the project