Skip to content

SDK Developer Documentation

Welcome to the SDK Developer Documentation for pan-scm-sdk. This section provides detailed information about the SDK's configuration objects and data models used to interact with Palo Alto Networks Strata Cloud Manager.

Contents

Introduction

The pan-scm-sdk provides a set of classes and models to simplify interaction with the Strata Cloud Manager API. By utilizing this SDK, developers can programmatically manage configurations, ensuring consistency and efficiency.

Starting with version 0.3.14, the SDK supports a unified client interface that allows you to access all service objects directly through the client instance using attribute-based access. This provides a more intuitive and streamlined developer experience. Here's a comprehensive example showing how to use the unified client with multiple object types:

from scm.client import Scm

# Initialize the unified client
client = Scm(
    client_id="your_client_id",
    client_secret="your_client_secret",
    tsg_id="your_tsg_id"
)

# ===== WORKING WITH ADDRESS OBJECTS =====

# List all addresses in a folder
addresses = client.address.list(folder="Texas")
print(f"Found {len(addresses)} addresses in Texas folder")

# Fetch a specific address by name
web_server = client.address.fetch(name="web-server", folder="Texas")
print(f"Address details - Name: {web_server.name}, IP: {web_server.ip_netmask or web_server.fqdn}")

# Update the description of the address
web_server.description = "Primary web server updated via unified client"
updated_address = client.address.update(web_server)
print(f"Updated address description: {updated_address.description}")

# ===== WORKING WITH BGP ROUTING =====

# Get current BGP routing settings
bgp_settings = client.bgp_routing.get()
print(f"Current BGP backbone routing: {bgp_settings.backbone_routing}")

# Update BGP routing preferences
client.bgp_routing.update({
    "routing_preference": {"hot_potato_routing": {}},
    "backbone_routing": "asymmetric-routing-with-load-share",
    "accept_route_over_SC": True,
    "outbound_routes_for_services": ["10.0.0.0/8", "172.16.0.0/12"],
})
print("Updated BGP routing settings")

# ===== WORKING WITH INTERNAL DNS SERVERS =====

# Create a new internal DNS server
dns_server = client.internal_dns_servers.create({
    "name": "main-dns-server",
    "domain_name": ["example.com", "internal.example.com"],
    "primary": "192.168.1.10",
    "secondary": "192.168.1.11"
})
print(f"Created DNS server: {dns_server.name} with ID: {dns_server.id}")

# List all DNS servers
dns_servers = client.internal_dns_servers.list()
print(f"Found {len(dns_servers)} DNS servers")

# ===== WORKING WITH SECURITY RULES =====

# Fetch a specific security rule
security_rule = client.security_rule.fetch(name="allow-web-traffic", folder="Texas")
print(f"Security rule: {security_rule.name}")
print(f"  Source zones: {security_rule.source_zone}")
print(f"  Destination zones: {security_rule.destination_zone}")
print(f"  Action: {security_rule.action}")

# ===== WORKING WITH NAT RULES =====

# List NAT rules with filtering (source zone = "trust")
filtered_nat_rules = client.nat_rule.list(
    folder="Texas",
    source_zone=["trust"]
)
print(f"Found {len(filtered_nat_rules)} NAT rules with source zone 'trust'")

# Delete a NAT rule if any were found
if filtered_nat_rules:
    rule_to_delete = filtered_nat_rules[0].id
    rule_name = filtered_nat_rules[0].name
    client.nat_rule.delete(rule_to_delete)
    print(f"Deleted NAT rule '{rule_name}' (ID: {rule_to_delete})")

# ===== WORKING WITH BANDWIDTH ALLOCATIONS =====

# List all bandwidth allocations
allocations = client.bandwidth_allocation.list()
print(f"Found {len(allocations)} bandwidth allocations")

# Create a new bandwidth allocation
new_allocation = client.bandwidth_allocation.create({
    "name": "test-region",
    "allocated_bandwidth": 100,
    "spn_name_list": ["spn1", "spn2"],
    "qos": {
        "enabled": True,
        "customized": True,
        "profile": "test-profile",
        "guaranteed_ratio": 0.5
    }
})
print(f"Created bandwidth allocation: {new_allocation.name}")

# ===== WORKING WITH AUTHENTICATION SETTINGS =====

# List all authentication settings
auth_settings = client.auth_setting.list()
print(f"Found {len(auth_settings)} authentication settings")

# Create new authentication settings for Windows
windows_auth = client.auth_setting.create({
    "name": "windows_auth",
    "authentication_profile": "windows-profile",
    "os": "Windows",
    "user_credential_or_client_cert_required": True,
    "folder": "Mobile Users"
})
print(f"Created authentication settings: {windows_auth.name}")

# Move authentication settings to the top of evaluation order
client.auth_setting.move({
    "name": "windows_auth",
    "where": "top"
})
print("Moved Windows authentication settings to the top")

# ===== WORKING WITH AGENT VERSIONS =====

# List all available GlobalProtect agent versions
agent_versions = client.agent_version.list()
print(f"Found {len(agent_versions)} GlobalProtect agent versions")

# Filter for specific versions
filtered_versions = client.agent_version.list(version="5.3")
print(f"Found {len(filtered_versions)} versions containing '5.3'")

# Fetch a specific version
try:
    version = client.agent_version.fetch("5.3.0")
    print(f"Found specific version: {version}")
except Exception as e:
    print(f"Version not found: {str(e)}")

# ===== COMMIT CHANGES =====

# Commit all changes to apply them to the firewall
commit_result = client.commit(
    folders=["Texas", "Mobile Users"],
    description="Updated configurations via unified client",
    sync=True  # Wait for commit to complete
)

# Check commit status
job_status = client.get_job_status(commit_result.job_id)
print(f"Commit job status: {job_status.data[0].status_str}")

Available Client Services

The following table shows all services available through the unified client interface:

Client Property Description
Objects
address IP addresses, CIDR ranges, and FQDNs for security policies
address_group Static or dynamic collections of address objects
application Custom application definitions and signatures
application_filter Filters for identifying applications by characteristics
application_group Logical groups of applications for policy application
dynamic_user_group User groups with dynamic membership criteria
external_dynamic_list Externally managed lists of IPs, URLs, or domains
hip_object Host information profile match criteria
hip_profile Endpoint security compliance profiles
http_server_profile HTTP server configurations for logging and monitoring
log_forwarding_profile Configurations for forwarding logs to external systems
quarantined_device Management of devices blocked from network access
region Geographic regions for policy control
schedule Time-based policies and access control
service Protocol and port definitions for network services
service_group Collections of services for simplified policy management
syslog_server_profile Syslog server configurations for centralized logging
tag Resource classification and organization labels
Network
ike_crypto_profile IKE crypto profiles for VPN tunnels
ike_gateway IKE gateway configurations for VPN tunnel endpoints
ipsec_crypto_profile IPsec crypto profiles for VPN tunnel encryption
nat_rule Network address translation policies for traffic routing
security_zone Security zones for network segmentation
Mobile Agent
auth_setting GlobalProtect authentication settings by operating system
agent_version Available GlobalProtect agent versions (read-only)
Deployment
bandwidth_allocation Bandwidth allocation settings for regions and service nodes
bgp_routing Global BGP routing preferences and behaviors
internal_dns_servers DNS server configurations for domain resolution
network_location Geographic network locations for service connectivity
remote_network Secure branch and remote site connectivity configurations
service_connection Service connections to cloud service providers
Security
security_rule Core security policies controlling network traffic
anti_spyware_profile Protection against spyware, C2 traffic, and data exfiltration
decryption_profile SSL/TLS traffic inspection configurations
dns_security_profile Protection against DNS-based threats and tunneling
url_category Custom URL categorization for web filtering
vulnerability_protection_profile Defense against known CVEs and exploit attempts
wildfire_antivirus_profile Cloud-based malware analysis and zero-day protection

Check out the Client Module documentation for more information on the unified client interface and the available services.

For information about specific service objects, proceed to the Configuration Objects section.

To learn more about the data models used by the SDK, proceed to the Data Models section, which explains how the Python dictionaries that are passed into the SDK are structured.