Paloalto
Palo Alto NGFW (PAN-OS) — security/NAT rules, address objects, services, commits
weave paloalto
Env: PANOS_HOSTNAME
Setup
Configure credentials via environment variables. We recommend sourcing them through 1Password or your secrets manager rather than committing them to the shell rc.
Official API reference
weave commands for this module are checked against the vendor's published API.
| Variable | Description | Status |
|---|---|---|
| PANOS_HOSTNAME | Required for authentication. | required |
| PANOS_API_KEY | Required for authentication. | required |
| PANOS_PORT | HTTPS management port (default: 443). | optional |
| PANOS_VSYS | Target vsys name (default: vsys1). | optional |
| PANOS_VERIFY_TLS | Set to 0 to skip TLS verification on lab firewalls. | optional |
Sanity-check the wiring:
weave secrets check
weave paloalto --help
weave doctor   # reports PANOS_HOSTNAME status
Capabilities
What this module can do, by entity and verb. ✓ means a working CLI surface; · means not (yet) wired.
| Entity | find | list | show | do | snapshot | diff | apply |
|---|---|---|---|---|---|---|---|
| address | ✓ | ✓ | · | · | · | · | · |
| address-group | · | ✓ | · | · | · | · | · |
| config | · | · | · | ✓ | · | · | · |
| nat-rule | · | ✓ | · | · | · | · | · |
| security-rule | ✓ | ✓ | · | ✓ | ✓ | ✓ | ✓ |
| service | · | ✓ | · | · | · | · | · |
Commands
Every registered CLI command, grouped by verb. Each example uses placeholder arguments — substitute real values for your environment.
find (2)
find address
read: Find an address object by name.
weave paloalto find address <name>
find security-rule
read: Find a security rule by name.
weave paloalto find security-rule <name>
list (5)
list address-groups
read: List address groups.
weave paloalto list address-groups <arg>
list addresses
read: List address objects.
weave paloalto list addresses <arg>
list nat-rules
read: List NAT rules (vsys1).
weave paloalto list nat-rules <arg>
list security-rules
read: List security rules (vsys1).
weave paloalto list security-rules <arg>
list services
read: List service objects.
weave paloalto list services <arg>
do (2)
do commit
write: Commit pending changes on the firewall.
weave paloalto do commit <arg>
do disable-rule
write: Disable a security rule by name.
weave paloalto do disable-rule <name>
snapshot → edit YAML → diff → apply --yes (or confirm interactively; apply --dry-run previews the same diff).
State kinds
Resources this module can snapshot and diff; apply where the kind supports live writes (see Round-trip per kind). Always run diff before apply; use --yes in automation only after review. Files live under .weave-state/paloalto/.
This module is on the thinner integration path — use snapshot / diff for audit; confirm apply per kind below before relying on writes.
security-rules
All security rules on the firewall (vsys1).
State file skeleton
module: paloalto
kind: security-rules
items:
  - # <fields specific to this kind — see snapshot output>
Workflows
End-to-end recipes from operators who already run this module in production. Copy, adapt, and put under change-control.
Security policy change with commit
Edit rules in YAML, review the diff, apply, then commit to activate.
weave paloalto snapshot security-rules
$EDITOR .weave-state/paloalto/security-rules.yaml
weave paloalto diff security-rules
weave paloalto apply security-rules --yes
weave paloalto do commit --yes
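The "review the diff" step is where a change-control gate belongs. As an added example (not weave's own code and not from this page), the check below compares two security-rules snapshots and flags the changes a firewall reviewer most wants surfaced before `apply --yes`; the rule field names (name, from, to, source, destination, action, disabled) are an assumption about the snapshot layout, so map them to the real fields shown in your snapshot output.

```python
"""Review gate for a weave security-rules diff (added example, not weave's own code).

Assumed layout: a snapshot's `items` is a list of rule dicts with PAN-OS-style fields
name, from, to, source, destination, action and disabled. BEFORE/AFTER are constructed
here; in practice they come from yaml.safe_load() of the two state files.
"""

def rule(name, zone_from, zone_to, source, destination, action, disabled=False):
    """Build one rule dict in the assumed snapshot layout."""
    return {"name": name, "from": zone_from, "to": zone_to, "source": source,
            "destination": destination, "action": action, "disabled": disabled}

# Constructed "before": the state captured by `weave paloalto snapshot security-rules`.
BEFORE = [
    rule("Allow-Internet-Outbound", ["trust"], ["untrust"], ["10.0.0.0/8"], ["any"], "allow"),
    rule("Deny-All", ["any"], ["any"], ["any"], ["any"], "deny"),
]
# Constructed "after": the edited YAML an operator wants to `apply`.
AFTER = [
    rule("Allow-Internet-Outbound", ["trust"], ["untrust"], ["any"], ["any"], "allow"),
    rule("Temp-Vendor-Access", ["untrust"], ["trust"], ["any"], ["any"], "allow"),
    rule("Deny-All", ["any"], ["any"], ["any"], ["any"], "deny", disabled=True),
]

def diff_rules(before, after):
    """Split two rule lists into (added, removed, changed), matched by rule name."""
    old = {r["name"]: r for r in before}
    new = {r["name"]: r for r in after}
    added = [new[n] for n in new if n not in old]
    removed = [old[n] for n in old if n not in new]
    changed = [(old[n], new[n]) for n in new if n in old and old[n] != new[n]]
    return added, removed, changed

def review_findings(before, after):
    """Reasons the diff should not go to `apply --yes` without a second reviewer."""
    findings = []
    added, removed, changed = diff_rules(before, after)
    for r in added:
        if r["action"] == "allow" and "any" in r["source"] and "any" in r["destination"]:
            findings.append(f"new any/any allow rule: {r['name']}")
    for r in removed:
        if r["action"] == "deny":
            findings.append(f"deny rule removed: {r['name']}")
    for o, n in changed:
        if n["action"] == "deny" and n["disabled"] and not o["disabled"]:
            findings.append(f"deny rule disabled: {n['name']}")
        if n["action"] == "allow" and "any" in n["source"] and "any" not in o["source"]:
            findings.append(f"source widened to any: {n['name']}")
    return findings
```

Wire it between `diff` and `apply`: a non-empty findings list should fail the pipeline step so the change waits for an explicit second approval instead of reaching `do commit`.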
Emergency block — disable one rule
weave paloalto find security-rule Allow-Internet-Outbound
weave paloalto do disable-rule Allow-Internet-Outbound --yes
weave paloalto do commit --yes
Audit address objects before a migration
weave paloalto list addresses
weave paloalto list address-groups
weave paloalto find address legacy-dc-01
NAT rule inventory
weave paloalto list nat-rules
weave paloalto list services
Terraform parity
For each Terraform resource in the canonical provider, here's the equivalent live-API verb in weave. Use this as a migration cheat-sheet, not a 1:1 contract — weave deliberately stays in the live-state lane, not the desired-state lane.
| Terraform resource | weave equivalent |
|---|---|
| panos_security_rule | weave paloalto snapshot/diff/apply security-rules + find/list security-rules + do disable-rule |
| panos_address_object | weave paloalto find/list addresses |
| panos_address_group | weave paloalto list address-groups |
| panos_service_object | weave paloalto list services |
| panos_nat_rule | weave paloalto list nat-rules (NAT rules are list-only today; snapshot/apply planned.) |
| panos_commit | weave paloalto do commit (weave separates candidate config edits from the explicit commit step, like the PAN-OS UI.) |
Troubleshooting & source
Run weave doctor: it reports which env vars (including PANOS_HOSTNAME) are set and which are blank.
Re-run weave paloalto diff <kind> to confirm the controller's current state, then re-snapshot before the next apply. The driver always re-snapshots before diffing.
The module lives at https://github.com/andy-broyles/weavewhatever/tree/main/src/weave/modules/paloalto. File a bug or feature request at https://github.com/andy-broyles/weavewhatever/issues.