Python SDK for Palo Alto Networks Strata Cloud Manager.
NOTE: Please refer to the GitHub Pages documentation site for all examples
- Strata Cloud Manager SDK
- Flexible Authentication:
- OAuth2 client credentials flow for standard authentication
- Bearer token support for scenarios with pre-acquired tokens
- Resource Management: Create, read, update, and delete configuration objects such as addresses, address groups, applications, regions, internal DNS servers, and more.
- Data Validation: Utilize Pydantic models for data validation and serialization.
- Exception Handling: Comprehensive error handling with custom exceptions for API errors.
- Extensibility: Designed for easy extension to support additional resources and endpoints.
For developers working on this SDK:
- Service File Standards: See
SDK_STYLING_GUIDE.mdfor comprehensive service file guidelines - Model Standards: See
CLAUDE_MODELS.mdfor Pydantic model patterns and conventions - Templates: Use
SDK_SERVICE_TEMPLATE.pyas a starting point for new services - Claude Code Integration: Reference
CLAUDE.mdfor AI-assisted development guidelines
Requirements:
- Python 3.10 or higher
Install the package via pip:
pip install pan-scm-sdkBy default, the SDK verifies TLS certificates for all HTTPS requests. You can bypass TLS verification (for development or testing) by setting the verify_ssl flag to False when initializing Scm or ScmClient:
from scm.client import ScmClient
client = ScmClient(
client_id="...",
client_secret="...",
tsg_id="...",
verify_ssl=False, # WARNING: disables TLS verification!
)Warning: Disabling TLS verification is insecure and exposes you to man-in-the-middle attacks. Only use
verify_ssl=Falsein trusted development environments.
Before interacting with the SDK, you need to authenticate:
from scm.client import ScmClient
# Initialize the API client with OAuth2 client credentials
api_client = ScmClient(
client_id="your_client_id",
client_secret="your_client_secret",
tsg_id="your_tsg_id",
)
# The SCM client is now ready to useIf you already have a valid OAuth token, you can use it directly:
from scm.client import Scm
# Initialize the API client with a pre-acquired bearer token
api_client = Scm(
access_token="your_bearer_token"
)
# The SCM client is now ready to useNOTE: When using bearer token authentication, token refresh is your responsibility. For commit operations with bearer token auth, you must explicitly provide the
adminparameter.
# Example of commit with bearer token authentication
api_client.commit(
folders=["Texas"],
description="Configuration changes",
admin=["[email protected]"], # Required when using bearer token
sync=True
)The unified client provides access to the following services through attribute-based access:
| Client Property | Description |
|---|---|
| Objects | |
address |
IP addresses, CIDR ranges, and FQDNs for security policies |
address_group |
Static or dynamic collections of address objects |
application |
Custom application definitions and signatures |
application_filter |
Filters for identifying applications by characteristics |
application_group |
Logical groups of applications for policy application |
auto_tag_action |
Automated tag assignment based on traffic and security events |
dynamic_user_group |
User groups with dynamic membership criteria |
external_dynamic_list |
Externally managed lists of IPs, URLs, or domains |
hip_object |
Host information profile match criteria |
hip_profile |
Endpoint security compliance profiles |
http_server_profile |
HTTP server configurations for logging and monitoring |
log_forwarding_profile |
Configurations for forwarding logs to external systems |
quarantined_device |
Management of devices blocked from network access |
region |
Geographic regions for policy control |
schedule |
Time-based policies and access control |
service |
Protocol and port definitions for network services |
service_group |
Collections of services for simplified policy management |
syslog_server_profile |
Syslog server configurations for centralized logging |
tag |
Resource classification and organization labels |
| Mobile Agent | |
auth_setting |
GlobalProtect authentication settings |
agent_version |
GlobalProtect agent versions (read-only) |
| Network | |
ike_crypto_profile |
IKE crypto profiles for VPN tunnel encryption |
ike_gateway |
IKE gateways for VPN tunnel endpoints |
ipsec_crypto_profile |
IPsec crypto profiles for VPN tunnel encryption |
nat_rule |
Network address translation policies for traffic routing |
security_zone |
Security zones for network segmentation |
| Deployment | |
bandwidth_allocation |
Bandwidth allocation management for network capacity planning |
bgp_routing |
BGP routing configuration for network connectivity |
internal_dns_server |
Internal DNS server configurations for domain resolution |
network_location |
Geographic network locations for service connectivity |
remote_network |
Secure branch and remote site connectivity configurations |
service_connection |
Service connections to cloud service providers |
| Security | |
security_rule |
Core security policies controlling network traffic |
anti_spyware_profile |
Protection against spyware, C2 traffic, and data exfiltration |
decryption_profile |
SSL/TLS traffic inspection configurations |
dns_security_profile |
Protection against DNS-based threats and tunneling |
url_category |
Custom URL categorization for web filtering |
vulnerability_protection_profile |
Defense against known CVEs and exploit attempts |
wildfire_antivirus_profile |
Cloud-based malware analysis and zero-day protection |
| Setup | |
device |
Device resources and management |
folder |
Folder organization and hierarchy |
label |
Resource classification and simple key-value object labels |
snippet |
Reusable configuration snippets |
variable |
Typed variables with flexible container scoping |
Before starting development, please review:
SDK_STYLING_GUIDE.md- Comprehensive guide for writing consistent SDK codeCLAUDE_MODELS.md- Guidelines for creating Pydantic modelsSDK_SERVICE_TEMPLATE.py- Template for new service filesWINDSURF_RULES.md- Overall project standards
-
Clone the repository:
git clone https://github.com/cdot65/pan-scm-sdk.git cd pan-scm-sdk -
Install dependencies and pre-commit hooks:
make setup
Alternatively, you can install manually:
poetry install poetry run pre-commit install
This project uses ruff for linting and formatting:
# Run linting checks
make lint
# Format code
make format
# Auto-fix linting issues when possible
make fixWe use pre-commit hooks to ensure code quality before committing:
# Run pre-commit hooks on all files
make pre-commit-allThe following checks run automatically before each commit:
- ruff linting and formatting
- Trailing whitespace removal
- End-of-file fixer
- YAML/JSON syntax checking
- Large file detection
- Python syntax validation
- Merge conflict detection
- Private key detection
We welcome contributions! To contribute:
- Fork the repository.
- Create a new feature branch (
git checkout -b feature/your-feature). - Make your changes, ensuring all linting and tests pass.
- Commit your changes (
git commit -m 'Add new feature'). - Push to your branch (
git push origin feature/your-feature). - Open a Pull Request.
Ensure your code adheres to the project's coding standards and includes tests where appropriate.
This project is licensed under the Apache 2.0 License. See the LICENSE file for details.
For support and questions, please refer to the SUPPORT.md file in this repository.
Detailed documentation is available on our GitHub Pages documentation site.