https://live.paloaltonetworks.com/t5/general-articles/automating-the-palo-alto-ngfw-s-process-deamon-restarts-with/ta-p/1253717 <DIV class="lia-message-template-content-zone"> <P>In my previous article, <I data-index-in-node="24" data-path-to-node="6">“<A href="https://live.paloaltonetworks.com/t5/community-blogs/automating-the-palo-alto-ngfw-s-process-deamon-restarts/ba-p/531963" target="_blank" rel="noopener">Automating the Palo Alto NGFW's Process/Deamon Restarts</A>,”</I> I detailed how to orchestrate process restarts using TCL Expect paired with Bash scripts. While TCL Expect remains a classic approach for SSH-based network automation, modern engineering workflows are far better served by utilizing Python alongside the <CODE data-index-in-node="336" data-path-to-node="6">pexpect</CODE> module. <I data-index-in-node="352" data-path-to-node="6">(I highly recommend reviewing that original article for foundational context).</I></P> <P>&nbsp;</P> <P>I also previously demonstrated how to achieve this scale using Ansible AWX inside LIVEcommunity (<I data-index-in-node="97" data-path-to-node="7">“<A href="https://live.paloaltonetworks.com/t5/general-articles/use-ansible-awx-to-automate-the-palo-alto-ngfw-s-management-and/ta-p/1252412" target="_blank" rel="noopener">Use Ansible AWX to automate the Palo Alto NGFW's management and even Process/Daemon Restarts!</A>”</I>). <SPAN class="citation-511">However, if your environment already runs </SPAN><STRONG data-index-in-node="237" data-path-to-node="7"><SPAN class="citation-511">Cortex XSOAR</SPAN></STRONG><SPAN class="citation-511"> or </SPAN><STRONG data-index-in-node="253" data-path-to-node="7"><SPAN class="citation-511">Cortex XSIAM</SPAN></STRONG><SPAN class="citation-511 citation-end-511">, spinning up an entire multi-container Ansible AWX infrastructure—potentially managed on top of Kubernetes (K8s)—just to trigger a process restart is likely excessive.</SPAN></P> <P>&nbsp;</P> <P><SPAN class="citation-511 citation-end-511">Because Cortex XSOAR already features robust, native content packs for standard PAN-OS commands (<A href="https://cortex.marketplace.pan.dev/marketplace/details/PANOS/" target="_blank" rel="noopener">available via the Palo Alto Networks Marketplace</A>), we can streamline the architecture. By embedding a custom <CODE data-index-in-node="206" data-path-to-node="8">pexpect</CODE> script directly into XSOAR, the process restart logic integrates cleanly into a broader, automated CI/CD pipeline without the overhead of external container orchestrators.</SPAN></P> <P>&nbsp;</P> <span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="nikoolayy1_0-1778420526161.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/71379iD9B52E9967853F4E/image-size/large?v=v2&amp;px=999" role="button" title="nikoolayy1_0-1778420526161.png" alt="nikoolayy1_0-1778420526161.png" /></span> <P>&nbsp;</P> <P>To get started, you will need an environment running Ubuntu with Python 3 (installed by default in recent Ubuntu distributions). We recommend using a Python virtual environment (<CODE data-index-in-node="178" data-path-to-node="9">venv</CODE>) to isolate your <CODE data-index-in-node="200" data-path-to-node="9">pip</CODE> packages. Think of a virtual environment as one of the original forms of virtualization pre-dating Docker containers—though, as demonstrated at the end of this guide, building a dedicated container remains a highly effective option as well.</P> <P>&nbsp;</P> <LI-CODE lang="markup">python3 --version Python 3.12.3 apt install -y python3-venv python3 -m venv /home/niki/panos-venv source /home/niki/panos-venv/bin/activate pip install pexpect packaging </LI-CODE> <P>&nbsp;</P> <P>The script below demonstrates how to programmatically restart a specific daemon process across multiple Palo Alto Networks firewalls sequentially. The script reads targeted firewall management IP addresses or hostnames line-by-line from a local file named <CODE data-index-in-node="256" data-path-to-node="4">firewalls.txt</CODE> located in the same directory.</P> <P>&nbsp;</P> <LI-CODE lang="python">#!/usr/bin/env python3 import pexpect import sys import getpass USERNAME = input("Username: ") PASSWORD = getpass.getpass("Password: ") # # Process variable # PROCESS_NAME = "web-server" PROMPT = r"\S+@\S+&gt;" with open("firewalls.txt") as f: FW_LIST = [line.strip() for line in f if line.strip()] for FW_IP in FW_LIST: print(f"\n===== CONNECTING TO {FW_IP} =====\n") child = pexpect.spawn( f"ssh -tt -o StrictHostKeyChecking=no {USERNAME}@{FW_IP}", encoding="utf-8", timeout=120 ) child.logfile = sys.stdout # # Login # child.expect("Password:") child.sendline(PASSWORD) child.expect(PROMPT) # # CLI settings # child.sendline("set cli scripting-mode on") child.expect(PROMPT) child.sendline("set cli pager off") child.expect(PROMPT) child.sendline("set cli terminal width 500") child.expect(PROMPT) # # Restart process # COMMAND = f"debug software restart process {PROCESS_NAME}" print(f"\nRunning command: {COMMAND}\n") child.sendline(COMMAND) # # Wait for command echo # child.expect(COMMAND) # # Wait for prompt # child.expect(PROMPT) output = child.before print("\n========== COMMAND OUTPUT ==========\n") print(output) print("\n====================================\n") # # Exit # child.sendline("exit") child.expect(pexpect.EOF) print(f"\nSession closed for {FW_IP}\n")</LI-CODE> <P>&nbsp;</P> <P data-path-to-node="3">Below is an example execution trace running the automation script. The username and password credentials are securely collected at runtime via prompt inputs, and the target firewall parameters are parsed sequentially out of the local <CODE data-index-in-node="234" data-path-to-node="3">firewalls.txt</CODE> file.</P> <P data-path-to-node="3">&nbsp;</P> <P data-path-to-node="4">In this execution log, the script successfully authenticates to the firewall, configures the terminal environment variables, and executes the target daemon restart command:</P> <P>&nbsp;</P> <LI-CODE lang="markup"> python restart-script.py sslmgr Username: admin Password: ===== CONNECTING TO 192.168.1.108 ===== (admin@192.168.1.108) Password: xxxx Last login: Sun May 10 09:12:46 2026 from 192.168.1.106 Number of failed attempts since last successful login: 0 admin@PA-VM&gt; set cli scripting-mode on admin@PA-VM&gt; set cli scripting-mode on set cli pager off set cli terminal width 500 Running command: debug software restart process sslmgr debug software restart process sslmgr set cli pager off admin@PA-VM&gt; set cli terminal width 500 admin@PA-VM&gt; debug software restart process sslmgr admin@PA-VM&gt; ========== COMMAND OUTPUT ========== ==================================== exit exit Process sslmgr was restarted by user admin admin@PA-VM&gt; Connection to 192.168.1.108 closed. Session closed for 192.168.1.108 </LI-CODE> <P>&nbsp;</P> <P>The source code for this automation script is available on my GitHub repository:</P> <P>&nbsp;</P> <P>&nbsp;<A href="https://github.com/Nikoolayy1/palo-alto-python-scripts/tree/main" target="_blank" rel="noopener">Nikoolayy1/palo-alto-python-scripts</A></P> <P>&nbsp;</P> <P>For almost all other operational and configuration tasks, I highly recommend using the&nbsp;<A href="https://pan-os-python.readthedocs.io/en/latest/getting-started.html" target="_blank" rel="noopener">Palo Alto Networks PAN-OS SDK for Python 1.12.1 documentation</A>.</P> <P>&nbsp;</P> <P>If you try to run a standard operational command like <CODE data-index-in-node="54" data-path-to-node="6">show system info</CODE> via raw SSH and extract specific values (such as the software version) using Python's <CODE data-index-in-node="157" data-path-to-node="6">re</CODE> (regex) or <CODE data-index-in-node="171" data-path-to-node="6">xml</CODE> modules, you will quickly find that parsing raw text or complex XML schemas is incredibly difficult and prone to breaking. Just stick with the&nbsp; Python SDK that uses the API and only use the pexpect module for process restarts.</P> <P>&nbsp;</P> <P>For the python SDK you will need the below python packages:</P> <LI-CODE lang="markup">pip install pan-os-python pip install setuptools</LI-CODE> <P>&nbsp;</P> <P>Example code is:</P> <P>&nbsp;</P> <LI-CODE lang="python"> fw = Firewall( hostname=FW_IP, api_username=USERNAME, api_password=PASSWORD, ) result = fw.op("show system info") sw_version = result.find(".//sw-version").text hostname = result.find(".//hostname").text logdb_version = result.find(".//logdb-version").text print("hostname:", hostname) print("sw-version:", sw_version) print("logdb-version:", logdb_version</LI-CODE> <P>&nbsp;</P> <P data-path-to-node="1">Emphasizing the power of combining the two tools (the Python SDK for conditional checking and <CODE data-index-in-node="139" data-path-to-node="1">pexpect</CODE> for execution) to build smart automation.</P> <P data-path-to-node="3">&nbsp;</P> <P data-path-to-node="3">You can find a complete, end-to-end example on my GitHub repository demonstrating how to combine these two methodologies effectively.</P> <P data-path-to-node="4">The complete script uses the PAN-OS Python SDK to cleanly query the firewall's current software version. If the SDK detects a specific target baseline—for instance, PAN-OS <CODE data-index-in-node="172" data-path-to-node="4">10.1.4</CODE>—the script then conditionally triggers the fallback <CODE data-index-in-node="231" data-path-to-node="4">pexpect</CODE> SSH routine to perform the daemon process restart.</P> <P data-path-to-node="5">Attempting to build this type of conditional logic using legacy TCL Expect would be extraordinarily difficult. Fetching raw SSH output, passing it across tools, and attempting to parse the string variables manually using regex or Bash filters is simply too fragile for modern production workflows. Combining the native SDK with <CODE data-index-in-node="328" data-path-to-node="5">pexpect</CODE> provides a highly robust, enterprise-ready automation wrapper.</P> <P>&nbsp;</P> <P><A href="https://github.com/Nikoolayy1/palo-alto-python-scripts/blob/main/restart-if-version.py" target="_blank" rel="noopener">palo-alto-python-scripts/restart-if-version.py at main · Nikoolayy1/palo-alto-python-scripts</A></P> <P>&nbsp;</P> <P data-path-to-node="3">To package your automation dependencies seamlessly and ensure your scripts run consistently across your entire team, you can wrap your environment inside a Docker container.</P> <P data-path-to-node="4">&nbsp;</P> <P data-path-to-node="4">The configuration below establishes a persistent volume mount between your host operating system's directory (<CODE data-index-in-node="110" data-path-to-node="4">&lt;home directory&gt;/scripts/py</CODE>) and the container workspace. This allows you to easily share and modify Python scripts on your local system while the container handles the secure execution baseline.</P> <P>&nbsp;</P> <LI-CODE lang="markup">cat Dockerfile FROM python:3.11-slim RUN apt-get update &amp;&amp; apt-get install -y \ openssh-client \ sshpass \ iputils-ping \ curl \ &amp;&amp; rm -rf /var/lib/apt/lists/* RUN pip install --no-cache-dir \ pexpect \ packaging \ pan-os-python WORKDIR /app COPY . /app CMD ["/bin/bash"] docker build -t panos-python:1.0 . docker run -it --rm -v /home/niki/scripts/py:/app panos-python:1.0</LI-CODE></DIV> Tue, 09 Jun 2026 13:30:44 GMT nikoolayy1 2026-06-09T13:30:44Z https://live.paloaltonetworks.com/t5/general-articles/automating-the-palo-alto-ngfw-s-process-deamon-restarts-with/ta-p/1253717 <P>Discover how to streamline your Palo Alto Networks NGFW operations by leveraging the power of Python, <CODE data-index-in-node="276" data-path-to-node="2">pexpect</CODE>, and the PAN-OS Python SDK to conditionally trigger daemon process restarts. Learn how to integrate this lean logic straight into your Cortex XSOAR/XSIAM CI/CD pipelines or package it seamlessly across your team using Docker containers.</P> Tue, 09 Jun 2026 13:30:44 GMT https://live.paloaltonetworks.com/t5/general-articles/automating-the-palo-alto-ngfw-s-process-deamon-restarts-with/ta-p/1253717 nikoolayy1 2026-06-09T13:30:44Z https://live.paloaltonetworks.com/t5/general-articles/automating-the-palo-alto-ngfw-s-process-deamon-restarts-with/tac-p/1255770#M862 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/153031">@nikoolayy1</a>&nbsp;Terrific breakdown! I really appreciate the context you provided around Cortex XSOAR!</P> Tue, 09 Jun 2026 21:12:35 GMT https://live.paloaltonetworks.com/t5/general-articles/automating-the-palo-alto-ngfw-s-process-deamon-restarts-with/tac-p/1255770#M862 crasmussen 2026-06-09T21:12:35Z https://live.paloaltonetworks.com/t5/general-articles/automating-the-palo-alto-ngfw-s-process-deamon-restarts-with/tac-p/1255899#M864 <P>Another great contribution <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/153031">@nikoolayy1</a>,&nbsp;thank you for sharing! The depth of knowledge and practical experience you bring to your content is always evident, and it is a real benefit to the community. Appreciate you taking the time to share your expertise.&nbsp;<span class="lia-unicode-emoji" title=":folded_hands:">🙏</span></P> Wed, 10 Jun 2026 16:00:29 GMT https://live.paloaltonetworks.com/t5/general-articles/automating-the-palo-alto-ngfw-s-process-deamon-restarts-with/tac-p/1255899#M864 Masharad 2026-06-10T16:00:29Z