Perl Scripting to FW

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.

Perl Scripting to FW

L1 Bithead

So I got help from support and they gave me this nifty Perl example on how to get output from the firewalls.

However, I need to assign that output from the show command to a variable for further manipulation.  That was the whole purpose.

Does anyone know how to assign the outputs from the show commands to a variable?


And below is the script example:



use strict;

my $cmd = "ssh ssh\@";

my $line = "show system info";

open CLI, " | $cmd ";

print CLI "$line\n";

close CLI;


L1 Bithead

What do you want to do?

It's already saved in the $line variable. If you want to process it using the same script just use that variable,

The value of the variable $line is "show system info" ...  Printing $line gives me ... "show system info".

What I need is the output from the show command.

I want to assign that to a variable or be able to manipulate/parse it in the script to get meaningful information.

L1 Bithead

Ok first let's check your code, is it working?

my $cmd = "ssh ssh\@";  # external command to run, I assume you're using a UNIX in your computer

my $line = "show system info";               # Command to run

open CLI, " | $cmd ";                          #Executing the external command, in this case SSH login, you cand find more info in the following link but I prefer to use the backstiks

print CLI "$line\n";                               # you have the CLI opened so you just put the command there and print it

close CLI;                                             # you close the SSH external session

You have a lot of ways to put this working, you can use the Net:SSH module

And create an script like this one:

use Net::SSH::Perl;                                                  #Loading the SSH module

my $cmd = shift;                         #command to execute

   my $ssh = Net::SSH::Perl->new($host);               #opening the SSH session

   $ssh->login($user, $pass);                                   #login into the session

   my($stdout, $stderr, $exit) = $ssh->cmd($cmd);   # the output will be saved in the $stdout varaible 

If your script is working may be you can try

@output = print CLI "$line\n";                                              # @ indicates it's an array

Also the easiest one is that you already set up SSH keys betwen the PA FW and your script machine.

my @output = `ssh root@ "which perl"`;

There is more info in the next link

L0 Member

You need two pipes one for input and one for output, this document goes over using pipes in Perl,

Pipes (Programming Perl)

In the example CLI is a unidirectional pipe so the output will need to be returned through another pipe.

The example below will not work to get data back,

@output = print CLI "$line\n";

This example uses two pipes, it does require an extra library and you may have problems with line buffering.

use IPC::Open2;

open2(\*INPUT, \*OUTPUT, 'ssh ssh\@firewall');

print OUTPUT "show system info";

foreach $line (<INPUT>) {

     print "$line";


close INPUT;

close OUTPUT;

L1 Bithead

Neither methods seem to work with the palo alto.

They just hang after I enter my password...

I was able find the PAN::CLI module and was able to issue operation commands successfully.  However it seems to be one lined commands and very restrictive in what I can do.

I opened the PAN::CLI file and it uses the expect module to do most of it's work.

I can't follow it beyond that.

I just basically need a perl script example, that gets me to the basic point of working.

After doing some further reading I believe that you are having problems with line buffering as ssh doesn't auto flush the buffer.

I found this doc, PAN-perl: command line and Perl interface to PAN-OS XML API and CLI

I am working on reading through it now, it appears to cover aml api accesses to the PA also.

I was able to use the pancli tool that is part of PAN-perl-20121110.tar.gz

pancli lets you run a command on the PA and returns the output. I was able to make it work with only one pipe and it does not require buffer auto flushing. I wrote and tested the script on Debian 7 and I had to install the following library s,




The README file in PAN-perl-20121110.tar.gz covers the installation


use strict;


# run command on PA using "pancli"

# pancli is part of PAN-perl-20121110.tar.gz, found at


# the script runs the "show system info"print out each

# then prints each line

my $pa_cmd = "show system info";

my $raw_system_info;

# run command and catch returned data

$raw_system_info = pa_ctl($pa_cmd);

# send system data to be printed


sub pa_ctl {

   my $opperation = shift;

   my $cmd = 'pancli -l user:password -h';

   my $line;

   my $system_data;

   my @data;

   # pipe $opperation through pancli

   open PAN, "$cmd \"$opperation\" |";

   foreach $line (<PAN>) {

      chomp $line;

      push @data, $line;


   close PAN;

   $system_data = join ",", @data;

   return $system_data;


sub display_system_info {

   my $info = shift;

   my $i = 0;

   my $line;

   my $num_lines;

   my @system_info;

   @system_info = split ",", $info;

   $num_lines = @system_info;

   print "$num_lines lines of output\n";

   # print line number and line of info

   foreach $line (@system_info) {

      print "$i :-: $line\n";




pancli is a wrapper around PAN::CLI and the CLI_operational_mode_exec() method.  for documentation use 'perldoc'

I was able to use PAN:CLI to do one operational command.

What I need to do is run multiple commands and save output to a file or variable.

For example, I want all the shared addresses, address-groups, pre-rulebase security rules, etc.

That would require going into configure mode, running "show shared address", "show shared address-group", etc

Unfortunately, none of the scripts allow me to do that.

So far the only thing I've been able to do is use your first script but add the commands into an array.


use strict;

my $cmd = "ssh user\@";

my $line = "show system info";

my @cli;

push(@cli, "set cli config-output-format set\n");

push(@cli, "configure\n");

push(@cli, "show shared address\n");

push(@cli, "show shared address-group\n");

push(@cli, "show shared pre-rulebase security\n");

push(@cli, "exit\n");

push(@cli, "exit\n");

open CLI, " | $cmd ";

print CLI @cli;

close CLI;

However, it doesn't allow me for further manipulation.  I have to copy the contents and paste into a new file.  Which can be tedious.  It would be nice to have a script that can do that.  It doesn't have to be perl.  I would learn python if there is an easy way to ssh and run those commands all in session and be able to manipulate them in the end.

L3 Networker
  • 10 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!