Creating Loadable Configurations

The base templates are designed for variable substitution. The variables allow the template configurations to be modified for each deployment.

A jinja model for variables is used, with the form {{ variable }}.


The configuration templates for device and Panorama system include jinja ‘if’ conditionals. These are used by the tool to determine what IP information should be added regarding the management interface.

If the tool or jinja formats will not be used, remove the {% text %} statements. The user will also have to manually replace the variables in order for the config to load and commit.

Variables list and descriptions

The table below lists the template variables along with placeholder or recommended settings.

Variable name           Default value         Description
ADMINISTRATOR_USERNAME  admin                 superuser id; prompted when using build_my_config tool
ADMINISTRATOR_PASSWORD  admin [change first]  superuser password; prompted and hashed in build_my_config
FW_NAME                 sample                used for hostname and device-group/template in Panorama
TEMPLATE                sample_template       template for device specific configurations
STACK                   sample_stack          Panorama sample template stack
DEVICE_GROUP            sample_devicegroup    Panorama sample device-group name
DNS_1                   (Google)              primary DNS server
DNS_2                   (Google)              secondary DNS server
NTP_1                                         primary NTP server
NTP_2                                         secondary NTP server
SINKHOLE_IPV4                                 IPv4 sinkhole address (Palo Alto Networks)
SINKHOLE_IPV6           2600:5200::1          IPv6 sinkhole address (IPv6 bogon)
INTERNET_ZONE           internet              baseline exception for reports
EMAIL_PROFILE_GATEWAY                         email profile gateway address; NET-1 default
EMAIL_PROFILE_FROM                            from address for email alerts
EMAIL_PROFILE_TO                              to address for email alerts
SYSLOG_SERVER                                 syslog IP address; NET-1 unroutable default
CONFIG_EXPORT_IP                              config bundle export target from Panorama; NET-1 default
MGMT_TYPE               dhcp-client           Firewall mgmt IP type (dhcp-client or static)
MGMT_IP                                       Firewall mgmt IP if type=static
MGMT_MASK                                     Firewall netmask if type=static
MGMT_DG                                       Firewall default gateway if type=static
CONFIG_PANORAMA_IP      yes                   For build_my_config, determine if Panorama IP to be added
PANORAMA_TYPE           standard              Used in order to set mgmt interface for standard or cloud
PANORAMA_IP                                   Panorama IP if to be added to my_config
PANORAMA_MASK                                 Panorama netmask if to be added to my_config
PANORAMA_DG                                   Panorama default gateway if to be added to my_config
INCLUDE_PAN_EDL         yes                   Include the panw edl object security rules

Create Loadable Configuration python utility

The tools folder in the iron-skillet repo contains a simple python utility for variable substitution.

This tools folder can be found at

The directions below detail how to use the utility in a python virtual environment on Mac or Linux. Similar instructions can work for Windows with python and pip installed.


This tool is designed for Python 3.6 or later.

Install the repo and tools

The initial step is to clone the repo to a local machine with release panos_v8.0.

Clone using ssh:

$ git clone -b panos_v8.0

Clone using https:

After the repo is cloned locally, the following steps are used to setup and activate the python virtual environment.


The example below shows python version 3.6 in the second step. If using python 3.5 or 3.7, replace with the respective version.

$ cd iron-skillet/tools
$ python3.6 -m venv env
$ source env/bin/activate
(env)$ pip install -r requirements.txt

The virtual environment name is env and if active will likely be shown to the left of the command prompt. If successful, the iron-skillet templates and tools are now ready to use.

Update the variable values

Inside the tools directory, update the config_variables.yaml file then run The example shows the vi text editor but any text editor may be used.

(env)$ cd iron-skillet/tools  # if not already in the tools directory
(env)$ vi config_variables.yaml

Edit the config_variables.yaml file for your local deployment and save.

Key variables to edit include:

  • management interface type: static, dhcp-client, dhcp-cloud based on firewall deployment
  • Panorama deployment type: standard or cloud based on Panorama deployment
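
A pre-flight check for the edited values and for a config whose variables were replaced by hand, as an added example that is not part of the iron-skillet tools. The function name preflight, the dict layout and the sample config lines are assumptions constructed for illustration; the addresses come from documentation ranges.

```python
import ipaddress
import re

# Jinja markers that survived substitution: {{ VAR }} or {% ... %}
JINJA_LEFTOVER = re.compile(r"\{\{.*?\}\}|\{%.*?%\}")
MGMT_TYPES = {"static", "dhcp-client", "dhcp-cloud"}
PANORAMA_TYPES = {"standard", "cloud"}

# Constructed sample values (hypothetical, not the shipped config_variables.yaml)
SAMPLE_VARS = {
    "ADMINISTRATOR_PASSWORD": "admin", "MGMT_TYPE": "static",
    "PANORAMA_TYPE": "standard", "MGMT_IP": "192.0.2.10",
    "MGMT_MASK": "255.255.255.0", "MGMT_DG": "198.51.100.1",
}
# Constructed config fragment, not an iron-skillet template
SAMPLE_CONFIG = (
    "<hostname>{{ FW_NAME }}</hostname>\n"
    "{% if MGMT_TYPE == 'static' %}\n"
    "<ip-address>192.0.2.10</ip-address>\n"
    "{% endif %}\n"
)

def preflight(variables, rendered_config):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    # 1. Unreplaced markers keep the config from loading and committing.
    for lineno, line in enumerate(rendered_config.splitlines(), start=1):
        for marker in JINJA_LEFTOVER.findall(line):
            findings.append(f"line {lineno}: unreplaced marker {marker}")
    # 2. The default admin/admin credential must not be carried over.
    if variables.get("ADMINISTRATOR_PASSWORD") == "admin":
        findings.append("ADMINISTRATOR_PASSWORD is still the default")
    # 3. Enumerated values named in the variable list.
    for name, allowed in (("MGMT_TYPE", MGMT_TYPES), ("PANORAMA_TYPE", PANORAMA_TYPES)):
        if variables.get(name) not in allowed:
            findings.append(f"{name} must be one of {', '.join(sorted(allowed))}")
    # 4. A static management interface needs a consistent IP, mask and gateway.
    if variables.get("MGMT_TYPE") == "static":
        try:
            iface = ipaddress.ip_interface(f"{variables['MGMT_IP']}/{variables['MGMT_MASK']}")
            if ipaddress.ip_address(variables["MGMT_DG"]) not in iface.network:
                findings.append("MGMT_DG is outside the MGMT_IP/MGMT_MASK network")
        except (KeyError, ValueError) as exc:
            findings.append(f"static mgmt settings invalid: {exc}")
    return findings

if __name__ == "__main__":
    for finding in preflight(SAMPLE_VARS, SAMPLE_CONFIG):
        print(finding)
```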

Run the application

Ensure the variable values are correct and run the application.

(env)$ python3
>>> Enter the name of the output directory:
>>> Enter the superuser administrator account username:
>>> Enter the superuser administrator account password:

This will run the python utility and output set commands and full xml config files. Loadable configs are stored in the loadable_configs directory. The config folder prefix is based on the output directory name used when running the script.


You will be prompted for a username/password that will be used in the configuration file. A hash is created for the password so it is unreadable and the default admin/admin is removed. Remember the user/password information before committing to a running firewall or Panorama.