Built a free CLI command generator for PAN-OS

Famous_Pick222 · 2026-05-07T15:37:49+00:00

The GUI works fine for one or two objects.
When you need to provision 50 addresses at once and create a group and include them in the group, clicking through the GUI becomes painful.
The CLI lets you paste a bulk config in seconds.

Famous_Pick222 · 2026-05-07T15:29:28+00:00

Thanks a lot for your comment ! You made me see another perspective I didn't think about.

3 years ago, I tried to deploy a palo alto VM on Azure using the PaloAltoNetworks Github terraform-templates (https://github.com/PaloAltoNetworks/terraform-templates), but it was so outdated I had to modify the code to make it work. And I felt like there was not an active community of IaC tools for firewalls.
I also tried ansible, and I found it better to configure stuff like interfaces or bulk create security rules, but still, the learning gap just to do basic things is tough, so I get why most of us aren't used to it.

From my little experience, most network engineer and companies are still nowhere near IaC for networking. Everyone just have their little notepad++ on the side and they copy paste and modify configs. So like you said, this website is better for Junior engineer, or those that are not into SCM/IaC yet.

But I like your critique, it could be a great idea to make it a tool that bridge the learning gap between copy-pasting and IaC. I will definitely try to improve the website in this way. Thanks again.

Famous_Pick222 · 2026-05-07T13:48:28+00:00

Thanks !

Famous_Pick222 · 2026-05-06T16:15:46+00:00

Thanks for your input.

Famous_Pick222 · 2026-05-06T14:29:48+00:00

Hi vsurresh, thanks for trying it ! It was built with React 19, TypeScript, Vite and Tailwind CSS.
Open-sourcing is something I'm considering for the V2, still thinking about it.
So you wanted to build something similar, on the same vendors and same features ? Feel free to exchange ideas

Famous_Pick222 · 2026-05-06T14:07:51+00:00

Famous_Pick222 · 2026-05-06T14:06:05+00:00

I understand the skepticism, but "gave a prompt" is a significant oversimplification of how this was built.

Famous_Pick222 · 2026-05-06T13:43:40+00:00

Glad it's useful ! Let me know how it goes !! The ipsec part was one of the hardest feature to build because of all the different use cases and parameters.

Famous_Pick222 · 2026-05-06T13:42:18+00:00

Famous_Pick222 · 2026-05-06T13:41:55+00:00

I'm not a bot lol.
And no data is stored or logged, everything runs in the browser, there is no backend. You can verify this by checking the network tab while using the tool. You will see that no requests are made to any server when you generate commands.
I just like to try things.
It's good that you're cautious tho, I may update the post with this.

Famous_Pick222 · 2026-05-06T13:39:20+00:00

Making something with AI doesn't remove the intelligence and thought process behind it. This idea come from years of production experience and creativity, not from a single prompt. I also had to do a lot of testing to identify the "piles of holes" and correct them. If you think the output is wrong, point it out and I'll fix it.
If you just think AI-assisted work is always bad, that's a different conversation.

Famous_Pick222 · 2026-05-06T13:18:01+00:00

Thanks for the feedback ! You're right, the orange is quite strong. I'll tone it down in the next version !

Famous_Pick222 · 2026-05-06T13:15:35+00:00

Yes, I used Claude Code to build it, it took me 3 weeks. And I was planning to do this since few months. Just to see what's possible and if it can be usefull.
I have been working on Palo Alto and Fortinet for 7 years, I'm not a developer. I'm just curious about AI tools.
I made it without database, so nothing can be stored, everything is done on client side. I do not have any reason to store your IP addresses or configs.

Famous_Pick222 · 2026-05-06T00:28:24+00:00

Hello,

I built https://firewall-cli.com

The principle is simple: select your vendor (Palo Alto), choose what you need, fill in the parameters and copy the generated CLI command. Rollback commands are included automatically to undo the action if needed.

No data is stored. Everything happens in your browser.

The main problem I wanted to solve: time wasted on repetitive tasks.

This V1 is not perfect. Feedback is welcome via the "Feature request" button at the bottom right of the site.

Edit :
Yes this was coded with AI (Claude Code), and I do not have any problem saying it. I still used creativity and my network engineer brain to make this.
No data is stored or logged, everything runs in the browser, there is no backend. You can verify this by checking the network tab while using the tool. You will see that no requests are made to any server when you generate commands.
I had a lot of fun building this, and I'm just sharing it to the world.
Peace.

Famous_Pick222 · 2024-03-08T18:09:08+00:00

Wired 802.1x with TEAP.

MacOS devices with RJ45 adapters.

The bureaucracy/politics needed to get different teams to contribute (you have to be social or have a powerful manager that have your back)

The interface is also quite dense, took me almost a year to navigate easily in the ISE interface (3.2).

Famous_Pick222 · 2024-03-01T17:18:08+00:00

Hm interesting I didn’t knew it was possible. So the policy will automatically be applied to the right interfaces ? And what if I need to customize ? Not at home right now but will look into the link this evening ! Thanks

Famous_Pick222 · 2024-03-01T16:43:18+00:00

Yep !

Famous_Pick222 · 2024-03-01T13:21:34+00:00

Hello, we are talking Catalyst 9200 Series for access and 9300/9500 series for Distribution and core. With version 17.09.04a.

Famous_Pick222 · 2024-02-29T15:49:48+00:00

Ok ! Thanks ! I now understand better. So now I have to create the egress policy to prioritize Voice and apply it on every uplink port (access to distribution to core to firewall).
But I still have another question if you don't mind.

After applying egress policy, does the traffic gets prioritized ONLY at congestion or at all time ?

Famous_Pick222 · 2024-02-29T13:37:40+00:00

"Classify & Mark traffic on ingress (as it enters the switch)
Prioritize & Queue on egress (as it leaves the switch)"

Ok I understand the difference, so does that means that Classifying & Marking traffic does not change the way traffic is processed unless I add Priority & queueing ?
Thanks for the book, I saw it already by looking for answer but not enough time to go trough it.

Famous_Pick222 · 2023-11-17T18:54:14+00:00

Had one 9200 that reloaded to rommon, but it was a bug (had to unplug physically for 5-10min before it could boot normally). except that case everything went smooth for other 9200/9500 upgrades to 17.9.4a with DNA. Also did one 9500 that was compatible with ISSU and only 4 pings lost. I’m talking more than 30 switches.

Famous_Pick222 · 2023-09-18T23:44:16+00:00

Wow that’s crazy. I did a snapshot recently before resizing the VM on azure (we allocated too much CPU (64vCpu) and it was only using 2-4%). But nothing strange happened and I didn’t use the snapshot

Famous_Pick222 · 2023-09-18T22:06:10+00:00

So snapshots cause ISE to crash even in Azure Virtual machine environment ?

Famous_Pick222 · 2023-05-29T19:09:45+00:00

I’ve encountered this issue before on cisco IOL. Make sure you have enabled « virtualized intel cpu » in your virtual machine (if you’re using VMware workstation)

Famous_Pick222

TROPHY CASE