Security & NAT policies
Browse and search every PAN-OS security and NAT rule with server-side filtering by zone, address, service, application, and action.
A self-hosted firewall analyzer for your Palo Alto estate.
SAMURAI reads your Palo Alto firewalls over the PAN-OS API and turns them into something searchable: security and NAT policies, decryption rules, address and service objects resolved to real protocols and ports, GlobalProtect and SSL-VPN sessions, and IPSec tunnels, with every configuration change detected and attributed to the admin who committed it. Self-hosted, air-gap friendly, and in the same dashboard as your FortiGate, Cisco, and the routers and switches around them.
Updated June 2026
What it reads from PAN-OS
Objects, resolved
Address and service groups (predefined, custom, and nested) expanded recursively at sync time, so a rule reads "HTTPS (tcp/443)", not an object name to chase.
Decryption policy visibility
SSL/TLS decryption rules surfaced next to the security policies they sit alongside.
VPN & GlobalProtect
IPSec tunnels, IKE gateways, GlobalProtect gateways, and SSL-VPN sessions in the same view as the policies that govern them.
Change tracking, commit-correlated
Every policy change diffed from real device state and attributed to the admin who committed it: PAN-OS edit-to-commit batches, not guesswork from logs.
Path tracing across the estate
Hop-by-hop path simulation through the Palo Alto firewalls plus the routers, switches, and ACI fabrics around them, with per-hop rule evaluation.
SAMURAI vs Panorama for visibility
Panorama is the Palo Alto management plane, built to push and provision policy across the Palo Alto fleet. SAMURAI is read-only and multi-vendor: it never changes configuration, and it sees your FortiGate and Cisco firewalls in the same dashboard. The two answer different questions.
Scope
SAMURAI
Palo Alto plus FortiGate, Cisco FMC/FTD, routers, switches, ACI, ISE, and vCenter in one view
Panorama
Palo Alto fleet management (single vendor)
Direction
SAMURAI
Read-only: it observes and reports, never pushes configuration
Panorama
Management plane: pushes and provisions policy
Change attribution
SAMURAI
Commit-correlated change timeline across every vendor, attributed to the admin
Panorama
Native admin and commit logs within Palo Alto
Deployment
SAMURAI
Single self-hosted Docker container, serving data in about five minutes
Panorama
Panorama appliance or VM, Palo Alto-licensed
If you manage a Palo Alto-only estate and need to provision policy, Panorama is the right tool. If you need to see and search your Palo Alto firewalls next to everything else on the network, and know who changed what, when, that is what SAMURAI is built for. Many teams run both.
Frequently asked questions
How does SAMURAI connect to Palo Alto?
Over the PAN-OS XML API, read-only. It pulls security and NAT policies, decryption rules, address and service objects, routing, and VPN/GlobalProtect state on a schedule and serves them from cache, so the dashboard is instant.
Does SAMURAI need Panorama?
No. It reads each firewall (or Panorama, if that is your management point) directly. It does not require Panorama and does not replace it: SAMURAI is read-only visibility, Panorama is the management plane.
Are service and address objects resolved?
Yes. Predefined, custom, and nested service and address groups are expanded recursively at sync time and annotated with real protocols and ports, so a rule reads "HTTPS (tcp/443)" instead of an object name.
How are Palo Alto changes attributed?
SAMURAI groups PAN-OS audit entries by edit-to-commit batches, so each detected policy change is tied to the admin who committed it, not inferred from syslog.
Can it run air-gapped?
Yes. One self-contained Docker image, an offline IEEE OUI database, and no telemetry. Nothing leaves your perimeter.
See your Palo Alto firewalls in one place.
Self-hosted, air-gap friendly, read-only. See it run against your own fleet.