Palo Alto Firewall Analyzer

A firewall analyzer that reads Palo Alto PAN-OS directly.

SAMURAI is a self-hosted Palo Alto firewall analyzer that reads PAN-OS configuration state: security policies, NAT rules, decryption policies, address and service objects, and VPN tunnels. Because it reads configuration instead of logs, it shows the live rulebase and correlates every change to it with the PAN-OS commit and the administrator who made it, alongside your Fortinet and Cisco estate.

Updated June 2026

What it reads from Palo Alto

Security policies

PAN-OS security rules with zones, addresses, services, and actions, searchable with server-side filtering across the whole rulebase.

NAT & decryption policies

Source and destination NAT plus SSL/TLS decryption policy, with address objects resolved to the real IPs they map to.

Objects, resolved to protocol/port

Predefined, custom, and grouped services resolved recursively, so a rule reads "service-https (tcp/443)", not a bare object name.

VPN visibility

IPSec tunnels, IKE gateways, GlobalProtect, and SSL-VPN sessions in the same view as the policies that govern them.

Commit-correlated change attribution

Every policy change detected from real device state and grouped by PAN-OS commit, so each diff is tied to the admin and the commit that produced it — no reliance on audit logs.

Multi-vendor context

Palo Alto sits beside Fortinet FortiGate, Cisco FMC/FTD, routers, switches, ACI, ISE, and vCenter: nine device types, one searchable dashboard.

How it compares to Palo Alto log analyzers

Tools that analyze Palo Alto traffic and threat logs tell you what traffic happened. SAMURAI reads PAN-OS configuration state — the policies, objects, and NAT themselves, plus every change to them.

Data source
SAMURAI: PAN-OS configuration read from the firewall
Palo Alto log analyzers: Traffic, threat, and system logs

Question answered
SAMURAI: What is the policy, and who committed what, when?
Palo Alto log analyzers: What traffic or threats were seen?

Scope
SAMURAI: Palo Alto plus FortiGate, Cisco, routers, switches, ACI, ISE, vCenter
Palo Alto log analyzers: Usually Palo Alto logs only

Deployment
SAMURAI: Single self-hosted Docker container, air-gap friendly
Palo Alto log analyzers: Log collector, SIEM, or SaaS pipeline

For traffic and threat-log analytics, a log analyzer or SIEM is the right fit. For PAN-OS policy visibility, object resolution, and commit-level change attribution across Palo Alto and everything around it, that is what SAMURAI is built for.

Frequently asked questions

How does SAMURAI read Palo Alto?

Over the PAN-OS XML API, read-only: security policies, NAT, decryption policies, address and service objects, and VPN configuration. No agent and no changes to the firewall.

Does it resolve Palo Alto service and address objects?

Yes. Predefined, custom, and grouped services are resolved recursively at sync time and shown with their protocol and port — for example "service-https (tcp/443)" — so you are not chasing object names.
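
The recursive resolution described above can be sketched as follows. This is an added example, not SAMURAI's own code: the sample XML is constructed, the root element name and the load, resolve and describe helpers are hypothetical, and the predefined services are seeded by hand on the assumption that they are not present in the device configuration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in PAN-OS service / service-group layout, not from a real device.
SAMPLE = """
<vsys-fragment>
  <service>
    <entry name="svc-app"><protocol><tcp><port>8443</port></tcp></protocol></entry>
    <entry name="svc-dns"><protocol><udp><port>53</port></udp></protocol></entry>
  </service>
  <service-group>
    <entry name="grp-web"><members><member>service-https</member><member>svc-app</member></members></entry>
    <entry name="grp-all"><members><member>grp-web</member><member>svc-dns</member><member>grp-loop</member><member>svc-missing</member></members></entry>
    <entry name="grp-loop"><members><member>grp-all</member></members></entry>
  </service-group>
</vsys-fragment>
"""
# Assumption: predefined services are absent from the config, so seed them here.
PREDEFINED = {"service-http": {"tcp/80", "tcp/8080"}, "service-https": {"tcp/443"}}

def load(xml_text):
    """Parse service objects and service groups into two lookup tables."""
    root = ET.fromstring(xml_text)
    services = {k: set(v) for k, v in PREDEFINED.items()}
    for e in root.findall("./service/entry"):
        services[e.get("name")] = {
            f"{proto.tag}/{part.strip()}" for proto in e.findall("./protocol/*")
            for part in proto.findtext("port", "").split(",") if part.strip()}
    groups = {e.get("name"): [m.text for m in e.findall("./members/member")]
              for e in root.findall("./service-group/entry")}
    return services, groups

def resolve(name, services, groups, _stack=()):
    """Return (ports, unresolved_names) for a service or service group."""
    if name in services:
        return set(services[name]), set()
    if name not in groups:
        return set(), {name}      # dangling reference: report it, do not guess
    if name in _stack:
        return set(), set()       # group cycle: this name is already being expanded
    ports, missing = set(), set()
    for member in groups[name]:
        p, m = resolve(member, services, groups, _stack + (name,))
        ports |= p
        missing |= m
    return ports, missing

def describe(name, services, groups):
    """Render a name the way the page shows it, e.g. service-https (tcp/443)."""
    ports, missing = resolve(name, services, groups)
    note = f" [unresolved: {', '.join(sorted(missing))}]" if missing else ""
    return f"{name} ({', '.join(sorted(ports))}){note}"
```

Surfacing dangling members and group cycles separately, rather than silently dropping them, matters during a rule review because either one means the rule's effective port set differs from what the object name suggests.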

Is this a Palo Alto log analyzer?

No — SAMURAI analyzes PAN-OS configuration state, not logs. For traffic and threat-log analytics, a SIEM or log tool is the right choice; SAMURAI focuses on the policy and its changes.

Can it attribute Palo Alto policy changes to an admin?

Yes. Changes are detected from real device state and grouped by PAN-OS commit, so each change is tied to the commit and the administrator who made it — without relying on the audit log.

Is there a free tier to evaluate?

Yes. A free test license ships with the SAMURAI Docker image on Docker Hub, no email required, so you can point it at your own Palo Alto firewall before talking to anyone.

How is it installed?

A single docker run on a VM that can reach your Palo Alto management interface. A typical deployment is serving data in about five minutes.
