Blog
Automating PAN-OS CLI Setup with a SecureCRT Login Script

Automating PAN-OS CLI Setup with a SecureCRT Login Script

February 26, 2026

Generally speaking, I consider myself a command-line-first person. And I’m a long-time fan of login scripts. As someone who spends a decent amount of time at the PAN-OS CLI, I thought it might be useful to share my SecureCRT script that runs every time I login to a Palo Alto Networks firewall. 4 quick commands that run without having to think about it. This login script can be adapted to other Terminal Emulation/SSH Clients out there.

What the commands do

set cli terminal width 190 — Increases the line width before wrapping. The default is narrow enough to make things like routing tables and long security policy rules wrap awkwardly. Setting this to 190 keeps output clean and readable. I use 190 because that’s the width of my SecureCRT window — adjust this to match your own terminal width.

set cli terminal height 50 — Sets the number of lines displayed before the --More-- prompt interrupts output. Bumping this up means less pagination interruption when reviewing long outputs. 50 is the height of my SecureCRT window — set this to whatever your terminal height is.

set cli terminal type linux — This is the one that fixes the various key annoyances and wonky screen output. Setting this to linux (and matching in SecureCRT) fixes all of the classic terminal emulation issues.

set cli config-output-format set — Changes configuration output from PAN-OS’s default, human-barely-readable format (XML) to individual set commands. This makes it dramatically easier to copy config snippets, document changes, and understand exactly what’s configured.

The SecureCRT login script

Save the following as a .py file somewhere on your machine (e.g. panos_login.py):

# $language = "python"
# $interface = "1.0"

def main():
    # screen sync command needed to wait for strings
    crt.Screen.Synchronous = True
    # wait until the login prompt shows up
    crt.Screen.WaitForStrings ([ "#", ">"])
    # send commands and a \n for return
    crt.Screen.Send ("set cli terminal width 190")
    crt.Screen.Send ( "\n")
    crt.Screen.Send ("set cli terminal height 50")
    crt.Screen.Send ( "\n")
    crt.Screen.Send ("set cli terminal type linux")
    crt.Screen.Send ( "\n")
    crt.Screen.Send ("set cli config-output-format set")
    crt.Screen.Send ( "\n")
    # screen sync command no longer needed
    crt.Screen.Synchronous = False
main()

Setting it up in SecureCRT

  1. Right-click your firewall session in the Session Manager and choose Edit Session
  2. Navigate to Connection → Logon Actions
  3. Under Login Script, check Run Script and browse to your saved .py file
  4. Click OK

The next time you connect, SecureCRT will wait for the firewall prompt (# or >) and then send all four commands automatically before handing control back to you.

Derek del Barrio is CEO and Lead Systems Engineer at Solid Border. He’s spent over 25 years in IT security and has had a soft spot for Palo Alto Networks firewalls since 2009.

Bing, Google, and YouTube Safe Search