[Day #54 Pyats Series] NETCONF validation for Cisco/Arista/Paloalto/Fortigate using pyATS for Cisco [Python for Network Engineer]

Introduction on the Key Points

In the network automation world, NETCONF stands out as a powerful protocol to manage network devices in a structured, model-driven way. It uses YANG data models over SSH, providing fine-grained control, consistency, and programmability.

In today’s post of our “101 Days of pyATS (Vendor-Agnostic)” series, we explore how to validate NETCONF functionality across Cisco, Arista, Palo Alto, and Fortigate using Cisco’s pyATS framework. Whether you’re automating device configurations or validating API readiness in production, this NETCONF check is a must-have in your toolkit.

This tutorial is especially curated for those following Python for Network Engineer tracks, where vendor-agnostic testing and real-time validation are key.


Topology Overview

We’re using a basic lab topology with four multi-vendor devices and one automation host running pyATS.

All connections are made over SSH (TCP/830) or custom ports, depending on the vendor.


Topology & Communications

Here’s how devices interact over NETCONF:

Vendor        | Protocol | Port | Auth Method       | NETCONF Support
Cisco IOS-XE  | SSH      | 830  | Username/Password | Native via netconf-yang
Arista EOS    | SSH      | 830  | Username/Password | EOS 4.20+ with openconfig
Palo Alto     | SSH      | 830  | Username/Password | Enabled via API settings
Fortigate     | SSH      | 830  | Username/Password | Must enable via CLI

Workflow Script (Vendor-Agnostic NETCONF Validation using pyATS)

Here’s a unified Python script to validate NETCONF session establishment on all 4 platforms:

from genie.testbed import load
from ncclient import manager
import logging

# Suppress unwanted logging from ncclient's SSH transport layer
logging.getLogger("ncclient.transport.session").setLevel(logging.CRITICAL)

# Load testbed (pyATS parses the YAML and stores connection IPs as ipaddress objects)
testbed = load('testbed.yml')

# Device list: names must match the device keys in testbed.yml
devices = ['cisco_iosxe', 'arista_eos', 'palo_alto', 'fortigate']

for dev_name in devices:
    device = testbed.devices[dev_name]
    nc = device.connections.netconf
    ip = str(nc.ip)          # str(): pyATS loads the address as an IPv4Address, ncclient needs a string
    port = nc.port
    username = nc.username
    password = nc.password

    print(f"\nTesting NETCONF on: {dev_name.upper()} ({ip}:{port})")

    try:
        with manager.connect(
            host=ip,
            port=port,
            username=username,
            password=password,
            hostkey_verify=False,   # lab setting: skips SSH host-key checking (keep it enabled in production)
            allow_agent=False,      # don't offer keys from a running ssh-agent
            look_for_keys=False,    # don't search ~/.ssh for keys; password auth only
            timeout=10              # seconds to wait for the SSH/NETCONF session to come up
        ) as m:
            print(f"[SUCCESS] Connected to {dev_name}")
            print("Server Capabilities:")
            for cap in m.server_capabilities:   # capability URIs advertised in the server's <hello>
                print(f" - {cap}")
    except Exception as e:
        print(f"[FAIL] Could not connect to {dev_name}: {e}")

Explanation by Line

  • from genie.testbed import load: Loads your structured testbed YAML file.
  • from ncclient import manager: ncclient is the Python library for NETCONF operations.
  • devices = [...]: A list of all vendor devices to iterate over.
  • manager.connect(...): Establishes a NETCONF session over SSH using the credentials from the testbed.
  • server_capabilities: Lists the YANG models and NETCONF operations supported by the device.

This script can be extended to validate specific YANG modules or configuration changes.
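One way to extend the loop into a real check is to parse the capability URIs that `m.server_capabilities` returns and assert that each device advertises the YANG modules and NETCONF features your automation depends on. The code below is an added example, not part of the original post or of pyATS/ncclient: it runs offline on a constructed capability list (shaped like a trimmed IOS-XE hello), and the per-vendor requirement sets in REQUIRED are assumptions you would tailor to your own devices. In the loop above you would call `check_capabilities(list(m.server_capabilities), REQUIRED[device.os]["modules"], REQUIRED[device.os]["features"])`.

```python
"""Check a NETCONF server's advertised capabilities against a requirement list.
Added example (not from the original post); runs offline on constructed data."""
from urllib.parse import parse_qs

# Constructed sample resembling a trimmed <hello> capability list from an IOS-XE device
SAMPLE_CAPS = [
    "urn:ietf:params:netconf:base:1.0",
    "urn:ietf:params:netconf:base:1.1",
    "urn:ietf:params:netconf:capability:writable-running:1.0",
    "urn:ietf:params:netconf:capability:candidate:1.0",
    "urn:ietf:params:netconf:capability:rollback-on-error:1.0",
    "urn:ietf:params:xml:ns:yang:ietf-interfaces?module=ietf-interfaces&revision=2014-05-08",
    "http://openconfig.net/yang/interfaces?module=openconfig-interfaces&revision=2018-11-21",
]

# Assumed per-OS requirements (keys match the `os:` values in testbed.yml); adjust for your estate
REQUIRED = {
    "iosxe": {"modules": ["ietf-interfaces", "openconfig-interfaces"],
              "features": ["candidate", "rollback-on-error"]},
    "eos":   {"modules": ["openconfig-interfaces"], "features": ["writable-running"]},
}


def parse_capability(uri):
    """Split a capability URI into (namespace, module name, revision); module/revision may be None."""
    base, _, query = uri.partition("?")
    params = parse_qs(query)
    module = params.get("module", [None])[0]
    revision = params.get("revision", [None])[0]
    return base, module, revision


def advertised_modules(caps):
    """Map YANG module name -> revision for every module URI in the capability list."""
    modules = {}
    for uri in caps:
        _, module, revision = parse_capability(uri)
        if module:
            modules[module] = revision
    return modules


def check_capabilities(caps, required_modules, required_features=()):
    """Return a report: base:1.1 support, missing modules, missing NETCONF features, overall ok flag."""
    caps = set(caps)
    modules = advertised_modules(caps)
    report = {
        "base_1_1": "urn:ietf:params:netconf:base:1.1" in caps,
        "missing_modules": [m for m in required_modules if m not in modules],
        # NETCONF features are advertised as urn:ietf:params:netconf:capability:<name>:1.0
        "missing_features": [f for f in required_features
                             if f"urn:ietf:params:netconf:capability:{f}:1.0" not in caps],
    }
    report["ok"] = not (report["missing_modules"] or report["missing_features"])
    return report


if __name__ == "__main__":
    req = REQUIRED["iosxe"]
    print(check_capabilities(SAMPLE_CAPS, req["modules"], req["features"]))
```

Checking for `rollback-on-error` and `candidate` is how you confirm, per device, the atomic-transaction behaviour the FAQ below attributes to NETCONF, rather than assuming every vendor advertises it.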


testbed.yml Example

devices:
  cisco_iosxe:
    os: iosxe
    type: router
    connections:
      netconf:
        protocol: ssh
        ip: 192.168.1.10
        port: 830
        username: admin
        password: cisco123

  arista_eos:
    os: eos
    type: switch
    connections:
      netconf:
        protocol: ssh
        ip: 192.168.1.11
        port: 830
        username: admin
        password: arista123

  palo_alto:
    os: panos
    type: firewall
    connections:
      netconf:
        protocol: ssh
        ip: 192.168.1.12
        port: 830
        username: admin
        password: palo123

  fortigate:
    os: fortios
    type: firewall
    connections:
      netconf:
        protocol: ssh
        ip: 192.168.1.13
        port: 830
        username: admin
        password: forti123

Post-validation CLI Screenshots (Real Expected Output)

Cisco IOS-XE

R1# show running-config | include netconf
netconf-yang

Arista EOS

arista# show management api netconf
Netconf is running.

Palo Alto

> show netconf
Status: enabled
Port: 830

Fortigate

config system global
set netconf enable
end

get system status | grep netconf

Once these settings are confirmed, pyATS + ncclient should successfully connect and validate NETCONF.


FAQs

1. What is NETCONF and why is it important in multi-vendor environments?

NETCONF (Network Configuration Protocol) is a network management protocol defined in RFC 6241 that enables reliable and secure configuration management via a client-server model over SSH.

Key Benefits:

  • Leverages YANG data models for configuration/state management
  • Ensures atomic transactions (rollback support)
  • Supports multi-vendor automation
  • Compatible with Cisco IOS-XE/XR, Arista EOS, Palo Alto NGFWs (PanOS 9+), FortiGate (limited YANG support)

For network automation engineers, NETCONF is essential when using structured APIs to maintain configuration consistency and extract operational data programmatically.


2. How do I enable NETCONF on Cisco, Arista, Palo Alto, and FortiGate devices?

Vendor        | NETCONF Enable Command
Cisco IOS-XE  | conf t -> netconf-yang
Cisco IOS-XR  | ssh server v2 + netconf agent tty
Arista EOS    | management api netconf
Palo Alto     | Enabled by default on HTTPS port 443; accessible via https://<fw>/api (API key)
FortiGate     | Requires FortiOS 6.2+ and enabling YANG/NETCONF via config system global

Note: Palo Alto exposes configuration via XML API (not pure NETCONF, but YANG-based structure applies). Fortinet support is limited; check specific model/YANG support.


3. What are typical validation tasks performed using NETCONF?

You can validate the following across vendors using NETCONF:

  • Hostname, interfaces, and routing state
  • Interface counters and IPs
  • ACLs and policy configurations
  • Platform hardware (CPU/Memory)
  • Configuration differences between baseline and current

In multi-vendor pipelines, NETCONF ensures uniform, structured data consumption via XML/YANG, which can be parsed using pyATS/Genie or Python’s ncclient.


4. What tools or libraries are used to perform NETCONF validation programmatically?

Most common Python tools:

  • ncclient: NETCONF client to send/get/modify configurations
  • pyats / Genie: Built-in support for parsing and modeling NETCONF output
  • lxml or xmltodict: Convert XML response to JSON/dictionaries
  • yang-explorer, confd, or Postman with XML: For schema exploration

Sample Python snippet using ncclient:

from ncclient import manager

# hostkey_verify=False skips SSH host-key checking; acceptable in a lab, keep it enabled in production
with manager.connect(host='10.10.10.1', port=830, username='admin',
                     password='admin123', hostkey_verify=False) as m:
    # Retrieve the whole running configuration as an XML string
    running = m.get_config(source='running').data_xml
    print(running)

5. How does NETCONF response differ between Cisco, Arista, Palo Alto, and FortiGate?

Vendor     | Response Format                                        | Comments
Cisco      | Full YANG-compliant XML                                | Native + OpenConfig support
Arista     | XML, compliant with OpenConfig and EOS-native models   | Clean and predictable
Palo Alto  | XML, API-like structure                                | Not full NETCONF, but structured XML
FortiGate  | Limited XML/YANG response                              | Requires firmware 6.2+, varies by model

This makes normalization necessary in vendor-agnostic platforms — pyATS/Genie helps map different formats to a common structure.


6. What are common issues during NETCONF validation and how do I troubleshoot them?

Issue               | Cause                               | Resolution
Connection refused  | NETCONF service not enabled         | Enable NETCONF/YANG under global config
Timeout error       | SSH port (830) blocked              | Allow TCP/830 in firewall or ACLs
RPC Error           | Invalid filter or malformed XML     | Validate XML/YANG filter syntax
Empty response      | Incorrect model or no data present  | Verify YANG model compatibility and filter scope

Use tools like ncclient, telnet <device> 830, or show netconf-yang sessions (Cisco) for validation.


7. Can I validate device configuration/state using pyATS with NETCONF?

Yes — pyATS can work with:

  • Device testbed with protocol: netconf
  • Custom test scripts or Genie parsers
  • Schema-based validation using XML/YANG

Example: Testbed snippet for NETCONF in pyATS:

devices:
  cisco-xe-1:
    os: iosxe
    type: router
    connections:
      netconf:
        protocol: netconf
        ip: 10.10.10.1
        port: 830
        username: admin
        password: admin123

Use genie learn with NETCONF to fetch stateful details and compare across devices.


8. How does NETCONF compare to RESTCONF and gNMI in modern network automation?

Feature           | NETCONF                              | RESTCONF                  | gNMI
Transport         | SSH (port 830)                       | HTTPS (port 443)          | gRPC
Data Format       | XML                                  | JSON/XML                  | ProtoBuf
Vendor Support    | Wide (Cisco, Arista, Palo Alto)      | Medium (Cisco, Arista)    | Growing (Arista, Nokia)
State Management  | Yes (atomic ops, locks)              | Limited                   | Yes
Ideal Use-Case    | Structured config, legacy + modern   | Web/Cloud automation      | Streaming telemetry, model-driven ops

NETCONF is best suited for structured config/state tasks across traditional + programmable environments.


YouTube Link

Watch the Complete Python for Network Engineer: NETCONF validation for Cisco/Arista/Paloalto/Fortigate using pyATS for Cisco Lab Demo & Explanation on our channel:

Master Python Network Automation, Ansible, REST API & Cisco DevNet

Join Our Training

Want to master Python for Network Engineer along with DevNet APIs like NETCONF, RESTCONF, Ansible, pyATS, and multi-vendor automation?

Join our 3-month instructor-led course conducted by Trainer Sagar Dhawan (14+ years experience) and become industry-ready for network automation roles.

Learn complete workflows, real device labs (Cisco, Arista, Palo Alto, Fortigate), and automate like a pro!

View full syllabus here:
https://course.networkjourney.com/python-ansible-api-cisco-devnet-for-network-engineers/

This course is tailored for Python for Network Engineer enthusiasts like you who want to automate confidently across vendors.

Enroll Now & Future‑Proof Your Career
Email: info@networkjourney.com
WhatsApp / Call: +91 97395 21088