https://live.paloaltonetworks.com/t5/next-generation-firewall/script-for-pulling-disabled-rule-in-set-format/m-p/1235531#M6171 <P>Hi Team&nbsp;<BR />I am trying to pull the details of disabled rule in set format. I am using pan-sdk .<BR />I can pull the complete list but not able to retrieve only rule which are disabled.<BR />And is to possible to pull rule in "set" format or need to use XML API ?<BR /><BR />Any pointer will help here.<BR /><BR />Thanks,</P> <P>Deepak</P> Wed, 06 Aug 2025 14:24:10 GMT D.Verma502651 2025-08-06T14:24:10Z https://live.paloaltonetworks.com/t5/next-generation-firewall/script-for-pulling-disabled-rule-in-set-format/m-p/1235531#M6171 <P>Hi Team&nbsp;<BR />I am trying to pull the details of disabled rule in set format. I am using pan-sdk .<BR />I can pull the complete list but not able to retrieve only rule which are disabled.<BR />And is to possible to pull rule in "set" format or need to use XML API ?<BR /><BR />Any pointer will help here.<BR /><BR />Thanks,</P> <P>Deepak</P> Wed, 06 Aug 2025 14:24:10 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/script-for-pulling-disabled-rule-in-set-format/m-p/1235531#M6171 D.Verma502651 2025-08-06T14:24:10Z https://live.paloaltonetworks.com/t5/next-generation-firewall/script-for-pulling-disabled-rule-in-set-format/m-p/1236273#M6223 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/1466448807">@D.Verma502651</a>&nbsp;,&nbsp;</P> <P>There is one "quick and dirty" way to achieve what you want, without any scripting or API.</P> <P>Little fun facts first:<BR />- PanOS is utilizing the "less" pager when showing any file (being log or config file)</P> <P>- less has a build-in feature that allow you to show only the lines of the file which match a given pattern -&nbsp;<A href="https://man7.org/linux/man-pages/man1/less.1.html" target="_blank">https://man7.org/linux/man-pages/man1/less.1.html</A>&nbsp;</P> <BLOCKQUOTE><HR /> <PRE> &amp;pattern Display o<STRONG>nly lines which match the pattern</STRONG>; lines which do not match the pattern are not displayed. If pattern is empty (if you type &amp; immediately followed by ENTER), any filtering is turned off, and all lines are displayed. While filtering is in effect, an ampersand is displayed at the beginning of the prompt, as a reminder that some lines in the file may be hidden. Multiple &amp; commands may be entered, in which case only lines which match all of the patterns will be displayed.</PRE> <BR /><HR /></BLOCKQUOTE> <P>In a nutshell you have "grep" capabilities for the config file right in the firewall.</P> <P>&nbsp;</P> <P>Armed with this information you could:</P> <P>1. Login to Firewall/Panorama CLI</P> <P>2. Set the config output to set</P> <LI-CODE lang="markup">user@My-PAN-FW&gt; set cli config-output-format set</LI-CODE> <P>3. Enter configure mode and climb the configuration&nbsp;hierarchy</P> <LI-CODE lang="markup"># For Panorama [edit] user@My-Panorama# edit device-group My-PAN-FW pre-rulebase security [edit device-group My-PAN-FW pre-rulebase security] user@MY-Panorama# show # For Firewall [edit] user@My-PAN-FW# edit rulebase security [edit rulebase security] user@My-PAN-FW# show</LI-CODE> <P>4. As your firewall policy is longer than your terminal the output will be presented by the "less". While inside "less" you enter the "&amp;" followed by the pattern you search. In your case you look for all rules that are disabled&nbsp;</P> <LI-CODE lang="markup">&amp;disabled\ yes</LI-CODE> <P>Above will return all lines where the "disabled yes" is found. Since the output is in set format the name of the firewall rule will be in the same line.</P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 19 Aug 2025 22:13:16 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/script-for-pulling-disabled-rule-in-set-format/m-p/1236273#M6223 aleksandar.astardzhiev 2025-08-19T22:13:16Z