https://live.paloaltonetworks.com/t5/panorama-discussions/removal-of-targets-from-policy/m-p/612188#M2556 <P>I have a number of firewalls managed in Panorama that are to be decommissioned.</P> <P>&nbsp;</P> <P>Some of these firewalls are in Device Groups with several thousand policy entries.&nbsp; Annoyingly they have been assigned the firewalls in the target column.</P> <P>&nbsp;</P> <P>Does anyone have a documented method as to how to remove targets from a Device Group in Panorama quickly and/or efficiently?</P> <P>&nbsp;</P> <P>Regards</P> Tue, 22 Oct 2024 13:36:56 GMT GrantCampbell4 2024-10-22T13:36:56Z https://live.paloaltonetworks.com/t5/panorama-discussions/removal-of-targets-from-policy/m-p/612188#M2556 <P>I have a number of firewalls managed in Panorama that are to be decommissioned.</P> <P>&nbsp;</P> <P>Some of these firewalls are in Device Groups with several thousand policy entries.&nbsp; Annoyingly they have been assigned the firewalls in the target column.</P> <P>&nbsp;</P> <P>Does anyone have a documented method as to how to remove targets from a Device Group in Panorama quickly and/or efficiently?</P> <P>&nbsp;</P> <P>Regards</P> Tue, 22 Oct 2024 13:36:56 GMT https://live.paloaltonetworks.com/t5/panorama-discussions/removal-of-targets-from-policy/m-p/612188#M2556 GrantCampbell4 2024-10-22T13:36:56Z https://live.paloaltonetworks.com/t5/panorama-discussions/removal-of-targets-from-policy/m-p/614118#M2565 <P>We've had a scenario where we had to change hundreds of rules from targeting specific firewalls to target 'any'.</P> <P>In Panorama CLI you can use:<BR />#show | match "target devices &lt;serial&gt;</P> <P><BR />This will get you an output of 1000s of policies with that firewall as a target.</P> <P>#set device-group &lt;deviceGroup&gt; post-rulebase security rules &lt;ruleName&gt; target devices &lt;serial&gt; vsys vsys&lt;X&gt;</P> <P>&nbsp;</P> <P>Using that output you can edit in notepad to be for example: (really just need to change set to delete and remove the trailing vsys vsysX)</P> <P>#delete device-group &lt;deviceGroup&gt; post-rulebase security rules &lt;ruleName&gt; target devices &lt;serial&gt;</P> <P>&nbsp;</P> <P>If you get rid of all firewall targets on a rule, the rule target reverts to 'any' which sounds like what you're after.</P> <P>Bang the thousands of lines into CLI, if you haven't already, you may need to use the 'set cli config-output-format set' command&nbsp;</P> <P>&nbsp;</P> <P>Hope this helps</P> Thu, 24 Oct 2024 00:57:12 GMT https://live.paloaltonetworks.com/t5/panorama-discussions/removal-of-targets-from-policy/m-p/614118#M2565 chris.short 2024-10-24T00:57:12Z https://live.paloaltonetworks.com/t5/panorama-discussions/removal-of-targets-from-policy/m-p/614120#M2566 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/185420">@GrantCampbell4</a> ,</P> <P>&nbsp;</P> <P>Simplifying what <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/102192">@chris.short</a> said:</P> <P>&nbsp;</P> <LI-CODE lang="markup">user@panorama&gt; set cli config-output-format set user@panorama&gt; configure user@panorama# show | match "target devices &lt;serial&gt;"</LI-CODE> <P>&nbsp;</P> <P>Copy output to notepad.&nbsp; Replace 'set' with 'delete' and paste into the CLI.&nbsp; The docs say if you want to paste more than 20 lines at a time, use the 'set cli scripting-mode on' command in operational mode.&nbsp; Then turn it off with 'set cli scripting-mode off'.</P> <P>&nbsp;</P> <P>You can omit the S/N in the show command to see all of the targets in the configuration.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> Thu, 24 Oct 2024 01:32:33 GMT https://live.paloaltonetworks.com/t5/panorama-discussions/removal-of-targets-from-policy/m-p/614120#M2566 TomYoung 2024-10-24T01:32:33Z