https://live.paloaltonetworks.com/t5/general-topics/exporting-all-the-rules-and-sub-rules/m-p/525720#M108707 <P>Just to provide an update - support concluded the best way to export this information would be to manually export the security and NAT rules as CSV from every firewall GUI rather than going through Panorama.&nbsp;</P> <P>Logic being the firewall has the final set of all the rules including device specific rules so that will be the most "clean"</P> <P>&nbsp;</P> <P>Going through API - they were able to confirm the browser shouldn't output anything useful and one needs to go through Excel to potentially import the data.&nbsp; Since our setup has a self-signed certificate that Excel does not allow bypassing it seems like a dead end there.&nbsp;</P> <P>&nbsp;</P> <P>Also if you have any scripts or converters please share.&nbsp; I keep running into the post that says do a search you will find 4 or 5 and I can tell you it looks like the converter written in Python for PAN-OS 7 doesn't work with OS 10 configs.&nbsp; There is another Python one that seems to only work with device configs.&nbsp; &nbsp;</P> Tue, 03 Jan 2023 20:33:19 GMT AWongCA 2023-01-03T20:33:19Z https://live.paloaltonetworks.com/t5/general-topics/exporting-all-the-rules-and-sub-rules/m-p/525291#M108632 <P>I have been tasked with exporting all the rules from our Palo Altos for monthly review purposes.</P> <P>&nbsp;</P> <P>Panorama has shared rules as well as rules in each device group. Our firewalls have rules on them as well.</P> <P>&nbsp;</P> <UL> <LI>Support suggests using the PDF/CSV option on the shared rules. We have 10+ shared and sub device groups, and 20+ PA220s.&nbsp; Obviously this will work and will be a fantastic mess of CSV files but it will be good data. Tedious and mistake prone.&nbsp;</LI> <LI>I have looked into the API approach <A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PNutCAG" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PNutCAG</A>&nbsp;. I have a feeling this may be outdated with version 10 software.&nbsp;</LI> <LI>I have tried to convert the XML backup files using a powershell script I found here which worked but then I was informed we need to include the NAT rules as well</LI> </UL> Tue, 27 Dec 2022 23:38:44 GMT https://live.paloaltonetworks.com/t5/general-topics/exporting-all-the-rules-and-sub-rules/m-p/525291#M108632 AWongCA 2022-12-27T23:38:44Z https://live.paloaltonetworks.com/t5/general-topics/exporting-all-the-rules-and-sub-rules/m-p/525309#M108636 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/186829">@AWongCA</a>&nbsp;,</P> <P>&nbsp;</P> <P>thanks for sharing! sorting through csv files can be tedious. You should be able to use <A href="https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-panorama-api/get-started-with-the-pan-os-xml-api" target="_self">XML API.</A></P> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 28 Dec 2022 03:37:41 GMT https://live.paloaltonetworks.com/t5/general-topics/exporting-all-the-rules-and-sub-rules/m-p/525309#M108636 JayGolf 2022-12-28T03:37:41Z https://live.paloaltonetworks.com/t5/general-topics/exporting-all-the-rules-and-sub-rules/m-p/525720#M108707 <P>Just to provide an update - support concluded the best way to export this information would be to manually export the security and NAT rules as CSV from every firewall GUI rather than going through Panorama.&nbsp;</P> <P>Logic being the firewall has the final set of all the rules including device specific rules so that will be the most "clean"</P> <P>&nbsp;</P> <P>Going through API - they were able to confirm the browser shouldn't output anything useful and one needs to go through Excel to potentially import the data.&nbsp; Since our setup has a self-signed certificate that Excel does not allow bypassing it seems like a dead end there.&nbsp;</P> <P>&nbsp;</P> <P>Also if you have any scripts or converters please share.&nbsp; I keep running into the post that says do a search you will find 4 or 5 and I can tell you it looks like the converter written in Python for PAN-OS 7 doesn't work with OS 10 configs.&nbsp; There is another Python one that seems to only work with device configs.&nbsp; &nbsp;</P> Tue, 03 Jan 2023 20:33:19 GMT https://live.paloaltonetworks.com/t5/general-topics/exporting-all-the-rules-and-sub-rules/m-p/525720#M108707 AWongCA 2023-01-03T20:33:19Z