https://live.paloaltonetworks.com/t5/general-topics/adding-nat-rule-order-in-panorama-cli/m-p/123640#M46238 <P>Hi all,</P><P>&nbsp;</P><P>I am looking to add around 60+ NAT rules for monitoring over IPsec that requires a policy NAT. I need to have them above another rule in the list for it to work. It is a very messy NAT list that I don't have the freedom to clean up. The NAT entries are being added to a device group in Panorama.</P><P>&nbsp;</P><P>Thanks in advance,</P><P>&nbsp;</P><P>Danny</P> Thu, 03 Nov 2016 13:55:17 GMT ixnneteng 2016-11-03T13:55:17Z https://live.paloaltonetworks.com/t5/general-topics/adding-nat-rule-order-in-panorama-cli/m-p/123640#M46238 <P>Hi all,</P><P>&nbsp;</P><P>I am looking to add around 60+ NAT rules for monitoring over IPsec that requires a policy NAT. I need to have them above another rule in the list for it to work. It is a very messy NAT list that I don't have the freedom to clean up. The NAT entries are being added to a device group in Panorama.</P><P>&nbsp;</P><P>Thanks in advance,</P><P>&nbsp;</P><P>Danny</P> Thu, 03 Nov 2016 13:55:17 GMT https://live.paloaltonetworks.com/t5/general-topics/adding-nat-rule-order-in-panorama-cli/m-p/123640#M46238 ixnneteng 2016-11-03T13:55:17Z https://live.paloaltonetworks.com/t5/general-topics/adding-nat-rule-order-in-panorama-cli/m-p/123896#M46255 <P>Hi Danny,</P><P>&nbsp;</P><P>As I understand, in short, you want to add 60+ NAT rule to be above an existing rule.</P><P>&nbsp;</P><P>If that is the situation, you can configure the new NAT rules, and after you are done, clone this existing NAT rule, you can choose to have the new cloned rule to be after any rule you specify. After you clone it, delete old one.</P><P>&nbsp;</P><P>Hope this helps,</P><P>Haytham</P> Thu, 03 Nov 2016 22:17:41 GMT https://live.paloaltonetworks.com/t5/general-topics/adding-nat-rule-order-in-panorama-cli/m-p/123896#M46255 hzayed 2016-11-03T22:17:41Z https://live.paloaltonetworks.com/t5/general-topics/adding-nat-rule-order-in-panorama-cli/m-p/124112#M46277 <P>That would be the proper way to do it. I don't believe that you can actually do this automatically in the CLI, it's something that you have to modify after.&nbsp;</P><P>I really wouldn't clone your existing rule and move it, just move the NAT rule that you need above the new ones.&nbsp;</P> Fri, 04 Nov 2016 14:31:41 GMT https://live.paloaltonetworks.com/t5/general-topics/adding-nat-rule-order-in-panorama-cli/m-p/124112#M46277 BPry 2016-11-04T14:31:41Z https://live.paloaltonetworks.com/t5/general-topics/adding-nat-rule-order-in-panorama-cli/m-p/124229#M46293 <P>You can re-order using the CLI but you can't create rules with sequence numbers to place them where you want in the policy. (That would be a nice feature)</P><P>So if you really wanted to get the rules in order as you go, you would have to use a 'move' command after creating each nat rule.</P><P>Maybe something like this, depending on what order you want things in.</P><P>set device-group &lt;groupname&gt; pre-rulebase nat rules NAT1 .......</P><P>move device-group &lt;groupname&gt; pre-rulebase nat rules NAT1 before CURRENTNAT (or you could use 'top' instead of 'before' if you want it first)</P><P>set device-group &lt;groupname&gt; pre-rulebase nat rules NAT2 .......</P><P>move device-group &lt;groupname&gt; pre-rulebase nat rules NAT2 before CURRENTNAT (or you could use 'after NAT1' if you want it beneath)</P> Fri, 04 Nov 2016 21:27:12 GMT https://live.paloaltonetworks.com/t5/general-topics/adding-nat-rule-order-in-panorama-cli/m-p/124229#M46293 RFalconer 2016-11-04T21:27:12Z