topic Re: PAN CLI: Verifying Service Object Existence and Adding New Service Objects in General Topics https://live.paloaltonetworks.com/t5/general-topics/pan-cli-verifying-service-object-existence-and-adding-new/m-p/152965#M50527 <P>so I'll indirectly answer this question and hopefully this will rock your world.</P><P>&nbsp;</P><PRE># show</PRE><P>will display the candidate configuration, but by default, it's in XML format. so _outside_ of configure mode (for some reason), run the following command:</P><P>&nbsp;</P><PRE>set cli config-output-format set</PRE><P>that will set the show output to set commands. now when you run show in configure mode, you will see each entry in a clear, easy to use CLI syntax. You can actually use the service parameter to see just the services.</P><P>&nbsp;</P><PRE>admin@PA-220# show service set service service-https-mgmt protocol tcp port 4443 set service service-ssh protocol tcp port 22 set service service-plex protocol tcp port 32400</PRE><P>not only does this show you all the custom services (note the predefined service-http and service-https are not displayed), but it gives you the exact syntax to add additional ones via the CLI. If you have a lot of services, you can also supplement the command with | match &lt;filter&gt; at the end so it shows only matching service objects.</P><P>&nbsp;</P><PRE>admin@PA-220# show service | match "tcp port 22" set service service-ssh protocol tcp port 22</PRE><P>so to answer your questions, if you create a service object with the same name as an existing one, it will let you and just overwrite the existing object's values. if you create a new service object with a different name but the same protocol/port, it also well let you.</P><P>&nbsp;</P><P>my sage advice is to keep it simple and develop an administrative policy so that service objects are simply named for their protocol/port, such as tcp_22. using app names like I have before helps read better, but unless I also plan to have a service-sftp object, I'm just going to create a lot of unncessary 'duplicate' objects.</P> Tue, 18 Apr 2017 01:51:58 GMT bradk14 2017-04-18T01:51:58Z PAN CLI: Verifying Service Object Existence and Adding New Service Objects https://live.paloaltonetworks.com/t5/general-topics/pan-cli-verifying-service-object-existence-and-adding-new/m-p/152949#M50524 <P>I am starting to&nbsp;do more work via the CLI such as security rules. How can I check if a service object already exists using the CLI? And if it does not exist how do I add the service object to I can use it in my security rule?</P><P>&nbsp;</P><P>If I try to add a service object and the name already exists will the PAN warn me and not all that to be input?</P><P>What if the protocol and port are already represented by another service object name?</P><P>&nbsp;</P><P>Thank you.</P> Tue, 18 Apr 2017 00:18:39 GMT https://live.paloaltonetworks.com/t5/general-topics/pan-cli-verifying-service-object-existence-and-adding-new/m-p/152949#M50524 palomed 2017-04-18T00:18:39Z Re: PAN CLI: Verifying Service Object Existence and Adding New Service Objects https://live.paloaltonetworks.com/t5/general-topics/pan-cli-verifying-service-object-existence-and-adding-new/m-p/152965#M50527 <P>so I'll indirectly answer this question and hopefully this will rock your world.</P><P>&nbsp;</P><PRE># show</PRE><P>will display the candidate configuration, but by default, it's in XML format. so _outside_ of configure mode (for some reason), run the following command:</P><P>&nbsp;</P><PRE>set cli config-output-format set</PRE><P>that will set the show output to set commands. now when you run show in configure mode, you will see each entry in a clear, easy to use CLI syntax. You can actually use the service parameter to see just the services.</P><P>&nbsp;</P><PRE>admin@PA-220# show service set service service-https-mgmt protocol tcp port 4443 set service service-ssh protocol tcp port 22 set service service-plex protocol tcp port 32400</PRE><P>not only does this show you all the custom services (note the predefined service-http and service-https are not displayed), but it gives you the exact syntax to add additional ones via the CLI. If you have a lot of services, you can also supplement the command with | match &lt;filter&gt; at the end so it shows only matching service objects.</P><P>&nbsp;</P><PRE>admin@PA-220# show service | match "tcp port 22" set service service-ssh protocol tcp port 22</PRE><P>so to answer your questions, if you create a service object with the same name as an existing one, it will let you and just overwrite the existing object's values. if you create a new service object with a different name but the same protocol/port, it also well let you.</P><P>&nbsp;</P><P>my sage advice is to keep it simple and develop an administrative policy so that service objects are simply named for their protocol/port, such as tcp_22. using app names like I have before helps read better, but unless I also plan to have a service-sftp object, I'm just going to create a lot of unncessary 'duplicate' objects.</P> Tue, 18 Apr 2017 01:51:58 GMT https://live.paloaltonetworks.com/t5/general-topics/pan-cli-verifying-service-object-existence-and-adding-new/m-p/152965#M50527 bradk14 2017-04-18T01:51:58Z Re: PAN CLI: Verifying Service Object Existence and Adding New Service Obje https://live.paloaltonetworks.com/t5/general-topics/pan-cli-verifying-service-object-existence-and-adding-new/m-p/353148#M87284 <P>Simple way to check service-groups or services</P><P>&nbsp;</P><P>type configure</P><P>show service-group (name of the group)</P> Wed, 30 Sep 2020 21:39:21 GMT https://live.paloaltonetworks.com/t5/general-topics/pan-cli-verifying-service-object-existence-and-adding-new/m-p/353148#M87284 Faraz_Iqbal 2020-09-30T21:39:21Z