topic Log forwarding profile in all security policies in General Topics

Log forwarding profile in all security policies

Javith_Ali — Wed, 14 Mar 2018 16:20:56 GMT

Is there any other way to configure Log forwarding profile in all 300+ security policies in single shot.

currently there is no log forwarding profile in all 300+ policies.

So below method is not applicable:

Not through web interface but you can export config out.

It is one single xml file.

Device > Setup > Operations > Export configuration version

Pick latest one from dropdown and click ok.

Then open this xml in your favourite text editor.

Find area between:

<rule base>

<security>

<rules>

and

</rules>

</security>

Everywhere you see "</entry>" and log-setting config does not precede:

Then replace this with:

<log-setting>Log-Forwarding-Policy</log-setting>

</entry>

Re: Log forwarding profile in all security policies

BPry — Wed, 14 Mar 2018 20:14:37 GMT

@Javith_Ali,

Is there a specific reason why you can't export the XML and modify it manually? That would be a fairly logical conclussion for what you are looking to do, and would honestly take the least amount of time. This is something you could script, but you would need to collect all of the security policy names to actually write that script.

Re: Log forwarding profile in all security policies

Remo — Wed, 14 Mar 2018 22:09:43 GMT

Other possibilities:

Script that first gets all existing rules and you then set the log forwarding profile with a foreach-loop in all existing rules
Issue the cli command "set cli config-output-format set", go into config mode, show the security rulebase and include match statement like source zone. This will show you a list with your rules which you can copy to a text editor to replace all source zone parts with "log-setting LOGFORWADRINGPROFILENAME". And finally paste all these commands into the cli and commit

@Javith_Ali it's now up to you which way to go...

Re: Log forwarding profile in all security policies

Raido_Rattameister — Thu, 22 Mar 2018 18:29:48 GMT

This link might give you some hints.

In your case you need to get list of rules like @Remo menioned and go from there.

https://live.paloaltonetworks.com/t5/General-Topics/Changing-Profiles-assigned-to-security-Rule/m-p/79284/highlight/true#M43228

Re: Log forwarding profile in all security policies

SteveKrall — Mon, 28 May 2018 18:55:30 GMT

Another option would be to dump config in "set format" to see the actual cli command. I suggest adding the log forward option to at least 1 policy so you have a reference cli command. Then you can sve this as a csv file. Then sort the relevant data and delete everything else. Then add the missing syntax. Then convert the csv back to text and paste as cli. But PAN script mode gets flaky if you paste more than 50 lines at a time. I wish they would fix that. This is why they like to merge portions of the xml file because script mode is unreliable for large pastes.

Re: Log forwarding profile in all security policies

cramman — Wed, 30 May 2018 16:07:42 GMT

Haven't seen this answer yet so needed to reply..

Migration Tool!!! (or Expedition as it's called now)

This is one of the best things about the tool - batch rule changes.

Setting Security Profiles on all rules, Log Forwarding, etc

Connect the FW (or Panorama) to the Migration Tool, ingest policies, multi-rule edit, then API push the rules back to Firewall.

Validate policies.

Commit!

Re: Log forwarding profile in all security policies

p768 — Tue, 19 Jun 2018 10:13:34 GMT

the pan-c tool will also allow you to do this.

https://github.com/cpainchaud/pan-configurator

Use the rules-edit function to update all your rules with the new log profile.

Re: Log forwarding profile in all security policies

CHammock — Fri, 08 Mar 2019 11:16:50 GMT

FYI, if you name the profile "default" all new security rules will apply the profile automatically. Same goes for security profile groups

Re: Log forwarding profile in all security policies

ian_johnston — Wed, 13 Mar 2019 18:52:22 GMT

For big pastes to CLI, use a terminal emmulator, like Secure CRT, that allows you to add a 'pause' between lines. I've used a pause of 50ms to paste several hundred lines at a time.

Re: Log forwarding profile in all security policies

SteveKrall — Tue, 10 Jan 2023 07:26:36 GMT

I realize this is an old post but I have been doing this for several years using the PAN Expedition tool. None of the ASAs have IPS/IDS so it was something I had to do for almost every conversion.

Re: Log forwarding profile in all security policies

kiwi — Thu, 12 Jan 2023 08:23:18 GMT

Hi @SteveKrall ,

Thanks for refreshing this topic !

As a reminder I'd like to point out that starting with PAN-OS 10.2 you can add Log Forwarding Profiles in bulk using the policy optimizer:

I'm sure this is huge improvement for many users wanting to make these kind of bulk changes.

Kind regards,

-Kiwi.

Re: Log forwarding profile in all security policies

anon4all — Tue, 26 Mar 2024 06:06:17 GMT

thx, this is exactly what should have been in OS from the beginning!