https://live.paloaltonetworks.com/t5/general-topics/assigning-security-profile-to-multiple-security-rules/m-p/227886#M65549 <P>Or Panorama if you have it.</P> Wed, 22 Aug 2018 14:09:40 GMT OtakarKlier 2018-08-22T14:09:40Z https://live.paloaltonetworks.com/t5/general-topics/assigning-security-profile-to-multiple-security-rules/m-p/227865#M65543 <P>Hi,</P><P>&nbsp; when you have 100-200 security rule and need to assign a threat security profile to all the rules, what do you do?</P><P>Does anyone know an easy way of doing it? I can either script it via XML API but there should be an easier way I think.</P><P>&nbsp;</P><P>thanks.</P> Wed, 22 Aug 2018 12:28:51 GMT https://live.paloaltonetworks.com/t5/general-topics/assigning-security-profile-to-multiple-security-rules/m-p/227865#M65543 tirexxerit 2018-08-22T12:28:51Z https://live.paloaltonetworks.com/t5/general-topics/assigning-security-profile-to-multiple-security-rules/m-p/227876#M65545 <P>Hello,</P><P>If they already have assigned a Group or Profile, you can just modify it, that way it will get applied. If you currently do not have any applied and need to apply one you can either do it by the XML method you mentioned, or I think there could be a way to script it via the API, but thats an area where I dont delve into. But I'm sure others may have another method.</P><P>&nbsp;</P><P>Regards,</P> Wed, 22 Aug 2018 13:24:20 GMT https://live.paloaltonetworks.com/t5/general-topics/assigning-security-profile-to-multiple-security-rules/m-p/227876#M65545 OtakarKlier 2018-08-22T13:24:20Z https://live.paloaltonetworks.com/t5/general-topics/assigning-security-profile-to-multiple-security-rules/m-p/227884#M65548 <P>No profile is attached actually and need to assign group profile to multiple firewalls.</P><P>There is a nice feature on URL filtering profile for example. You choose the action and say apply the action to all categories</P><P>which is quite handy but couldn't see such for security rules yet. Maybe on the roadmap.</P><P>If there is no built-in method, then I need to look into API.</P><P>&nbsp;</P><P>thanks.</P><P>&nbsp;</P> Wed, 22 Aug 2018 13:42:41 GMT https://live.paloaltonetworks.com/t5/general-topics/assigning-security-profile-to-multiple-security-rules/m-p/227884#M65548 tirexxerit 2018-08-22T13:42:41Z https://live.paloaltonetworks.com/t5/general-topics/assigning-security-profile-to-multiple-security-rules/m-p/227886#M65549 <P>Or Panorama if you have it.</P> Wed, 22 Aug 2018 14:09:40 GMT https://live.paloaltonetworks.com/t5/general-topics/assigning-security-profile-to-multiple-security-rules/m-p/227886#M65549 OtakarKlier 2018-08-22T14:09:40Z https://live.paloaltonetworks.com/t5/general-topics/assigning-security-profile-to-multiple-security-rules/m-p/227892#M65551 <P>I don't recall that panorama has such feature. If you don't mean assigning to device group and pushing it to multiple devices.</P><P>&nbsp;</P> Wed, 22 Aug 2018 14:24:35 GMT https://live.paloaltonetworks.com/t5/general-topics/assigning-security-profile-to-multiple-security-rules/m-p/227892#M65551 tirexxerit 2018-08-22T14:24:35Z https://live.paloaltonetworks.com/t5/general-topics/assigning-security-profile-to-multiple-security-rules/m-p/227893#M65552 <P>Sorry I didnt specify. If you have Panorama, you could make all the changes there and push those changes out to the different managed firewalls. However you would still need to assign the profiles to the different policies.</P> Wed, 22 Aug 2018 14:26:39 GMT https://live.paloaltonetworks.com/t5/general-topics/assigning-security-profile-to-multiple-security-rules/m-p/227893#M65552 OtakarKlier 2018-08-22T14:26:39Z https://live.paloaltonetworks.com/t5/general-topics/assigning-security-profile-to-multiple-security-rules/m-p/227895#M65553 <P>I've done this two ways, depending on how many times it will need to be done.</P><P>&nbsp;</P><P>The way i've done it when tehre are many firewalls or device groups to update is via scripting and teh XML API - I pull the policies with powershell, iterate through the policies adding the profiles or profile group, then push them back to teh firewall or panorama.&nbsp; it's pretty quick.</P><P>&nbsp;</P><P>If there is only one or two to do:</P><P>log into the CLI</P><P>issue the command "set cli config-output-format set" so that when you view the configuration it give set commands</P><P>enter edit mode</P><P>"show vsys vsys1 rulebase security | match 'action allow'" - this should give you a "list" of your rules, copy that to a text editor, so you can repalce "action allow" with 'profile-setting group "&lt;your profile group&gt;"' or the appropriate command to set the profile(s) you want.</P><P>paste the commands back into the firewall - be aware the buffer is relatively small, take 10-15 lines at a time</P> Wed, 22 Aug 2018 14:59:46 GMT https://live.paloaltonetworks.com/t5/general-topics/assigning-security-profile-to-multiple-security-rules/m-p/227895#M65553 JoeAndreini 2018-08-22T14:59:46Z https://live.paloaltonetworks.com/t5/general-topics/assigning-security-profile-to-multiple-security-rules/m-p/227911#M65558 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/80006">@tirexxerit</a>,</P><P>In addition to the method already specified by&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/83021">@JoeAndreini</a>:</P><P>1)&nbsp;You could use Expedition (The migration tool) and do this easily. Depending on experiance with the API or modifying the XML this would actually be my preffered method.&nbsp;&nbsp;</P><P>2) You could modify the XML directly and simply look in every entry within &lt;security&gt; and ensure that it has a &lt;profile-setting&gt; element. If you're comfortable with XML this is my preffered method.&nbsp;</P><P>&nbsp;</P><P>API scripts are great but you have to be very careful that it doesn't actually give a bad result on the rules. Making a script that accounts for these expections with the API can be a bit of a pain.&nbsp;</P> Wed, 22 Aug 2018 16:47:52 GMT https://live.paloaltonetworks.com/t5/general-topics/assigning-security-profile-to-multiple-security-rules/m-p/227911#M65558 BPry 2018-08-22T16:47:52Z https://live.paloaltonetworks.com/t5/general-topics/assigning-security-profile-to-multiple-security-rules/m-p/227978#M65572 <BLOCKQUOTE><HR /><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/83021">@JoeAndreini</a>&nbsp;wrote:<BR /><P>be aware the buffer is relatively small, take 10-15 lines at a time</P><HR /></BLOCKQUOTE><P>... or if you're using a SSH client that has this feature, set a delay of 150ms between the commands</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 22 Aug 2018 22:07:06 GMT https://live.paloaltonetworks.com/t5/general-topics/assigning-security-profile-to-multiple-security-rules/m-p/227978#M65572 Remo 2018-08-22T22:07:06Z https://live.paloaltonetworks.com/t5/general-topics/assigning-security-profile-to-multiple-security-rules/m-p/227986#M65574 <P>or use scripting-mode :<EM> set cli scripting-mode on</EM></P><P>&nbsp;</P><P>I never remember this exact command and often&nbsp;just paste 20 lines at a time rather than google it..</P> Wed, 22 Aug 2018 22:39:24 GMT https://live.paloaltonetworks.com/t5/general-topics/assigning-security-profile-to-multiple-security-rules/m-p/227986#M65574 JoeAndreini 2018-08-22T22:39:24Z