topic Re: Security Profile - Mass change - Is there an easy way? in General Topics

Security Profile - Mass change - Is there an easy way?

Gareth.Doyle — Wed, 23 Oct 2019 18:28:14 GMT

I received a request to change the current security profile on 3,502 policies (spanning three VSYS) from a shared profile to a local profile. Is there a better way to do this than doing them individually through the GUI?

I don't even want to think about how long this would take if I have to do it through the GUI, not to mention the arthritis I'll have developed in my hand by the end of that.

Thanks.

Re: Security Profile - Mass change - Is there an easy way?

brianowen — Thu, 24 Oct 2019 03:46:22 GMT

Have you considered installing Expedition (https://live.paloaltonetworks.com/t5/Expedition-Migration-Tool/ct-p/migration_tool), then connecting Panorama to Expedition. If you don't have Panorama, you could import config of firewalls as well. You can then do a multi-edit on the policies and change the security profile and push back out to Pan. If you just imported the config into Expedition, you could also make the multi-edit changes in Expedition, export config and merge back into firewalls with the security profile change.

We recently used this approach for some migrations for zone, security profiles, and logging profiles.

Good Luck.

Re: Security Profile - Mass change - Is there an easy way?

Gareth.Doyle — Thu, 24 Oct 2019 12:14:55 GMT

That's a great suggestion, but I'm not sure the business side of things here would allow that. I can already hear their concerns going on in my head, but it is worth a shot.

Thanks!

Re: Security Profile - Mass change - Is there an easy way?

Gareth.Doyle — Fri, 25 Oct 2019 18:40:00 GMT

I worked with TAC and found the best way (for me) to do this. I have written out the process below in case someone else may find it useful. Please keep in mind I utilize Panorama, so this is written for that. I can't speak to any differences there may be in syntax between Panorama and doing it directly on a firewall.

Thanks.

1. Log into the Panorama GUI and create a local security profile for the VSYS you are working on.

2. Log into the Panorama CLI.

3. Enter command: set cli config-output-format set

4. Enter command: configure

5. Now we need to identify each rule that is utilizing the old security profile (in this case we'll call it OldSecurityProfile) so we run this next command. Please keep in mind that in this example the device-group (or VSYS) we will be working on is called Firewall-123, so wherever you see that referenced will need to be changed to match your needs:
show device-group Firewall-123 post-rulebase security rules | match OldSecurityProfile

6. After running the previous command we found that the policy "Security Policy Name" is set to use the OldSecurityProfile security profile and we want to change that to the new “New_Security_Profile” security profile.
set device-group Firewall-123 post-rulebase security rules "Security Policy Name" profile-setting group OldSecurityProfile

7. Now we delete the previous security profile in that rule and set the new security profile with the delete and set commands:
delete device-group Firewall-123 post-rulebase security rules "Security Policy Name" profile-setting group OldSecurityProfile
set device-group Firewall-123 post-rulebase security rules "Security Policy Name" profile-setting group New_Security_Profile

8. Now commit and push to the firewall.