topic Re: Search for hosts/IPs across entire PA environment in General Topics

Search for hosts/IPs across entire PA environment

gwhyte — Tue, 15 Oct 2013 16:31:20 GMT

What is the most effective method for searching for usage of a hostname or IP address across our entire PA environment?

The goal is to be able to identify and delete objects and rules that have been created in our firewalls that correspond to hosts/IPs that have been retired from our environment. We get notified of those retirements, so I'd like to be able to easily scan our PA environment to determine if they were used anywhere. If they were, we'll go in and clean up any reference to them.

Our environment consists of Panorama and several firewalls. General Enterprise firewall settings come from Panorama to all firewalls, but local admins can add rules to their specific firewalls.

Thanks

Re: Search for hosts/IPs across entire PA environment

Chatri — Wed, 16 Oct 2013 02:18:23 GMT

The best way to verify that would be do is from the CLI

1) Run the command set cli config-output-format set

2) PA-200>configure ( enter the configuration mode)

3) PA-200 # show ( just run the command 'show')

This will show you the entire configuration, and then you can search fro the ip by using the character '/' on the CLI output, then search for the string ( which in this case would be your IP address that has been retired). Doing this will highlight any match for the IP address in the configuration. Using the key 'n' will keep showing you the next match for the ip in the config, you can keep doing that and figure out where in the config is that Ip being referenced.

Hope this helps

Re: Search for hosts/IPs across entire PA environment

Phoenix — Wed, 16 Oct 2013 15:17:39 GMT

Hello,

Another suggestion is to export the running configuration file on an xml editor and search for "IP/hostname" that are in the retired list and we can find them. As we find them we can either delete the instance or edit it as needed.

Re: Search for hosts/IPs across entire PA environment

tommyluke — Wed, 16 Oct 2013 18:48:21 GMT

Chatri and Phoenix have some good suggestions. However, I'm also curious about this but want a more 'global' perspective - like gwhyte mentioned - with Panorama and multiple firewalls, etc. The root objective for me, then, is to find a way to search all shared *and* local objects from one place! I'm not sure if this is possible but I'd like to hear from the PAN warriors out there...

Re: Search for hosts/IPs across entire PA environment

Phoenix — Wed, 16 Oct 2013 18:52:13 GMT

Hello Tommy,

In 5.0 software versions we do have a feature called "Export device State".

Seen under, Device Tab > Setup > Operations

This would export not just the local configuration file of the firewall but also has the configuration file for Shared config from panorama, template configuration from panorama certificates and so on.

We can search this section for object references and modify or edit as informed earlier.

Thanks

Re: Search for hosts/IPs across entire PA environment

tommyluke — Wed, 16 Oct 2013 19:26:39 GMT

Phoenix That makes sense, thank you. However, a person would be required to perform the export on each and every device/appliance that one manages, correct?

Re: Search for hosts/IPs across entire PA environment

Phoenix — Wed, 16 Oct 2013 20:31:49 GMT

Tommy,

Yes you are right. One has to export manually each device where a change is needed and correct manually what ever changes have to be made.