Adding Security Profile Group to Policies

L2 Linker

Adding Security Profile Group to Policies

Converting from ASA to PAN.

 

Is there a way to apply a Security Profile Group to a large # of security policies? One can only create a snippet for the individual profiles but not for a group. Tried to edit the policy itself and manually add a group name. It took it, but when we open the policy back up, it is not there.

 

One mentioned to create a custom one. Tried that, but what "Type" was selected? There isn't a custom one that we can file for a security profile group.

 

The PAN baseline config already has all the profiles and the group.

L2 Linker

Re: Adding Security Profile Group to Policies

Yes, you have to create a custom group. You can select all the security policies (I stick to 500 at a time) and add the Security Group, and/or Logging Profile, HIP, QoS, Schedules, etc...

 

For example, here is one I use called "Alert_Only_Sec_Profile_Group", which groups 4 other profiles (Snippets) together.

 

***************profile-group*******************
<entry name="Alert_Only_Sec_Profile_Group">
<virus>
<member>Anitvirus_Alert_Only_Profile</member>
</virus>
<spyware>
<member>Anti-Spyware_Alert_Only_Profile</member>
</spyware>
<vulnerability>
<member>Vulnerability_AlertOnly_Profile</member>
</vulnerability>
<wildfire-analysis>
<member>Alert_Only_WildFire_Profile</member>
</wildfire-analysis>
</entry>

L2 Linker

Re: Adding Security Profile Group to Policies

Yes you can. You need to create a group manually which includes your Security profiles. Then attach the group to your security profiles together in Expedition. Here is a group I use which takes the Security Profiles (snippets) and groups them.

 

***************profile-group*******************
<entry name="Alert_Only_Sec_Profile_Group">
<virus>
<member>Anitvirus_Alert_Only_Profile</member>
</virus>
<spyware>
<member>Anti-Spyware_Alert_Only_Profile</member>
</spyware>
<vulnerability>
<member>Vulnerability_AlertOnly_Profile</member>
</vulnerability>
<wildfire-analysis>
<member>Alert_Only_WildFire_Profile</member>
</wildfire-analysis>
</entry>

L2 Linker

Re: Adding Security Profile Group to Policies

Do you have to create a snippet of each of the profiles, in order to create the custom group? Am trying to avoid that and just create the group. Reason is, the baseline config already has all of the profiles, and I didn't want the tool to overwrite it. Thanks!

L2 Linker

Re: Adding Security Profile Group to Policies

When you created the custom group, did you add it under Snippets? If so, what "Type" did you use? Did you leave it as default, All Types?

L2 Linker

Re: Adding Security Profile Group to Policies

I guess you could create blank Snippets as long as the real thing is in the PAN/PANO.

L7 Applicator

Re: Adding Security Profile Group to Policies

Nope! If you add a "blank" snippet the XML generation will probably fail!! After you do the merge with your Base Config (add the profiles and groups there before import to Expedition, for instance), then from the policies, right-click and you will see an option called BULK CHANGES, then select the profile group and select to ALL RULES :-)

L3 Networker

Re: Adding Security Profile Group to Policies

Thank you Albert for the tip.
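
One way to check the result after the merge and bulk change discussed in this thread, as an added example that is not from any poster or from Expedition: it audits an exported config to confirm that every member of the profile group resolves to a real profile and lists the security rules that still lack the group. The `audit` function, the sample rules and the element layout are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed vsys with the thread's profile group, three of
# its four member profiles, and three rules. The layout (profiles/<type>/entry,
# rules/entry/profile-setting/group/member) is an assumption about the export.
SAMPLE = """<vsys><entry name="vsys1">
<profiles>
 <virus><entry name="Anitvirus_Alert_Only_Profile"/></virus>
 <spyware><entry name="Anti-Spyware_Alert_Only_Profile"/></spyware>
 <vulnerability><entry name="Vulnerability_AlertOnly_Profile"/></vulnerability>
</profiles>
<profile-group>
 <entry name="Alert_Only_Sec_Profile_Group">
  <virus><member>Anitvirus_Alert_Only_Profile</member></virus>
  <spyware><member>Anti-Spyware_Alert_Only_Profile</member></spyware>
  <vulnerability><member>Vulnerability_AlertOnly_Profile</member></vulnerability>
  <wildfire-analysis><member>Alert_Only_WildFire_Profile</member></wildfire-analysis>
 </entry>
</profile-group>
<rulebase><security><rules>
 <entry name="allow-web"><profile-setting><group>
  <member>Alert_Only_Sec_Profile_Group</member></group></profile-setting></entry>
 <entry name="allow-dns"/>
 <entry name="allow-smtp"><profile-setting><profiles>
  <virus><member>Anitvirus_Alert_Only_Profile</member></virus>
 </profiles></profile-setting></entry>
</rules></security></rulebase>
</entry></vsys>"""

def audit(xml_text, group_name):
    """Return (unresolved group members, rules not using the group)."""
    root = ET.fromstring(xml_text)
    group = root.find(f".//profile-group/entry[@name='{group_name}']")
    if group is None:
        raise ValueError(f"profile group {group_name!r} not in config")
    # Every <member> in the group must name a profile defined under profiles/<type>.
    missing = []
    for kind in group:
        defined = {e.get("name") for e in root.findall(f".//profiles/{kind.tag}/entry")}
        missing += [(kind.tag, m.text) for m in kind.findall("member") if m.text not in defined]
    # Rules with individual profiles or no profile-setting at all are both reported.
    rules = root.findall(".//rulebase/security/rules/entry")
    unprotected = [r.get("name") for r in rules
                   if group_name not in [m.text for m in r.findall("profile-setting/group/member")]]
    return missing, unprotected

if __name__ == "__main__":
    print(audit(SAMPLE, "Alert_Only_Sec_Profile_Group"))
```

A non-empty first list means the group points at a profile the config does not define; a non-empty second list means the bulk change did not reach those rules.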
