Edit Security Policies simultaneously

L1 Bithead

Hi All,

I was wondering how I can edit all the security policy rules simultaneously if I want to make a change in a specific field. For example, I have 80 security rules and I want to change the Source Address of each rule, so how can I edit this field for all 80 rules? Do I have to edit each rule individually, or is there an easy way to do it? Any help would be appreciated.

L7 Applicator

Re: Edit Security Policies simultaneously

Hi @m.hassan96 

 

The WebUI does not offer a multi-edit feature, but you can do such tasks easily on the CLI. When you set the output mode to "set" (set cli config-output-format set) you can display the rules you need (show rulebase security rules | match OBJECTNAME). Then copy this output to a text editor, replace the old object with the new one and paste the lines into the CLI.

L7 Applicator

Re: Edit Security Policies simultaneously

Hello,

You can also download the XML config, modify it, then upload it. Just be careful.

 

Cheers!

L7 Applicator

Re: Edit Security Policies simultaneously

@m.hassan96,

XML is my preferred way of modifying the configuration, as you can put the XML file itself directly into source control. As @Otakar.Klier mentioned, you just have to ensure that you don't mess up the formatting; however, the validation process (either run separately when loading the config or during the commit process) should catch any issues you may make. The firewall also won't actually load a malformed XML file.
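
The XML route described in the replies above, as an added example that is not from any poster in this thread: a small Python script that swaps one source member for another in every security rule of an exported config and returns the list of changed rules for review before the file is loaded. The sample config is constructed and trimmed to the relevant elements, and the function name `replace_source` is illustrative.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed PAN-OS style config with three security rules.
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain"><vsys>
<entry name="vsys1"><rulebase><security><rules>
  <entry name="web-out"><source><member>10.1.1.0/24</member></source></entry>
  <entry name="dns-out"><source><member>10.1.1.0/24</member><member>grp-clients</member></source></entry>
  <entry name="mgmt"><source><member>any</member></source></entry>
</rules></security></rulebase></entry></vsys></entry></devices></config>"""


def replace_source(config_xml, old, new):
    """Swap source member `old` for `new` in every security rule.

    Returns (modified_xml, names_of_changed_rules). Raises ET.ParseError on
    malformed input, so a broken file is never written out.
    """
    root = ET.fromstring(config_xml)
    changed = []
    # Match rules wherever they sit (vsys rulebase, device-group pre/post-rulebase).
    for rule in root.iterfind(".//security/rules/entry"):
        source = rule.find("source")
        if source is None:
            continue
        members = source.findall("member")
        hits = [m for m in members if m.text == old]
        if not hits:
            continue
        already_present = any(m.text == new for m in members)
        for i, m in enumerate(hits):
            if i == 0 and not already_present:
                m.text = new          # rewrite in place, keeps member order
            else:
                source.remove(m)      # avoid a duplicate <member>
        changed.append(rule.get("name"))
    return ET.tostring(root, encoding="unicode"), changed


if __name__ == "__main__":
    new_xml, changed = replace_source(SAMPLE_CONFIG, "10.1.1.0/24", "grp-clients")
    print("rules changed:", changed)   # review this list before loading the file
    print(new_xml)
```

Keeping the original export and the modified file side by side in source control gives a reviewable diff of exactly which rules were touched.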

L3 Networker

Re: Edit Security Policies simultaneously

Make sure to replace it with an object if possible instead of an address so you only have to change it in 1 place in the future!

L2 Linker

Re: Edit Security Policies simultaneously

Multi edit is a function people have been begging for since version 4!

 

Ironically the function has existed for ages in the Migration Tool and now Expedition.

 

Expedition is relatively easy to spin up. You can then connect your firewall to it to import the policy and perform your multi edits here. Then Expedition can push the policy back to the firewall via API.

 

Other than this, your only options are the ones already mentioned...

- Mass CLI commands probably written up in a spreadsheet

- Output the XML and manually edit it (highly susceptible to corruption)

- API automation (Basically what Expedition does for you).

 

EDIT: Forgot to include the link!

https://live.paloaltonetworks.com/t5/Expedition-Migration-Tool/ct-p/migration_tool

L4 Transporter

Re: Edit Security Policies simultaneously

I recommend using the "rename" command in the CLI. It's quick, dirty and easy. Here is a snippet from one of my other posts to rename rules. You can just adapt this to "source IP" or whatever you are doing instead of the "rule name" in this example.

 

-----------------------

If you have a list of names (or just pull them from the config in the "set" formatting), you could probably script something out pretty quick with the "rename" statement in the cli.

 

Example from Panorama:

rename device-group grpGlobal pre-rulebase security rules grpGlobal-BlockKnownMalicious to grpWhateverYouWant

 

Example directly on Firewall:

rename rulebase security rules toBeChanged to newRuleName

L2 Linker

Re: Edit Security Policies simultaneously

PAN Configurator is a simple tool you can use to perform bulk edits, it's available from here:

 

https://github.com/cpainchaud/pan-configurator/tree/master/utils

 

It's quite easy to use on Mac, Linux or Windows.

 

Jason

L3 Networker

Re: Edit Security Policies simultaneously

@m.hassan96 

It can easily be done using the "multiedit" feature of the Expedition migration tool.
