I was wondering how can I edit all the security policy rules simultaneously If I want to make any change in specific field. For example I have 80 security rules and I want to change Source Address of each rule so how can I edit this field for all the 80 rules? Do I have to edit each rule individually or is there an easy way to do it? Any help would be appreciated
The WebUI does not offer a multi edit feature. But such tasks you can do easily on the CLI. When you set the output mode to "set" (set cli config-output-format set) you can display the rules you need (show rulebase security rules | match OBJECTNAME). Then copy this output to a texteditor, replace the old object with the new one and paste the lines to the CLI.
XML is my preferred way of modifying the configuration as you can put the XML file itself directly into source control. As @Otakar.Klier mentioned you just have to ensure that you don't mess up the formatting, however the validation process (either ran seperatly when loading the config or during the commit process) should catch any issues you may make. The firewall also won't actually load a malformed XML file.
Make sure to replace it with an object if possible instead of an address so you only have to change it in 1 place on the future!
Multi edit is a function people have been begging for since version 4!
Ironically the function has existed for ages in the Migration Tool and now Expedition.
Expedition is relatively easy to spin up. You can then connect your firewall to it to import the policy and perform your multi edits here. Then Expedition can push the policy back to the firewall via API.
Other than this, you're only options are ones already mentioned...
- Mass CLI commands probably written up in a spreadsheet
- Output the XML and manually edit it (highly suseptible to corruption)
- API automation (Basically what Expedition does for you).
EDIT: Forgot to include the link!
I recommend using the "rename" command in the CLI. It's quick, dirty and easy. Here is a snippet from one of my other posts to rename rules. You can just adapt this to "source IP" or whatever you are doing instead the the "rule name" in this example.
If you have a list of names (or just pull them from the config in the "set" formatting), you could probably script something out pretty quick with the "rename" statement in the cli.
Example from Panorama:
rename device-group grpGlobal pre-rulebase security rules grpGlobal-BlockKnownMalicious to grpWhateverYouWant
Example directly on Firewall:
rename rulebase security rules toBeChanged to newRuleName
PAN Configurator is a simple tool you can use to perform bulk edits, it's available from here:
It's quite easy to use on Mac, Linux or Windows.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!