Edit Security Policies simultaneously


L1 Bithead

Hi All,

I was wondering how can I edit all the security policy rules simultaneously If I want to make any change in specific field. For example I have 80 security rules and I want to change Source Address of each rule so how can I edit this field for all the 80 rules? Do I have to edit each rule individually or is there an easy way to do it? Any help would be appreciated

9 REPLIES

L7 Applicator

Hi @m.hassan96 

 

The WebUI does not offer a multi-edit feature. But such tasks can be done easily on the CLI. When you set the output mode to "set" (set cli config-output-format set) you can display the rules you need (show rulebase security rules | match OBJECTNAME). Then copy this output to a text editor, replace the old object with the new one and paste the lines to the CLI.
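The editor-based find-and-replace described above has one trap: if the old object also appears in another field (say, destination) of the same rules, a blind replace rewrites that too. The following added script (not from this thread or from Palo Alto Networks) implements the same workflow but only touches the named field; it assumes the set-format output shape shown in the constructed sample and that source/destination are member lists, so the old member must be deleted before the new one is set.

```python
import shlex

# Constructed sample of `show rulebase security rules` in set output format
# (not taken from the thread). Allow-Web also uses Old-Net as a destination,
# which a blind text replace in an editor would silently rewrite too.
SAMPLE = """\
set rulebase security rules Allow-Web from trust
set rulebase security rules Allow-Web source [ Old-Net Admin-PC ]
set rulebase security rules Allow-Web destination Old-Net
set rulebase security rules Allow-Web action allow
set rulebase security rules "Block Legacy" source Old-Net
set rulebase security rules "Block Legacy" action deny
"""

PREFIX = "set rulebase security rules "


def members(tokens):
    """Collapse '[ a b ]' list syntax into member names; a single value passes through."""
    if len(tokens) >= 2 and tokens[0] == "[" and tokens[-1] == "]":
        return tokens[1:-1]
    return tokens


def quote(rule):
    """Set output wraps rule names that contain spaces in double quotes."""
    return f'"{rule}"' if " " in rule else rule


def rewrite_field(set_output, old, new, field="source"):
    """Build CLI commands swapping `old` for `new` in one field of every rule.

    Assumption: `field` is a member list, so `set ... source NEW` on its own
    would add NEW next to OLD; a `delete` of the old member is emitted first.
    """
    cmds = []
    for line in set_output.splitlines():
        if not line.startswith(PREFIX):
            continue
        parts = shlex.split(line[len(PREFIX):])  # rule, field, values...
        if len(parts) < 3 or parts[1] != field:
            continue
        rule, current = parts[0], members(parts[2:])
        if old not in current:
            continue
        cmds.append(f"delete rulebase security rules {quote(rule)} {field} {old}")
        if new not in current:
            cmds.append(f"set rulebase security rules {quote(rule)} {field} {new}")
    return cmds


if __name__ == "__main__":
    print("\n".join(rewrite_field(SAMPLE, "Old-Net", "New-Net")))
```

Review the generated commands before pasting them into configure mode, and let the commit validation catch anything the script did not.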

Cyber Elite

Hello,

You can also download the XML config, modify it, then upload it. Just be careful.

 

Cheers!

@m.hassan96,

XML is my preferred way of modifying the configuration as you can put the XML file itself directly into source control. As @OtakarKlier mentioned you just have to ensure that you don't mess up the formatting, however the validation process (either run separately when loading the config or during the commit process) should catch any issues you may make. The firewall also won't actually load a malformed XML file.

L3 Networker

Make sure to replace it with an object if possible instead of an address so you only have to change it in 1 place in the future!

L3 Networker

Multi edit is a function people have been begging for since version 4!

 

Ironically the function has existed for ages in the Migration Tool and now Expedition.

 

Expedition is relatively easy to spin up. You can then connect your firewall to it to import the policy and perform your multi edits here. Then Expedition can push the policy back to the firewall via API.

 

Other than this, your only options are ones already mentioned...

- Mass CLI commands probably written up in a spreadsheet

- Output the XML and manually edit it (highly susceptible to corruption)

- API automation (Basically what Expedition does for you).

 

EDIT: Forgot to include the link!

https://live.paloaltonetworks.com/t5/Expedition-Migration-Tool/ct-p/migration_tool

I recommend using the "rename" command in the CLI. It's quick, dirty and easy. Here is a snippet from one of my other posts to rename rules. You can just adapt this to "source IP" or whatever you are doing instead of the "rule name" in this example.

 

-----------------------

If you have a list of names (or just pull them from the config in the "set" formatting), you could probably script something out pretty quick with the "rename" statement in the cli.

 

Example from Panorama:

rename device-group grpGlobal pre-rulebase security rules grpGlobal-BlockKnownMalicious to grpWhateverYouWant

 

Example directly on Firewall:

rename rulebase security rules toBeChanged to newRuleName

PAN Configurator is a simple tool you can use to perform bulk edits, it's available from here:

 

https://github.com/cpainchaud/pan-configurator/tree/master/utils

 

It's quite easy to use on Mac, Linux or Windows.

 

Jason

L4 Transporter

@m.hassan96 

It can be done easily using the "multiedit" feature of the Expedition migration tool.

Sorry for updating this.

Please be aware that pan-configurator was stopped, but continued under a new name and repository:
https://github.com/PaloAltoNetworks/pan-os-php

It has the same feature set as pan-configurator, but already improved and extended.
