I need to add a lot of addresses (around 10,000) to my firewalls. I have them in a list and have created a script to add them one at a time. The problem is that this takes a long time. I then tried to add them all, but my URI was too long. So now I can add about 50 at a time. It still takes a while.
I also know that with the import command I can import a full config.
My question is this: Is there a way with the import command that I can add several addresses at once?
Is there a reason that you need to do this with the API? If this is a one-time event, you could do it pretty quickly through the CLI using the "scripting-mode" function. Here's what it looks like on a PA-4020 running 5.0.6 (via SSH console):
admin@pa4020> set cli scripting-mode on
(now paste in the 10000 lines of objects)
admin@pa4020# set address object00001 ip-netmask 220.127.116.11
admin@pa4020# set address object00002 ip-netmask 18.104.22.168
I also did the same thing on a PA-5050. The first 3000 will go pretty quick, and after that it will slow down quite a bit. The PA4020 was processing about 3-4 new objects/sec, while the PA5050 was adding about 7-8 entries/sec. Should be do-able in ~20 minutes if I had to extrapolate.
You could also export your configuration, add the objects manually in xml format and import again.
Shouldn't be hard to create a script to get the objects in PAN xml format:
Or you can load a partial configuration, but I have no experience with this yet.
Please answer the following questions:
As mschuricht is implying, having a lot of objects in your configuration can cause an additional load / configuration latency on your device. When adding an address, the device will parse the entire configuration file to check if the objects already exist, etc.
50K objects is quite large. Are you actually using all of those objects?
This seems like a case for consolidation if possible to subnets and ranges where applicable as well as removing any unused objects.
Here is a script to identify unused objects to aid in a diagnosis: Unused and Duplicate Address Object Script
I would probably recommend moving to 5.1 for 64 bit support if you cannot reduce the number of objects. 5.1 requires 4 CPU cores and 4GB RAM at minimum. For a larger config it is recommended to move to 16GB of RAM. The release notes outline the recommended requirements as well as upgrade procedure if you decide to go this route.
I see what you did there... Trying to trick me into reading the documentation. ;)
They will all be used. I upgraded to 5.1, but didn't actually read the release notes. Heading off to do that now.
A quick example script for the Office Pro IP ranges. This would be expanded as needed.
set tag Office365-OP
set address Office365-OP01 tag Office365-OP ip-netmask 22.214.171.124
set address Office365-OP02 tag Office365-OP ip-netmask 126.96.36.199
set address Office365-OP03 tag Office365-OP ip-netmask 188.8.131.52
set address-group Office365-OP tag Office365 dynamic filter 'Office365-OP'
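The thread suggests generating the objects with a script, either as set commands for scripting mode or as XML for an exported configuration, and consolidating the list into subnets first. The following is an added example, not code from any post in the thread: the sample addresses are constructed, the object name prefix and its allowed characters are assumptions, and where the `<address>` fragment belongs in an exported configuration depends on your device.

```python
import ipaddress
import re

# Constructed sample list (documentation ranges), not addresses from the thread.
SAMPLE = """192.0.2.0
192.0.2.1
192.0.2.2
192.0.2.3
198.51.100.7
198.51.100.7
203.0.113.0/25
203.0.113.128/25
not-an-ip
"""

def parse_and_consolidate(text):
    """Validate each line, then merge duplicates and adjacent ranges.
    Returns (networks, rejected_lines)."""
    nets, rejected = [], []
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line))  # strict: host bits must be zero
        except ValueError:
            rejected.append(line)  # never paste unvalidated text into the CLI
    merged = []
    for version in (4, 6):  # collapse_addresses cannot mix IPv4 and IPv6
        merged += ipaddress.collapse_addresses(n for n in nets if n.version == version)
    return merged, rejected

def _names(nets, prefix):
    # Assumption: a conservative character set for object names.
    if not re.fullmatch(r"[A-Za-z0-9][A-Za-z0-9_-]*", prefix):
        raise ValueError("unsafe object name prefix")
    return [(f"{prefix}{i:05d}", n) for i, n in enumerate(nets, 1)]

def to_set_commands(nets, prefix="object"):
    """Lines in the form pasted in scripting mode in the thread."""
    return [f"set address {name} ip-netmask {n}" for name, n in _names(nets, prefix)]

def to_xml(nets, prefix="object"):
    """<address> fragment for a hand-edited exported configuration."""
    rows = [f'  <entry name="{name}"><ip-netmask>{n}</ip-netmask></entry>'
            for name, n in _names(nets, prefix)]
    return "\n".join(["<address>", *rows, "</address>"])

if __name__ == "__main__":
    networks, bad = parse_and_consolidate(SAMPLE)
    print("\n".join(to_set_commands(networks)))
    print(to_xml(networks))
    print("rejected:", bad)
```

On the sample, eight valid lines collapse to three objects and the malformed line is reported instead of being emitted.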