What is the most effective method for searching for usage of a hostname or IP address across our entire PA environment?
The goal is to be able to identify and delete objects and rules that have been created in our firewalls that correspond to hosts/IPs that have been retired from our environment. We get notified of those retirements, so I'd like to be able to easily scan our PA environment to determine if they were used anywhere. If they were, we'll go in and clean up any reference to them.
Our environment consists of Panorama and several firewalls. General Enterprise firewall settings come from Panorama to all firewalls, but local admins can add rules to their specific firewalls.
The best way to verify that would be from the CLI:
1) Run the command: set cli config-output-format set
2) PA-200> configure (enter configuration mode)
3) PA-200# show (just run the command 'show')
This will show you the entire configuration. You can then search for the IP by typing the character '/' on the CLI output, followed by the string to search for (which in this case would be your IP address that has been retired). Doing this will highlight any match for the IP address in the configuration. Pressing the key 'n' will show you the next match for the IP in the config; you can keep doing that and figure out where in the config that IP is being referenced.
Hope this helps
Another suggestion is to export the running configuration file into an XML editor and search for the IPs/hostnames that are in the retired list; that way we can find them. As we find them we can either delete the instance or edit it as needed.
Chatri and Phoenix have some good suggestions. However, I'm also curious about this but want a more 'global' perspective - like gwhyte mentioned - with Panorama and multiple firewalls, etc. The root objective for me, then, is to find a way to search all shared *and* local objects from one place! I'm not sure if this is possible but I'd like to hear from the PAN warriors out there...
In 5.0 software versions we do have a feature called "Export device state".
It is found under Device tab > Setup > Operations.
This exports not just the local configuration file of the firewall but also the shared configuration from Panorama, the template configuration from Panorama, certificates and so on.
We can search this export for object references and modify or edit them as mentioned earlier.
Phoenix, that makes sense, thank you. However, a person would be required to perform the export on each and every device/appliance that one manages, correct?
Yes, you are right. One has to export manually from each device where a change is needed and correct manually whatever changes have to be made.
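The "search the exported XML for the retired IP/hostname" step from the replies above can be scripted rather than done by hand in an editor. This is an added Python example, not code from the thread or from Palo Alto Networks: it walks a PAN-OS-style configuration export, finds address objects whose value is a retired IP or FQDN, follows them through (nested) address groups, and reports every other member (rule source/destination, etc.) that references them. The embedded XML is a constructed sample modelled on the shared/vsys layout of a PAN-OS export, not a real device state or running config.

```python
import xml.etree.ElementTree as ET

# Constructed sample in PAN-OS config layout (shared objects + one vsys rulebase); not a real export.
SAMPLE_XML = """<config><shared><address>
  <entry name="web-old"><ip-netmask>10.1.2.3/32</ip-netmask></entry>
  <entry name="legacy-srv"><fqdn>legacy.corp.example</fqdn></entry>
  <entry name="keep-me"><ip-netmask>10.9.9.9/32</ip-netmask></entry>
</address><address-group><entry name="web-farm"><static><member>web-old</member></static></entry></address-group>
</shared><devices><entry name="localhost.localdomain"><vsys><entry name="vsys1"><rulebase><security><rules>
  <entry name="allow-web"><destination><member>web-farm</member></destination></entry>
  <entry name="allow-raw"><destination><member>10.1.2.3</member></destination></entry>
  <entry name="allow-keep"><destination><member>keep-me</member></destination></entry>
</rules></security></rulebase></entry></vsys></entry></devices></config>"""


def find_references(xml_text, retired):
    """Return config paths referencing a retired IP/hostname directly or via address objects/groups."""
    root = ET.fromstring(xml_text)
    parent = {c: p for p in root.iter() for c in p}  # child -> parent map for path building
    def path(node):  # e.g. shared/address/entry[web-old]; drops the <config> root
        parts = []
        while node is not None:
            parts.append(f'{node.tag}[{node.get("name")}]' if node.get("name") else node.tag)
            node = parent.get(node)
        return "/".join(reversed(parts[:-1]))
    retired, tainted, hits = set(retired), set(), []
    # Pass 1: address objects whose value is retired; their names become tainted.
    for entry in root.iterfind(".//address/entry"):
        val = entry.findtext("ip-netmask") or entry.findtext("fqdn") or ""
        if val.split("/")[0] in retired:
            tainted.add(entry.get("name"))
            hits.append(path(entry))
    # Pass 2: address groups holding tainted members; loop to a fixpoint so nested groups are caught.
    grew = True
    while grew:
        grew = False
        for entry in root.iterfind(".//address-group/entry"):
            members = {(m.text or "").strip() for m in entry.iter("member")}
            if entry.get("name") not in tainted and members & tainted:
                tainted.add(entry.get("name"))
                hits.append(path(entry))
                grew = True
    # Pass 3: any other <member> (rules, NAT, etc.) naming a retired value or tainted object.
    for m in root.iter("member"):
        txt = (m.text or "").strip()
        if (txt in retired or txt in tainted) and "address-group" not in path(m):
            hits.append(path(m))
    return hits
```

Run it over each exported file with `find_references(open(path).read(), retired_list)`; the returned paths point at the shared or per-vsys entries to clean up, and a retired value that returns no hits has no remaining references in that export.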