I found a KB but it's from 2016 and is no longer applicable.
I want to enable 'log at session start' on thousands of existing Security Pre-Rules across several Device Groups. I remember a multi-edit function but something's changed and I can't figure out how to do this. We're running Pano 8.0.8 and 7.1.8 on the firewalls.
First thing - you should really upgrade both code versions you're running.
7.1.8 was released in February of 2017, you're almost 2 years out of date. 8.0.8 was released in February of 2018, so it's better but still risky to run.
Both versions have critical and high risk security vulnerabilities:
PAN-SA-2017-0027 (fixed in 7.1.13+)
PAN-SA-2018-0008 (fixed in 7.1.16+, 8.0.9+)
PAN-SA-2017-0028 (fixed in 7.1.13+)
PAN-SA-2017-0025 (fixed in 7.1.12+)
That said, the simplest way would be to use the Expedition Migration Tool. It's not supported by Palo Alto Networks support, but the community is very active and your account team may be able to assist as well. Some more complex but stand-alone methods would be to export your running config and modify the device groups in question. You could also script it and use the API to update each of the rules.
Yep, understood and agreed on the outdated versions we're on. Politics slowing progress, unfortunately.
Anyway, thanks for the feedback. We're meeting with PA this week so I'll talk to them about Expedition.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!