Adding Security Profile Group to Policies

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Adding Security Profile Group to Policies

L2 Linker

Converting from ASA to PAN.

 

Is there a way to apply a  Security Profile Group to a large # of security policies. One can only create a snippet for the individual profiles but not for a group. Tried to edit the policy itself and manually add a group name. It took it, but when we open the policy back up, it is not there. 

 

One mentioned to crate a custom one. Tried that, but what "Type" was slected? There isn't a csutom one that we can file for a security profile group.

 

The PAN baseline config already has all the profiles and the group..

1 accepted solution
8 REPLIES 8

L2 Linker

Yes, you have to create a custom group. You can select all the security policies (I stick to 500 at a time) and add the Security Group, and/or Logging Profile, HIP, QoS, Schedules, etc...

 

For example, here is one I use called "Alert_Only_Sec_Profile_Group", which groups 4 other profiles (Snippets) together.

 

***************profile-group*******************
<entry name="Alert_Only_Sec_Profile_Group">
<virus>
<member>Anitvirus_Alert_Only_Profile</member>
</virus>
<spyware>
<member>Anti-Spyware_Alert_Only_Profile</member>
</spyware>
<vulnerability>
<member>Vulnerability_AlertOnly_Profile</member>
</vulnerability>
<wildfire-analysis>
<member>Alert_Only_WildFire_Profile</member>
</wildfire-analysis>
</entry>

L2 Linker

Yes you can.  You need to create a group manually which includes your Security profiles.  Then attach the group to your security profiles together in Expedition.  Here is a group I use which takes the Security Profiles (snipetts) and groups them.  

 

***************profile-group*******************
<entry name="Alert_Only_Sec_Profile_Group">
<virus>
<member>Anitvirus_Alert_Only_Profile</member>
</virus>
<spyware>
<member>Anti-Spyware_Alert_Only_Profile</member>
</spyware>
<vulnerability>
<member>Vulnerability_AlertOnly_Profile</member>
</vulnerability>
<wildfire-analysis>
<member>Alert_Only_WildFire_Profile</member>
</wildfire-analysis>
</entry>

Do you have to create a snippet of each of the profiles, in order to create the custom group? Am trying to avoid that and just create the group. Reason is, the baseline config already has all of the profiles, and I didn't want the tool to overwrite it. Thanks!

When you created the custom group, did you add it under Snippets? If so, what "Type" did you use? Did you leave it as default, All Types?

I guess you could create blank Snippets as long as the real thing is in the PAN/PANO.

Nope ! If you add an snippet "blank" the XML generation will probably fail !!. After you do the merge with your Base Config (add the profiles and groups there before import to Expedition for instance) then from the policies, right-click you will see an option called BULK CHANGES then select the profile group and select to ALL RULES 🙂

Thank you Albert for the tip.

  • 1 accepted solution
  • 8866 Views
  • 8 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!