Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
10-29-2018 10:59 AM - edited 10-29-2018 01:29 PM
Converting from ASA to PAN.
Is there a way to apply a Security Profile Group to a large # of security policies. One can only create a snippet for the individual profiles but not for a group. Tried to edit the policy itself and manually add a group name. It took it, but when we open the policy back up, it is not there.
One mentioned to crate a custom one. Tried that, but what "Type" was slected? There isn't a csutom one that we can file for a security profile group.
The PAN baseline config already has all the profiles and the group..
10-29-2018 11:10 AM
Yes, you have to create a custom group. You can select all the security policies (I stick to 500 at a time) and add the Security Group, and/or Logging Profile, HIP, QoS, Schedules, etc...
For example, here is one I use called "Alert_Only_Sec_Profile_Group", which groups 4 other profiles (Snippets) together.
***************profile-group*******************
<entry name="Alert_Only_Sec_Profile_Group">
<virus>
<member>Anitvirus_Alert_Only_Profile</member>
</virus>
<spyware>
<member>Anti-Spyware_Alert_Only_Profile</member>
</spyware>
<vulnerability>
<member>Vulnerability_AlertOnly_Profile</member>
</vulnerability>
<wildfire-analysis>
<member>Alert_Only_WildFire_Profile</member>
</wildfire-analysis>
</entry>
10-29-2018 11:11 AM
Yes you can. You need to create a group manually which includes your Security profiles. Then attach the group to your security profiles together in Expedition. Here is a group I use which takes the Security Profiles (snipetts) and groups them.
***************profile-group*******************
<entry name="Alert_Only_Sec_Profile_Group">
<virus>
<member>Anitvirus_Alert_Only_Profile</member>
</virus>
<spyware>
<member>Anti-Spyware_Alert_Only_Profile</member>
</spyware>
<vulnerability>
<member>Vulnerability_AlertOnly_Profile</member>
</vulnerability>
<wildfire-analysis>
<member>Alert_Only_WildFire_Profile</member>
</wildfire-analysis>
</entry>
10-29-2018 11:14 AM
Do you have to create a snippet of each of the profiles, in order to create the custom group? Am trying to avoid that and just create the group. Reason is, the baseline config already has all of the profiles, and I didn't want the tool to overwrite it. Thanks!
10-29-2018 11:35 AM
When you created the custom group, did you add it under Snippets? If so, what "Type" did you use? Did you leave it as default, All Types?
10-29-2018 11:51 AM
I guess you could create blank Snippets as long as the real thing is in the PAN/PANO.
10-31-2018 04:44 AM
Nope ! If you add an snippet "blank" the XML generation will probably fail !!. After you do the merge with your Base Config (add the profiles and groups there before import to Expedition for instance) then from the policies, right-click you will see an option called BULK CHANGES then select the profile group and select to ALL RULES 🙂
10-31-2018 04:51 AM
Thank you Albert for the tip.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
