on 01-12-2023 07:07 AM - edited on 01-12-2023 07:15 AM by jforsythe
This Nominated Discussion Article is based on the post "Log Forwarding Profile in All Security Policies" by @Javith_Ali and answered by @BPry, @vsys_remo, @Raido_Rattameister, @SteveKrall and @kiwi. Read on to see the discussion and solution!
Is there any other way to configure Log forwarding profile in all 300+ security policies in single shot.
Currently there is no log forwarding profile in all 300+ policies.
First of all I'd like to point out that starting with PAN-OS 10.2 you can add Log Forwarding Profiles in bulk using the policy optimizer:
I'm sure this is a huge improvement for many users wanting to make these kind of bulk changes and aren't up for scripting or using different tools.
If you aren't on PAN-OS 10.2, you can look into the alternatives listed below.
You can export the XML and modify it manually. This is something you could script, but you would need to collect all of the security policy names to actually write that script.
In your case you need to get list of rules like mentioned above and go from there:
Changing Profiles Assigned to Security Rule
Another option would be to dump config in "set format" to see the actual CLI command.
I suggest adding the log forward option to at least 1 policy so you have a reference cli command. Then you can save this as a CSV file. Then sort the relevant data and delete everything else. Then add the missing syntax. Then convert the csv back to text and paste as CLI.
Alternatively you can use Expedition, formerly known as the Migration Tool. This is one of the best things about the tool - batch rule changes (Setting Security Profiles on all rules, Log Forwarding, etc).
Connect the FW (or Panorama) to the Migration Tool, ingest policies, multi-rule edit, then API push the rules back to Firewall > Validate policies > Commit.
Another option is the pan-configuration tool which will also allow you to make bulk changes:
https://github.com/cpainchaud/pan-configurator or the newer version https://github.com/PaloAltoNetworks/pan-os-php
Use the rules-edit.php function to update all your rules with the new log profile.
One more great automation article and I love automating security 🙂