How to Add Log Forwarding Profiles in All Security Policies

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.
Community Team Member
100% helpful (2/2)

This Nominated Discussion Article is based on the post "Log Forwarding Profile in All Security Policies" by @Javith_Ali and answered by @BPry@Remo@Raido_Rattameister@SteveKrall and @kiwi. Read on to see the discussion and solution!

 

Is there any other way to configure Log forwarding profile in all 300+ security policies in single shot.

 

Currently there is no log forwarding profile in all 300+ policies.

 

First of all I'd like to point out that starting with PAN-OS 10.2 you can add Log Forwarding Profiles in bulk using the policy optimizer:

 

kiwi_0-1673511148017.png

 

I'm sure this is a huge improvement for many users wanting to make these kind of bulk changes and aren't up for scripting or using different tools.

 

If you aren't on PAN-OS 10.2, you can look into the alternatives listed below.

 

You can export the XML and modify it manually. This is something you could script, but you would need to collect all of the security policy names to actually write that script. 

 

Other possibilities:

  • Script that first gets all existing rules and you then set the log forwarding profile with a foreach-loop in all existing rules
  • Issue the cli command "set cli config-output-format set", go into config mode, show the security rulebase and include match statement like source zone. This will show you a list with your rules which you can copy to a text editor to replace all source zone parts with "log-setting LOGFORWADRINGPROFILENAME". And finally paste all these commands into the cli and commit

 

In your case you need to get list of rules like mentioned above and go from there:

Changing Profiles Assigned to Security Rule

 

Another option would be to dump config in "set format" to see the actual CLI command.

 

I suggest adding the log forward option to at least 1 policy so you have a reference cli command. Then you can save this as a CSV file. Then sort the relevant data and delete everything else. Then add the missing syntax. Then convert the csv back to text and paste as CLI.

 

Alternatively you can use Expedition, formerly known as the Migration Tool. This is one of the best things about the tool - batch rule changes (Setting Security Profiles on all rules, Log Forwarding, etc).

 

Connect the FW (or Panorama) to the Migration Tool, ingest policies, multi-rule edit, then API push the rules back to Firewall > Validate policies > Commit.

 

Another option is the pan-configuration tool which will also allow you to make bulk changes:

 

https://github.com/cpainchaud/pan-configurator or the newer version https://github.com/PaloAltoNetworks/pan-os-php

 

Use the rules-edit.php function to update all your rules with the new log profile.

 
Rate this article:
Comments
L6 Presenter

One more great automation article and I love automating security 🙂

  • 4216 Views
  • 1 comments
  • 4 Likes
Register or Sign-in
Labels
Article Dashboard
Version history
Last Updated:
‎01-12-2023 07:15 AM
Updated by: