Nominated Discussion: Script That Returns the Differences in Policies Across Firewalls

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.
Community Team Member
No ratings

This Nominated Discussion Article is based on the post "What do you people's think of this script?" by @hfakoor2 


I wrote a Python script that returns the differences in policies across firwealls. Here's the github description:


Firewall policies contain object groups, hundreds of ip addresses and ACL's, services, address objects etc. This script compares a set of firewall policies with the same name, across many firewalls, and return differences in services, source/destination, address objects, ACL's etc, to a Python dictionary. We use a XML path api call to obtain the configuration files, so no need for token authentication. The script also returns object groups that exist in one firewall and not the other. So if your firewalls have similar named policies with dozens of rules, this script can save time in validating the policies by hand.


There's  video of the code running against 10.0.4 vm_eval editions.


the code is under folder compare_Object_ACL's


Please let me know what you think, and where I can improve on.


Also like or follow my github page for more scripts



That is a very nice script!


If someone were going to use your script in production, then I would store the username and password (or API keys) in local environment variables and not the script.  That is not required, but definitely a best practice especially if they use Git or another development platform where the code is shared.  Your scripts have the default usernames and passwords.  So, no sensitive information is exposed in your example.


Great job!


Rate this article:
L2 Linker



If anyone is intersted in liking or following my GitHun page,


that would help me a lot especially since I'm switching job fields, it would help me as I'm marketing my scripts to employers 🙂


Also if anyone has any suggestions of scripts they would like to see me write that would help people, I could write it and share it here.


my github:


another automation script I wrote:



I have something else I'm working on which will be uploaded this week. Batch updates networking devices with configurations. Compares connectivity before and after the updates. For example before the updates pings, traceroutes, https, ssh (I'm still thinking of other features to add) is run as a diagnostic on the network. After the config changes these diagnostics are compared afterwards on a device level, and on a network level. The user can press a button to rollback changes they like on certain devices. It's a CLI based app, I may add an overlay feature by using curses library.




Thanks for the support!



Register or Sign-in
Article Dashboard
Version history
Last Updated:
‎10-19-2023 09:21 AM
Updated by: