05-12-2017 10:03 AM
In our environment we use tags on individual IP addresses for a few different things and then have policies in place to take those actions based on those tags.
Sometimes we have requests come in with a lot of indivudla IP addresses that we have to add and tag in multiple VSYS's. This is tedious and time consuming because the only way I know how to do it is manually, one at a time, adding each address and tagging it.
Is it possible to add multiple IP addresses and tag them at one time? I wouldn't mind doing it in individual VSYS's if needed.
Thanks.
05-12-2017 10:19 AM - edited 05-12-2017 10:19 AM
You can use the CLI to add addresses and set a tag on them. You still have to create the script but can paste them all at once.
set vsys vsys2 address rf tag test fqdn rf.myco.local
set vsys vsys3 address rf1 tag test1 fqdn rf1.myco.local
05-12-2017 10:38 AM
I'm looking for exactly something like that, but that command doesn't work for me...
In order to hop into the right vsys I have to use this command:
set system setting target-vsys vsys2
From there I don't see anything similar to what you have.
What version of of PanOS are you running?
05-12-2017 11:02 AM
I'm on 7.1.6 but it looks like you aren't in config mode.
I prefer the set based CLI so the first command I run is:
set cli config-output-format set
Then type 'configure' to get to config mode, which is shown by the # symbol after the hostname.
user@firewall#
Then you can paste the config.
05-12-2017 11:36 AM
I only have the following commands available in configure mode:
check
edit
exit
find
quit
run
show
top
up
05-12-2017 12:11 PM
It looks like your account permissions in the CLI have been restricted. Admin roles can have different permissions for GUI and CLI.
Does your login account have a specific profile attached to it?
05-12-2017 12:32 PM
This was tried on a fully privileged account. I wonder if maybe that is just not available in PanOS 7.0.x
05-12-2017 12:44 PM
The listed options that you have would not be consistent with a fully privileged account on any version of the os. The 'set' command has been around since the beginning and without it you aren't going to be able to do any of this in the CLI as it appears your CLI is restricted. You may be allowed to change everything you want in the GUI, but it appears CLI is most definitely limited.
05-12-2017 12:48 PM
Thanks for that, there may be something else at play.
As a separate question, would a PA-200 have this functionality?
Thanks.
05-12-2017 12:59 PM - edited 05-12-2017 01:02 PM
I just created a user with the devicereader CLI permissions and I see the exact options you do in config mode.
Yes, the set commands work on any hardware version.
05-12-2017 01:02 PM
When I test in my PA-200 as the admin account I don't see these commands either. Also running 7.0.x ... Interestingly weird.
05-12-2017 01:07 PM
Is the admin account Dynamic or Role Based?
05-12-2017 01:24 PM
I'm not sure what that means.. It is the default admin account and even still has the default admin/admin password.
05-12-2017 02:04 PM
On the admin account, there is a section for 'Administrator Type'. The choices are Dynamic or Role Based.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
