Delete objects from many policies

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Delete objects from many policies

L2 Linker

Hi, 

 

Currently, an object which has been configured for 130+ policies. What's the best way to remove it. 

 

Easy for object groups but how can to deal with this kind of situation with an easy solution?

 

Thank you.

1 accepted solution

Accepted Solutions

I am still confused to be honest.

 

I get that the object is part of a group.. if you delete it from the group.. then it is no longer part of the group.

You would then simply to the (presuming) address object, within the Object tab, and delete the object.

Wouldn't that delete the object in all policies?

 

If you believe that the object was not created as an address object (or similar) but manually defined in your policies (again... you can add any object, predefined, prior to using the object, or enter an IP on the fly, within the config)

 

 

There are only 2 suggestions that can be recommended here.

 

Export the Panorama config.  Do a search/delete of those elements/objects you do not want.  Import back into Panorama.

From CLI, go into config mode. 

Enter "run set cli config-output-format set"

This will let you see the config in "set" notation.

From here, do a "show | match (object name)" command, which will show you all lines in the config, where (object name) is being used.

 

If you export those lines, you could then copy/paste into a document, change the "set (object name)", into a "delete (object name)", and then copy/paste those lines back into the Panorama.

 

Personally, the first way, where you are just removing the elements from the xml may be a safer bet, if you are comfortable with the CLI.

As long as the object is not part of the FW local config, you should be OK with modifying the xml.

 

 

Good luck! 

 

Help the community: Like helpful comments and mark solutions

View solution in original post

6 REPLIES 6

Cyber Elite
Cyber Elite

Hello there

 

Are you using Panorama or a single FW with 130+ policies?

 

Not to state the obvious, but if you delete the object, it would delete from all the policies.

Is this not working?

 

I think we need additional details of what you are attempting to accomplish.

Please include screen capture of object(s) in question, and an example policy of what needs to be deleted.

 

Help the community: Like helpful comments and mark solutions

L3 Networker

Hello,

 

You could always export the config and delete the references from the xml.

 

- DM

Sr. Technical Support Engineer, Strata

Hi SteveCantwell,

 

Thanks for the reply. 

 

Sorry, my writing is a bit confusing and I should mention in my post i.e. - the device is managed by Panorama. 

 

Yes, you are right if I delete an object from the group, It will delete from the 130+ policies and that is what I want because an object is not required any more due to server decom. 

 

Currently, the object which I want to delete is configured in both - group and policies. To delete an object from the group is easy but to delete an object from 130+ policies is a bit time-consuming. Because I need to manually go to all 130+ policies and delete the object.

 

I am looking for the ways - To NOT go to manually 130+ policies -> find the object that I want to delete and complete the job. 

 

 As @Dmifsud mentioned, export xml config is one way but since it is managed by panorama I am not sure how it would work.

 

Thank you once again for the response. 

Does anyone have any ideas/solutions about my previous post?

 

Thank you.

I am still confused to be honest.

 

I get that the object is part of a group.. if you delete it from the group.. then it is no longer part of the group.

You would then simply to the (presuming) address object, within the Object tab, and delete the object.

Wouldn't that delete the object in all policies?

 

If you believe that the object was not created as an address object (or similar) but manually defined in your policies (again... you can add any object, predefined, prior to using the object, or enter an IP on the fly, within the config)

 

 

There are only 2 suggestions that can be recommended here.

 

Export the Panorama config.  Do a search/delete of those elements/objects you do not want.  Import back into Panorama.

From CLI, go into config mode. 

Enter "run set cli config-output-format set"

This will let you see the config in "set" notation.

From here, do a "show | match (object name)" command, which will show you all lines in the config, where (object name) is being used.

 

If you export those lines, you could then copy/paste into a document, change the "set (object name)", into a "delete (object name)", and then copy/paste those lines back into the Panorama.

 

Personally, the first way, where you are just removing the elements from the xml may be a safer bet, if you are comfortable with the CLI.

As long as the object is not part of the FW local config, you should be OK with modifying the xml.

 

 

Good luck! 

 

Help the community: Like helpful comments and mark solutions

Thanks, SteveCantwell.

 

I have managed to complete the task through cli using PAN01> set cli config-output-format set.

 

I did very similarly what you mentioned (show | match "object that I want to delete" -> copy output into the text (I used visual studio code to adjust the object that I want -> removed set and added delete in the text -> copied it -> paste into the panorama -> went to the GUI -> previewed the changes -> committed 🙂 

 

I used one more cmd - "run set cli scripting-mode on" to avoid any copy and paste errors

 

I will try with xml when I get a chance. 

 

Thank you for your time and support. 

 

 

  • 1 accepted solution
  • 8070 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!