Exporting all the rules and sub rules


L0 Member

I have been tasked with exporting all the rules from our Palo Altos for monthly review purposes.

 

Panorama has shared rules as well as rules in each device group. Our firewalls have rules on them as well.

 

  • Support suggests using the PDF/CSV option on the shared rules. We have 10+ shared and sub device groups, and 20+ PA220s. Obviously this will work and will be a fantastic mess of CSV files, but it will be good data. Tedious and mistake-prone.
  • I have looked into the API approach https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PNutCAG. I have a feeling this may be outdated with version 10 software.
  • I have tried to convert the XML backup files using a PowerShell script I found here, which worked, but then I was informed we need to include the NAT rules as well.

Community Team Member

Hi @AWongCA ,

 

Thanks for sharing! Sorting through CSV files can be tedious. You should be able to use the XML API.

 

 

LIVEcommunity team member
Stay Secure,
Jay

L0 Member

Just to provide an update - support concluded the best way to export this information would be to manually export the security and NAT rules as CSV from every firewall GUI rather than going through Panorama.

Logic being the firewall has the final set of all the rules, including device-specific rules, so that will be the most "clean".

 

Going through API - they were able to confirm the browser shouldn't output anything useful and one needs to go through Excel to potentially import the data. Since our setup has a self-signed certificate that Excel does not allow bypassing, it seems like a dead end there.

 

Also, if you have any scripts or converters, please share. I keep running into the post that says "do a search, you will find 4 or 5", and I can tell you it looks like the converter written in Python for PAN-OS 7 doesn't work with OS 10 configs. There is another Python one that seems to only work with device configs.
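
As an added example (not part of the original posts and not Palo Alto Networks code): a Python converter that flattens both security and NAT rules from an exported XML configuration into a single CSV for review. It assumes the standard PAN-OS config layout (shared and device-group pre-/post-rulebases on Panorama, the vsys rulebase on a firewall); the sample XML, the function names and the column set are constructed for illustration.

```python
import csv
import io
import xml.etree.ElementTree as ET

# Constructed sample in the layout of a Panorama config export (not data from the thread).
SAMPLE = """<config><shared><pre-rulebase><security><rules>
<entry name="allow-dns"><from><member>trust</member></from><to><member>untrust</member></to>
<source><member>any</member></source><destination><member>8.8.8.8</member></destination>
<service><member>application-default</member></service><action>allow</action></entry>
</rules></security></pre-rulebase></shared>
<devices><entry name="localhost.localdomain"><device-group><entry name="branch">
<post-rulebase><nat><rules>
<entry name="outbound-snat"><from><member>trust</member></from><to><member>untrust</member></to>
<source><member>10.0.0.0/8</member></source><destination><member>any</member></destination>
<service>any</service><disabled>yes</disabled></entry>
</rules></nat></post-rulebase></entry></device-group></entry></devices></config>"""

FIELDS = ["scope", "rulebase", "type", "name", "from", "to", "source",
          "destination", "service", "action", "disabled"]

def field(rule, tag):
    """Join <member> children with ';', else use the element's own text."""
    members = [m.text or "" for m in rule.findall(f"{tag}/member")]
    return ";".join(members) if members else (rule.findtext(tag) or "").strip()

def export_rules(xml_text):
    root = ET.fromstring(xml_text)
    scopes = [("shared", s) for s in root.findall("shared")]
    scopes += [(dg.get("name"), dg) for dg in root.findall("devices/entry/device-group/entry")]
    scopes += [(vs.get("name"), vs) for vs in root.findall("devices/entry/vsys/entry")]  # firewall-local
    rows = []
    for scope, node in scopes:
        for rb in ("pre-rulebase", "rulebase", "post-rulebase"):
            for rtype in ("security", "nat"):
                for rule in node.findall(f"{rb}/{rtype}/rules/entry"):
                    row = {"scope": scope, "rulebase": rb, "type": rtype, "name": rule.get("name")}
                    row.update({t: field(rule, t) for t in FIELDS[4:]})
                    rows.append(row)
    return rows

def to_csv(rows):
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()

if __name__ == "__main__":
    print(to_csv(export_rules(SAMPLE)))
```

Each rule is listed under the scope where it is defined; the script does not compute which firewalls end up inheriting it, and NAT translation details are not among the exported columns.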
