This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Exporting all the rules and sub rules

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Exporting all the rules and sub rules

AWongCA
L0 Member

‎12-27-2022 03:38 PM

I have been tasked with exporting all the rules from our Palo Altos for monthly review purposes.

 

Panorama has shared rules as well as rules in each device group. Our firewalls have rules on them as well.

 

  • Support suggests using the PDF/CSV option on the shared rules. We have 10+ shared and sub device groups, and 20+ PA220s.  Obviously this will work and will be a fantastic mess of CSV files but it will be good data. Tedious and mistake prone. 
  • I have looked into the API approach https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PNutCAG . I have a feeling this may be outdated with version 10 software. 
  • I have tried to convert the XML backup files using a powershell script I found here which worked but then I was informed we need to include the NAT rules as well
0 Likes Likes
2 REPLIES 2

JayGolf
Community Team Member

‎12-27-2022 07:37 PM

Hi @AWongCA ,

 

thanks for sharing! sorting through csv files can be tedious. You should be able to use XML API.

 

 

LIVEcommunity team member
Stay Secure,
Jay
Don't forget to Like items if a post is helpful to you!

Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

AWongCA
L0 Member

‎01-03-2023 10:09 AM - edited ‎01-03-2023 12:33 PM

Just to provide an update - support concluded the best way to export this information would be to manually export the security and NAT rules as CSV from every firewall GUI rather than going through Panorama. 

Logic being the firewall has the final set of all the rules including device specific rules so that will be the most "clean"

 

Going through API - they were able to confirm the browser shouldn't output anything useful and one needs to go through Excel to potentially import the data.  Since our setup has a self-signed certificate that Excel does not allow bypassing it seems like a dead end there. 

 

Also if you have any scripts or converters please share.  I keep running into the post that says do a search you will find 4 or 5 and I can tell you it looks like the converter written in Python for PAN-OS 7 doesn't work with OS 10 configs.  There is another Python one that seems to only work with device configs.   

  • 4552 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks