Filter Policies by Target "Device-Tag" not possible with 9.1.x (Feature Request)


L1 Bithead

Hi,
since we are changing policy targets from "device name" to "device tag" (device-Tag defined in Panorama > Summary), we still have the need to filter for special devices (device-tags) within the policy sets.

But from what I have seen with 9.1.6, filtering the policy list by device tag is not possible.

E.g.

  • (target/devices/entry/@name eq '<device-tag>') - not possible
  • (tag/member eq '<device-tag>') - not possible

Also filtering for device serial number is not possible anymore within the policy set.

Is there any possibility to filter for device tags within device-group > policies?
It is strongly needed for daily business.

Best regards,
Henry

4 REPLIES 4

Community Team Member

Hi @henry.engel ,

 

Thank you for sharing! As far as feature requests go, please check the following blog from not that long ago. It explains the process of how to go about requesting new features:

 

https://live.paloaltonetworks.com/t5/blogs/how-to-use-palo-alto-networks-new-feature-request/ba-p/40...

 

Cheers,

-Kiwi.

 
LIVEcommunity team member, CISSP

L1 Bithead

Thank you Kiwi,

I know a feature request can be useful, but first I wanted to use the community to find an existing solution, if one exists.
But it seems not.

Sometimes I wonder how features are designed and/or implemented within the WebGUI. 😃

BR,
Henry

L7 Applicator

Hi @henry.engel 

Filtering for a device (at least with the serial number) is possible with: 

  • target/devices/entry/@name eq '<serial>'

Actually, this policy filter is a filter on the XML configuration where the policy is stored. Because of that there are some limitations, and that's why so far it is only possible to filter by a device serial number.

But to address your requirement I see the following possibilities:

  • Add actual tags to the policies which you only apply to specific devices. You can also automate this task with a script that checks the policies and adds tags with the same name as your device tags. After that you can filter the policies by these tags.
  • Use a script that does this filtering by device tags (in the script you enter the tag you need, and the script then checks which serial this is and searches for policies on this serial) and then shows the policies, for example in an HTML file.
  • The simplified version of a script where you enter the device tag, then the script checks which serial this is/which serials these are, creates the policy filter and adds this string to the clipboard. Then you can simply paste it in the webUI.

... the key for (almost) everything that is not yet possible in the webUI is the API  ; )
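A sketch of the third option above, as an added example that is not code from the thread or from Palo Alto Networks: it maps a device tag to serials and builds the serial-based filter string to paste into the policy filter box. The sample XML, its element layout, the tag names and serials, and joining clauses with `or` are assumptions; check them against your own exported Panorama configuration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample, not real Panorama output. The element layout
# (devices/entry/vsys/entry/tags/member) is an assumption; adjust TAG_PATH
# to match the managed-device section of your own exported configuration.
SAMPLE_CONFIG = """
<mgt-config>
  <devices>
    <entry name="001234567890">
      <vsys><entry name="vsys1"><tags><member>branch-emea</member></tags></entry></vsys>
    </entry>
    <entry name="001234567891">
      <vsys><entry name="vsys1"><tags><member>branch-emea</member><member>lab</member></tags></entry></vsys>
    </entry>
    <entry name="001234567892">
      <vsys><entry name="vsys1"><tags><member>dc-core</member></tags></entry></vsys>
    </entry>
  </devices>
</mgt-config>
"""
TAG_PATH = "vsys/entry/tags/member"      # assumed location of device tags
SERIAL_RE = re.compile(r"[A-Za-z0-9]+")  # assumed serial format


def serials_for_tag(config_xml, device_tag):
    """Return the sorted serials of managed devices carrying device_tag."""
    root = ET.fromstring(config_xml)
    serials = set()
    for dev in root.iterfind("devices/entry"):
        tags = {m.text.strip() for m in dev.iterfind(TAG_PATH) if m.text}
        if device_tag in tags:
            serials.add(dev.get("name", ""))
    return sorted(serials)


def policy_filter_for_tag(config_xml, device_tag):
    """Build the serial-based policy filter string for one device tag."""
    serials = serials_for_tag(config_xml, device_tag)
    if not serials:
        raise LookupError(f"no managed device carries tag {device_tag!r}")
    for serial in serials:
        # Refuse anything that could break out of the quoted filter value.
        if not SERIAL_RE.fullmatch(serial):
            raise ValueError(f"unexpected serial format: {serial!r}")
    return " or ".join(f"(target/devices/entry/@name eq '{s}')" for s in serials)


if __name__ == "__main__":
    print(policy_filter_for_tag(SAMPLE_CONFIG, "branch-emea"))
```

An unknown tag raises `LookupError` instead of producing an empty filter, which in the webUI would silently show every rule.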

L1 Bithead

Hi @Remo 
Thank you for your hints regarding the filtering.


We know that scripting might be a solution, and your possibilities to solve it via script are also valid.

But an analysis via script is not beneficial in all cases.


For now I will accept that there are DeviceTags which do not allow full operational benefits in daily business when using them via WebGUI.
E.g. the power of the GlobalSearch in Panorama as well as PolicySet filtering is almost gone when using DeviceTags with the need of filtering for specific targets, because filtering is not possible anymore. In a very lively policy set it makes it much harder to analyse/find/adapt policies if this kind of filter is not present anymore.

 

Best regards,
Henry
