Filter rules with no log forwarding profile configured


Does anybody know a trick for filtering for rules with no log forwarding profile configured?

(log-setting eq 'Profile-Name') => all rules with Profile-Name

!(log-setting eq 'Profile-Name') => does not work, shows all rules

(log-setting neq 'Profile-Name') => does not work, shows no rules

(log-setting eq none) => does not work, shows no rules

Hello Remo,

Thank you very much for the detailed information. It is very helpful.

Hi @vsys_remo,

Sorry for the late reply.

The xpath should fully work, but I don't think you can use 'not' operators (I can't get those to work anyway).

I'm not the penultimate expert either, so I may be wrong 😉

Tom Piens
PANgurus - SASE and Strata specialist; (co)managed services, VAR and consultancy

@vsys_remo and @reaper

I tested this on panorama (7.1.10) and the 'not' operator worked as expected.

This is brilliant, I was unaware of the ability to use filters in xpaths like this. I pull the entire config branch and use a foreach loop and "if" statements to find the applicable entries for this and other instances. Thank you for saving me a lot of future time.

Interesting! Would you mind sharing your full command (minus IP and Key) so I can document this properly?
Tom Piens
PANgurus - SASE and Strata specialist; (co)managed services, VAR and consultancy

In today's example, I needed to add log-forwarding profiles and threat profile groups to rules that had been imported from the migration tool:

Powershell:

I declare a few variables

$panoramaIP =

$apiKey =

$deviceGroup =

I run two "get" calls to obtain the rules that are missing one or both items:

$noLog = invoke-restmethod -URI "https://$panoramaIP/api/?key=$apiKey&type=config&action=get&xpath=/config/devices/entry/device-group/entry[@name='$deviceGroup']/pre-rulebase/security/rules/entry[not(log-setting)]"

$noProfile = invoke-restmethod -URI "https://$panoramaIP/api/?key=$apiKey&type=config&action=get&xpath=/config/devices/entry/device-group/entry[@name='$deviceGroup']/pre-rulebase/security/rules/entry[not(profile-setting/group)]"

I dig a little deeper in my x-path to make future commands shorter

Then for each policy in the lists, I use set calls

for log forwarding:

# action=set with an element= payload is what writes the value; action=get would only read the rule back
invoke-restmethod -URI "https://$panoramaIP/api/?key=$apiKey&type=config&action=set&xpath=/config/devices/entry/device-group/entry[@name='$deviceGroup']/pre-rulebase/security/rules/entry[@name='$($policy.name)']&element=<log-setting>Log-Forwarding-Profile</log-setting>"

for profile group:

# same here: action=set, not action=get
invoke-restmethod -URI "https://$panoramaIP/api/?key=$apiKey&type=config&action=set&xpath=/config/devices/entry/device-group/entry[@name='$deviceGroup']/pre-rulebase/security/rules/entry[@name='$($policy.name)']&element=<profile-setting><group><member>Profile_Group</member></group></profile-setting>"

Obviously these are only snippets of a longer script. I imagine with the appropriate tweaks these xpaths and commands would work for a firewall.
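Below is an added example, not the thread author's script, that puts the two steps above into one runnable PowerShell block: the get with `entry[not(log-setting)]`, the set with `action=set`, and an offline Select-Xml check of the same predicate on a constructed config fragment. The IP, key and device-group values are placeholders, and it assumes the XML API accepts its parameters in a POST body rather than only in the query string.

```powershell
# Added example (not the thread author's script). Placeholder values below are assumptions.
$panoramaIP  = 'PANORAMA-IP-PLACEHOLDER'
$apiKey      = 'API-KEY-PLACEHOLDER'
$deviceGroup = 'DG-PLACEHOLDER'
$logProfile  = 'Log-Forwarding-Profile'
$apiUrl      = "https://$panoramaIP/api/"
$rulesXpath  = "/config/devices/entry/device-group/entry[@name='$deviceGroup']/pre-rulebase/security/rules"

# Parameters go in a POST body (assumed supported) so the API key is not part of the
# query string and therefore does not land in proxy or web-server access logs.
function Invoke-PanApi([hashtable]$Params) {
    $Params['key'] = $apiKey
    $r = Invoke-RestMethod -Method Post -Uri $apiUrl -Body $Params
    if ($r.response.status -ne 'success') { throw "PAN-OS API error: $($r.response.OuterXml)" }
    $r.response
}

# XPath not() on the child element selects every rule with no <log-setting> element at all.
function Get-RulesWithoutLogSetting {
    $res = Invoke-PanApi @{ type = 'config'; action = 'get'; xpath = "$rulesXpath/entry[not(log-setting)]" }
    foreach ($e in @($res.result.entry)) { if ($e) { $e.GetAttribute('name') } }
}

# action=set (not action=get) writes the element; the change still needs a commit afterwards.
function Set-RuleLogSetting([string[]]$RuleNames) {
    foreach ($name in $RuleNames) {
        $null = Invoke-PanApi @{
            type = 'config'; action = 'set'
            xpath   = "$rulesXpath/entry[@name='$name']"
            element = "<log-setting>$logProfile</log-setting>"
        }
        "attached $logProfile to rule '$name'"
    }
}

# Offline check of the same predicate on a constructed config fragment, so the filter
# can be verified without touching Panorama.
[xml]$sample = @"
<rules>
  <entry name="allow-web"><log-setting>LFP-1</log-setting></entry>
  <entry name="allow-dns"><action>allow</action></entry>
  <entry name="deny-all"><log-setting/></entry>
</rules>
"@
$missing = Select-Xml -Xml $sample -XPath '/rules/entry[not(log-setting)]' |
           ForEach-Object { $_.Node.GetAttribute('name') }
$missing   # only allow-dns: an empty <log-setting/> still counts as present

# Live run against Panorama (uncomment once the placeholders are filled in):
# Set-RuleLogSetting (Get-RulesWithoutLogSetting)
```

Note that `not(log-setting)` tests for the element's absence, not for an empty value, which is why the forum filter `log-setting eq none` found nothing.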
