Filter rules with no log forwarding profile configured

Showing results for 
Show  only  | Search instead for 
Did you mean: 

Filter rules with no log forwarding profile configured

L4 Transporter

Anybody knows a trick how to filter for rules with no log forwarding profile configured?


(log-setting eq 'Profile-Name') => all rules with Profile-Name


!(log-setting eq 'Profile-Name') => does not work, shows all rules

(log-setting neq 'Profile-Name') => does not work, shows no rules

(log-setting eq none) => does not work, shows no rules




Hello Remo,


thank you very much for the detailed information. It is very helpful.

hi @vsys_remo


Sorry for the late reply

the xpath should fully work, but i dont think you can use 'not' operators (i can't get those to work anyway)

I'm not the penultimate expert either so I may be wrong 😉

Tom Piens
PANgurus - SASE and Strata specialist; (co)managed services, VAR and consultancy

@vsys_remo and @reaper


I tested this on panorama (7.1.10) and the 'not' operator worked as expected.


This is briliant, I was unaware of the ability to use filters in xpaths like this - I pull the entire config branch, and use a foreach loop and "if" statements to find the applicable entries for this and other instances.  Thank you for saving me a lot of future time.

Interesting! Would you mind sharing your full command (minus IP and Key) so I can document this properly?
Tom Piens
PANgurus - SASE and Strata specialist; (co)managed services, VAR and consultancy

In today's example, I needed to add log-forwarding profiles and threat profile groups to rules that had been imported from the migration tool:



I declare a few variables

$panoramaIP =

$apiKey =

$deviceGroup =


I run two "get" calls to obtain the rules that are missing one or both items:


$noLog = invoke-restmethod -URI "https://$panoramaIP/api/?key=$apiKey&type=config&action=get&xpath=/config/devices/entry/device-group/entry[@name='$deviceGroup']/pre-rulebase/security/rules/entry[not(log-setting)]"


$noProfile = invoke-restmethod -URI "https://$panoramaIP/api/?key=$apiKey&type=config&action=get&xpath=/config/devices/entry/device-group/entry[@name='$deviceGroup']/pre-rulebase/security/rules/entry[not(profile-setting/group)]"


I dig a little deeper in my x-path to make future commands shorter


Then for each policy in the lists, i use set calls


for log forwarding:


invoke-restmethod -URI "https://$panoramaIP/api/?key=$apiKey&type=config&action=get&xpath=/config/devices/entry/device-group/entry[@name='$deviceGroup']/pre-rulebase/security/rules/entry[@name='$($']&element=<log-setting>Log-Forwarding-Profile</log-setting>"


for profile group:

invoke-restmethod -URI "https://$panoramaIP/api/?key=$apiKey&type=config&action=get&xpath=/config/devices/entry/device-group/entry[@name='$deviceGroup']/pre-rulebase/security/rules/entry[@name='$($']&element=<profile-setting><group><member>Profile_Group</member></group></profile-setting>"


obviously these are only snippits of a longer script.  I imagine with the approriate tweaks these xpaths and commands would work for a firewall.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!