12-15-2021 11:06 PM
Dear all,
Can someone guide me on how I can import IP addresses in bulk to PA FW? These days I am getting a huge number of IPs and URLs which need to be blocked on the Firewall end. For the URLs we can do the import. But how to do the same for IPs?
I tried the CLI method mentioned in this URL 'https://www.analysisman.com/2020/11/pan-import-csv.html'. But receiving the error "2021/12/16 10:22:49 error code 403: Forbidden - Returned for authentication or authorization errors including invalid key, insufficient admin access rights (keygen)".
Does this have any relation to the password I am using? Yes, it does contain alphanumeric and special characters.
Thanks in advance
12-16-2021 06:28 AM - edited 12-16-2021 06:29 AM
Hi @sabi4evr_com ,
You should be able to do that directly in CLI:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClHNCA0
Example:
admin@PA-VM> configure
Entering configuration mode
admin@PA-VM# <here I copy/pasted my text file which I prepared in advance>
set address blah ip-netmask 10.0.0.1
set address blah2 ip-netmask 10.0.0.2
set address blah3 ip-netmask 10.0.0.3
set address blah4 ip-netmask 10.0.0.4
set address blah5 ip-netmask 10.0.0.5
set address blah6 ip-netmask 10.0.0.6
set address blah7 ip-netmask 10.0.0.7
set address blah8 ip-netmask 10.0.0.8
set address blah9 ip-netmask 10.0.0.9
admin@PA-VM# commit
Commit job 5 is in progress. Use Ctrl+C to return to command prompt
.....55%75%99%......100%
Configuration committed successfully
admin@PA-VM# show address
set address blah ip-netmask 10.0.0.1
set address blah2 ip-netmask 10.0.0.2
set address blah3 ip-netmask 10.0.0.3
set address blah4 ip-netmask 10.0.0.4
set address blah5 ip-netmask 10.0.0.5
set address blah6 ip-netmask 10.0.0.6
set address blah7 ip-netmask 10.0.0.7
set address blah8 ip-netmask 10.0.0.8
set address blah9 ip-netmask 10.0.0.9
[edit]
admin@PA-VM#
All the IP address objects were added:
Hope this helps,
-Kiwi.
12-20-2021 04:29 AM
Hi @kiwi
That looks cool. I will give it a try.
May I know if it's possible to add all these newly imported IPs to an address group?
i.e., I already have a custom address group, where I have a list of IPs that should be blocked.
So, how can we update the existing list by adding new IPs? Possible via CLI?
12-20-2021 06:39 AM
Hi @sabi4evr_com ,
Yes, that's possible.
Note however that you will have to create the address objects like I showed you in my previous comment. Once they are created, you can add them to a new (or existing) address group:
admin@PA-VM# set address-group MyCustomAddressGroup static blah
admin@PA-VM# set address-group MyCustomAddressGroup static blah2
admin@PA-VM# set address-group MyCustomAddressGroup static blah3
admin@PA-VM# set address-group MyCustomAddressGroup static blah4
admin@PA-VM# show address-group MyCustomAddressGroup
MyCustomAddressGroup {
static [ blah blah2 blah3 blah4];
}
Hope this helps,
-Kiwi.
12-21-2021 12:49 AM
Hi @kiwi
Thanks for guiding me.
I am slowly learning the methods. Yes, it does work and I am sure this can help me a lot. The new list I received is to block 250 IPs.
So, here is what I did. Copied the format to an excel and cloned the 250 rows and changed the IPs as required. Saved it as a .csv and pasted them in a notepad.
It was noticed that format was a little odd and I did some formatting to the notepad like adjusting white spaces. Tried with 1 line and it worked.
But when I tried multiple lines the CLI reported wrong formatting. But the formatting in notepad looks fine though.
The below was the syntax error.
admin@PA-3020# set address ADGOVCERT2021107-14
<name> <name>
<Enter> Finish input
admin@PA-3020# set address ADGOVCERT2021107-14ip-netmask 185.220.101.142/32
There was a missing 'space' between the 'description' and 'ip net mask'.
Is there any easy way to fix the formatting issue?
Otherwise I have to copy and paste line by line, 250 lines in total.
12-22-2021 12:15 AM - edited 12-22-2021 12:16 AM
Hi @sabi4evr_com ,
For larger blocks of lines I'd recommend switching to scripting mode. In scripting mode, you can copy and paste commands from a text file directly into the CLI (more than 20 lines).
admin@PA-VM> set cli scripting-mode on
<paste your notepad lines here>
admin@PA-VM> set cli scripting-mode off
For more information:
Hope this helps,
-Kiwi.
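An added example, not part of the thread and not Palo Alto tooling: generating the paste file from a raw IP list with a script avoids the spreadsheet spacing problem described above, because every command is built with explicit single spaces. It emits only the two command forms shown in this thread; the function name, the `BLOCK-TEST` prefix and the sample entries are constructed for illustration.

```python
import ipaddress

# Constructed sample input: a duplicate, CSV residue, an invalid octet,
# a CIDR with host bits set, and a blank line.
SAMPLE = ["192.0.2.10", " 192.0.2.10/32 ", '"192.0.2.11",',
          "198.51.100.0/24", "192.0.2.300", "192.0.2.5/24", ""]


def build_commands(raw_lines, name_prefix, group):
    """Return (commands, rejected) for a list of raw IP/CIDR strings.

    Entries are validated and de-duplicated before any command is emitted,
    so a malformed row never reaches the firewall CLI.
    """
    # Whitespace inside a name would split the command into extra tokens.
    if any(ch.isspace() for ch in name_prefix + group):
        raise ValueError("object and group names must not contain whitespace")
    seen, commands, members, rejected = set(), [], [], []
    for raw in raw_lines:
        entry = raw.strip().strip('",;').strip()  # drop CSV/Excel residue
        if not entry:
            continue
        try:
            # strict parsing rejects host bits (e.g. 192.0.2.5/24) instead of
            # silently widening the block to the whole network.
            net = ipaddress.ip_network(entry)
        except ValueError:
            rejected.append(raw)
            continue
        if net in seen:
            continue
        seen.add(net)
        name = f"{name_prefix}-{len(seen)}"
        commands.append(f"set address {name} ip-netmask {net}")
        members.append(name)
    # Group membership lines come last, after every object exists.
    commands += [f"set address-group {group} static {m}" for m in members]
    return commands, rejected


if __name__ == "__main__":
    cmds, bad = build_commands(SAMPLE, "BLOCK-TEST", "MyCustomAddressGroup")
    print("\n".join(cmds))
    for entry in bad:
        print(f"# rejected, review by hand: {entry!r}")
```

Review the rejected entries by hand before pasting the generated lines in configuration mode.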
12-25-2021 10:13 PM
Hi @kiwi
Thanks for helping out.
I got the idea now. Tried, but it didn't work out the way it should.
But so far I am able to manage it far better than before, thanks to the solutions provided.
I have noticed that you are using PA VM for testing purpose.
I have only production units here, so I am a bit afraid to do experiments on them.
How can I download such a VM? Does it need a license?
Thanks
12-26-2021 08:01 AM
Hi,
You can try VM-50 lite for POC, demo, experiments.
01-04-2022 11:20 PM
Hi @Mudhireddy please share the download link or guide me how to download the same.
01-06-2022 08:27 AM
Hi Sabi,
Please check with your local account team to get more details on it.
05-31-2022 02:59 PM - edited 05-31-2022 02:59 PM
Great info so far, but how would one do this if you have a Panorama device and I want the addresses added to the Shared instance so it gets pushed out to my different sites? I tried logging into the Panorama via SSH, but there were no commands for set address, or anything else related I could see.
05-31-2022 10:07 PM
I don't have any information on Panorama device. But @kiwi might be able to provide some information as always 🙂
06-01-2022 05:43 AM
You can download GNS3, watch some YouTube tutorials on how to set up PA, and use it as a testing environment.