How to import Address Objects in CSV to PA Firewall



L2 Linker

Dear all,

 

Can someone guide me on how I can import IP addresses in bulk to the PA FW? These days I am getting a huge number of IPs and URLs which need to be blocked on the firewall end. For the URLs we can do the import. But how do we do the same for IPs?

 

I tried the CLI method mentioned in this URL 'https://www.analysisman.com/2020/11/pan-import-csv.html'. But receiving the error "2021/12/16 10:22:49 error code 403: Forbidden - Returned for authentication or authorization errors including invalid key, insufficient admin access rights (keygen)".

Does this have any relation to the password I am using? Yes, it does contain alphanumeric and special characters.

 

Thanks in advance

 

1 accepted solution

Accepted Solutions

Community Team Member

Hi @sabi4evr_com ,

 

You should be able to do that directly in CLI:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClHNCA0

 

Example:

 

 

admin@PA-VM> configure 
Entering configuration mode
admin@PA-VM# <here I copy/pasted my text file which I prepared in advance>
set address blah ip-netmask 10.0.0.1
set address blah2 ip-netmask 10.0.0.2
set address blah3 ip-netmask 10.0.0.3 
set address blah4 ip-netmask 10.0.0.4 
set address blah5 ip-netmask 10.0.0.5 
set address blah6 ip-netmask 10.0.0.6 
set address blah7 ip-netmask 10.0.0.7 
set address blah8 ip-netmask 10.0.0.8 
set address blah9 ip-netmask 10.0.0.9 
admin@PA-VM# commit
Commit job 5 is in progress. Use Ctrl+C to return to command prompt
.....55%75%99%......100%
Configuration committed successfully

admin@PA-VM# show address
set address blah ip-netmask 10.0.0.1
set address blah2 ip-netmask 10.0.0.2
set address blah3 ip-netmask 10.0.0.3
set address blah4 ip-netmask 10.0.0.4
set address blah5 ip-netmask 10.0.0.5
set address blah6 ip-netmask 10.0.0.6
set address blah7 ip-netmask 10.0.0.7
set address blah8 ip-netmask 10.0.0.8
set address blah9 ip-netmask 10.0.0.9
[edit]                                                                          
admin@PA-VM# 

 

 

All the IP address objects were added:

 

kiwi_0-1639664788565.png

 

Hope this helps,

-Kiwi.

 
LIVEcommunity team member, CISSP
Cheers,
Kiwi


L2 Linker

Hi @kiwi 

That looks cool. I will give it a try.

May I know if it's possible to add all these newly imported IPs to an address group?

i.e., I already have a custom address group, where I have a list of IPs that should be blocked.

So, how can we update the existing list by adding new IPs? Is it possible via CLI?

Community Team Member

Hi @sabi4evr_com ,

 

Yes, that's possible. 

Note however that you will have to create the address objects like I showed you in my previous comment.  Once they are created, you can add them to a new (or existing) address group:

 

admin@PA-VM# set address-group MyCustomAddressGroup static blah                                                                                                                    
admin@PA-VM# set address-group MyCustomAddressGroup static blah2                                                                                                                             
admin@PA-VM# set address-group MyCustomAddressGroup static blah3                                                                                                                            
admin@PA-VM# set address-group MyCustomAddressGroup static blah4

admin@PA-VM# show address-group MyCustomAddressGroup 
MyCustomAddressGroup {
  static [ blah blah2 blah3 blah4];
}

 

Hope this helps,

-Kiwi.


L2 Linker

Hi @kiwi 

 

Thanks for guiding me.

 

I am slowly learning the methods. Yes, it does work and I am sure this can help me a lot. The new list I received is to block 250 IPs. 

So, here is what I did. I copied the format to Excel, cloned the 250 rows and changed the IPs as required. I saved it as a .csv and pasted the lines into Notepad.

 

I noticed that the format was a little odd, so I did some formatting in Notepad, like adjusting white spaces. I tried with 1 line and it worked.

 

But when I tried multiple lines, the CLI reported wrong formatting, even though the formatting in Notepad looks fine.

 

The below was the syntax error.

 

admin@PA-3020# set address ADGOVCERT2021107-14
<name> <name>
<Enter> Finish input

admin@PA-3020# set address ADGOVCERT2021107-14ip-netmask 185.220.101.142/32

 

There was a missing 'space' between the 'description' and 'ip net mask'.

 

Is there any easy way to fix the formatting issue?

 

Otherwise I have to copy and paste line by line, 250 lines in total.

Community Team Member

Hi @sabi4evr_com ,

 

For larger blocks of lines I'd recommend switching to scripting mode.  In scripting mode, you can copy and paste commands from a text file directly into the CLI (more than 20 lines).

 

 

admin@PA-VM> set cli scripting-mode on

<paste your notepad lines here>

admin@PA-VM> set cli scripting-mode off

 

 

For more information:

https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-cli-quick-start/get-started-with-the-cli/custom...

 

Hope this helps,

-Kiwi.

 
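One way to avoid the spacing problem described above is to generate the `set` lines from the CSV instead of hand-editing them. This is an added example, not code from any post in this thread; the two-column `name,ip` layout, the conservative object-name rule and the function name `build_commands` are assumptions.

```python
import csv
import io
import ipaddress
import re

# Assumption: a conservative object-name rule (no spaces, at most 63 characters).
NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,62}$")

# Constructed sample; the first row reuses the name and IP quoted in the thread.
SAMPLE = (
    "\ufeffADGOVCERT2021107-14, 185.220.101.142/32\r\n"
    "BLOCK-0002,192.0.2.10\r\n"
    "BLOCK-0003,192.0.2.999\r\n"
    "BLOCK 0004,198.51.100.7\r\n"
)

def build_commands(csv_text, group=None):
    """Return (commands, rejected) for 'name,ip' rows; rejected is (line, reason)."""
    commands, names, rejected = [], [], []
    # Drop a UTF-8 BOM that Excel may prepend; csv copes with CRLF line ends.
    reader = csv.reader(io.StringIO(csv_text.lstrip("\ufeff")))
    for lineno, row in enumerate(reader, start=1):
        fields = [f.strip() for f in row]
        if not any(fields):
            continue  # blank line
        if len(fields) != 2:
            rejected.append((lineno, "expected exactly two columns"))
            continue
        name, addr = fields
        if not NAME_RE.match(name):
            rejected.append((lineno, "bad object name"))
            continue
        if name in names:
            rejected.append((lineno, "duplicate object name"))
            continue
        try:
            iface = ipaddress.ip_interface(addr)  # a bare host becomes /32 or /128
        except ValueError:
            rejected.append((lineno, "not an IP address or network"))
            continue
        names.append(name)
        commands.append(f"set address {name} ip-netmask {iface.with_prefixlen}")
    if group:
        commands += [f"set address-group {group} static {n}" for n in names]
    return commands, rejected

if __name__ == "__main__":
    cmds, bad = build_commands(SAMPLE, group="MyCustomAddressGroup")
    print("\n".join(cmds + [f"# skipped CSV line {n}: {why}" for n, why in bad]))
```

Review the skipped rows before pasting the generated lines into configuration mode, so a malformed entry does not silently drop out of the block list.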

L2 Linker

Hi @kiwi 

Thanks for helping out.

I got the idea now. I tried, but it didn't work out the way it should.

 

But so far I am able to manage it far better than before, thanks to the solutions provided.

 

I have noticed that you are using a PA VM for testing purposes.

I have only production units here, so I am a bit afraid to do experiments on them.

 

How can I download such a VM? Does it need a license?

 

Thanks

 

Hi,

You can try VM-50 lite for POC, demo, experiments.

Best Regards,
Suresh

Hi @Mudhireddy please share the download link or guide me how to download the same.

Hi Sabi,

 

Please check with your local account team to get more details on it.

Best Regards,
Suresh

L0 Member

Great info so far, but how would one do this if you have a Panorama device and I want the addresses added to the Shared instance so it gets pushed out to my different sites?  I tried logging into the Panorama via SSH, but there were no commands for set address, or anything else related I could see.

L0 Member

I don't have any information on Panorama device. But @kiwi might be able to provide some information as always 🙂

You can download GNS3, watch some YouTube tutorials on how to set up PA, and use it as a testing environment.

Simplicity is the friend of Security, whilst complexity is the Enemy. (Bruce Schneier) PCNSE,CCSA, SEC-Plus, CCNA Security