cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Log forwarding profile in all security policies

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Reply
Javith_Ali
L2 Linker
‎03-14-2018 09:20 AM
‎03-14-2018 09:20 AM

Log forwarding profile in all security policies

Is there any other way to configure Log forwarding profile in all 300+ security policies in single shot.

 

currently there is no log forwarding profile in all 300+ policies.

 

 

So below method is not applicable:

 

Not through web interface but you can export config out.

It is one single xml file.

 

Device > Setup > Operations > Export configuration version

Pick latest one from dropdown and click ok.

 

Then open this xml in your favourite text editor.

 

Find area between:

<rule base>

<security>

<rules>

and

</rules>

</security>

 

 

 Everywhere you see "</entry>" and log-setting config does not precede:

Then replace this with:

<log-setting>Log-Forwarding-Policy</log-setting>

</entry>

 

0 Likes
Reply

Accepted Solutions
vsys_remo
Cyber Elite
Cyber Elite
‎03-14-2018 03:09 PM
‎03-14-2018 03:09 PM

Other possibilities:

  • Script that first gets all existing rules and you then set the log forwarding profile with a foreach-loop in all existing rules
  • Issue the cli command "set cli config-output-format set", go into config mode, show the security rulebase and include match statement like source zone. This will show you a list with your rules which you can copy to a text editor to replace all source zone parts with "log-setting LOGFORWADRINGPROFILENAME". And finally paste all these commands into the cli and commit

@Javith_Ali it's now up to you which way to go...

View solution in original post

Reply

All Replies
BPry
Cyber Elite
Cyber Elite
‎03-14-2018 01:14 PM
‎03-14-2018 01:14 PM

@Javith_Ali,

Is there a specific reason why you can't export the XML and modify it manually? That would be a fairly logical conclussion for what you are looking to do, and would honestly take the least amount of time. This is something you could script, but you would need to collect all of the security policy names to actually write that script. 

0 Likes
Reply
vsys_remo
Cyber Elite
Cyber Elite
‎03-14-2018 03:09 PM
‎03-14-2018 03:09 PM

Other possibilities:

  • Script that first gets all existing rules and you then set the log forwarding profile with a foreach-loop in all existing rules
  • Issue the cli command "set cli config-output-format set", go into config mode, show the security rulebase and include match statement like source zone. This will show you a list with your rules which you can copy to a text editor to replace all source zone parts with "log-setting LOGFORWADRINGPROFILENAME". And finally paste all these commands into the cli and commit

@Javith_Ali it's now up to you which way to go...

View solution in original post

Reply
Raido
L7 Applicator
‎03-22-2018 11:29 AM
‎03-22-2018 11:29 AM

This link might give you some hints.

In your case you need to get list of rules like @vsys_remo menioned and go from there.

https://live.paloaltonetworks.com/t5/General-Topics/Changing-Profiles-assigned-to-security-Rule/m-p/...

Enterprise Architect @ Cloud Carib www.cloudcarib.com
ACE, PCNSE, PCNSI
0 Likes
Reply
SteveKrall
L1 Bithead
‎05-28-2018 11:55 AM
‎05-28-2018 11:55 AM

Another option would be to dump config in "set format" to see the actual cli command. I suggest adding the log forward option to at least 1 policy so you have a reference cli command. Then you can sve this as a csv file. Then sort the relevant data and delete everything else. Then add the missing syntax. Then convert the csv back to text and paste as cli. But PAN script mode gets flaky if you paste more than 50 lines at a time. I wish they would fix that. This is why they like to merge portions of the xml file because script mode is unreliable for large pastes.

 

 

0 Likes
Reply
cramman
L2 Linker
‎05-30-2018 09:07 AM
‎05-30-2018 09:07 AM

Haven't seen this answer yet so needed to reply..

 

Migration Tool!!!    (or Expedition as it's called now) 

 

This is one of the best things about the tool - batch rule changes.

 

Setting Security Profiles on all rules, Log Forwarding, etc

 

Connect the FW (or Panorama) to the Migration Tool, ingest policies, multi-rule edit, then API push the rules back to Firewall.

Validate policies.

 

Commit!

 

c

Reply
p768
L0 Member
‎06-19-2018 03:13 AM
‎06-19-2018 03:13 AM

the pan-c tool will also allow you to do this.

 

https://github.com/cpainchaud/pan-configurator

 

Use the rules-edit function to update all your rules with the new log profile.

 

0 Likes
Reply
CHammock
L2 Linker
‎03-08-2019 03:16 AM
‎03-08-2019 03:16 AM

FYI, if you name the profile "default" all new security rules will apply the profile automatically.  Same goes for security profile groups

Reply
ian_johnston
L0 Member
‎03-13-2019 11:52 AM
‎03-13-2019 11:52 AM

For big pastes to CLI, use a terminal emmulator, like Secure CRT, that allows you to add a 'pause' between lines. I've used a pause of 50ms to paste several hundred lines at a time.

0 Likes
Reply
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

Latest Blogs
Latest Posts
Privacy Policy Terms of Use
Copyright 2007 - 2021 - Palo Alto Networks