04-17-2017 05:18 PM
I am starting to do more work via the CLI such as security rules. How can I check if a service object already exists using the CLI? And if it does not exist, how do I add the service object so I can use it in my security rule?
If I try to add a service object and the name already exists, will the PAN warn me and not allow that to be input?
What if the protocol and port are already represented by another service object name?
Thank you.
04-17-2017 06:51 PM
so I'll indirectly answer this question and hopefully this will rock your world.
# show
will display the candidate configuration, but by default, it's in XML format. so _outside_ of configure mode (for some reason), run the following command:
set cli config-output-format set
that will set the show output to set commands. now when you run show in configure mode, you will see each entry in a clear, easy to use CLI syntax. You can actually use the service parameter to see just the services.
admin@PA-220# show service
set service service-https-mgmt protocol tcp port 4443
set service service-ssh protocol tcp port 22
set service service-plex protocol tcp port 32400
not only does this show you all the custom services (note the predefined service-http and service-https are not displayed), but it gives you the exact syntax to add additional ones via the CLI. If you have a lot of services, you can also supplement the command with | match <filter> at the end so it shows only matching service objects.
admin@PA-220# show service | match "tcp port 22"
set service service-ssh protocol tcp port 22
so to answer your questions, if you create a service object with the same name as an existing one, it will let you and just overwrite the existing object's values. if you create a new service object with a different name but the same protocol/port, it will also let you.
my sage advice is to keep it simple and develop an administrative policy so that service objects are simply named for their protocol/port, such as tcp_22. using app names like I have before helps read better, but unless I also plan to have a service-sftp object, I'm just going to create a lot of unnecessary 'duplicate' objects.
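As an added example (not code from the reply above or from Palo Alto Networks), a small Python helper that parses the set-format `show service` output and answers the three questions in the original post before you paste a command: whether a name already exists (the CLI will silently overwrite it), whether the protocol/port is already covered by another object, and the exact `set` line to add a new one. The sample output is constructed from the lines quoted in the reply; the parser assumes one `set service <name> protocol <tcp|udp> port <port>` line per object.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample: what `show service` prints once the output format is
# "set", modelled on the lines quoted in the reply above.
SHOW_SERVICE_OUTPUT = """\
set service service-https-mgmt protocol tcp port 4443
set service service-ssh protocol tcp port 22
set service service-plex protocol tcp port 32400
"""

# One "set service <name> protocol <tcp|udp> port <port>" line per custom object.
SET_SERVICE_RE = re.compile(
    r"^set service (?P<name>\S+) protocol (?P<proto>tcp|udp) port (?P<port>\S+)$"
)

def parse_services(output: str) -> Dict[str, Tuple[str, str]]:
    """Map service-object name -> (protocol, port) from set-format show output."""
    services: Dict[str, Tuple[str, str]] = {}
    for line in output.splitlines():
        m = SET_SERVICE_RE.match(line.strip())
        if m:
            services[m["name"]] = (m["proto"], m["port"])
    return services

def name_exists(services: Dict[str, Tuple[str, str]], name: str) -> bool:
    return name in services

def find_by_port(services: Dict[str, Tuple[str, str]], proto: str, port: str) -> Optional[str]:
    """Return the name of an existing object that already covers proto/port, if any."""
    for name, (p, pt) in services.items():
        if p == proto and pt == port:
            return name
    return None

def set_command(name: str, proto: str, port: str) -> str:
    """The exact CLI line to add the object, in the syntax `show` prints."""
    return f"set service {name} protocol {proto} port {port}"

def plan_add(services: Dict[str, Tuple[str, str]], name: str, proto: str, port: str) -> str:
    """Decide what adding `name` would do, since the CLI itself will not warn."""
    if name_exists(services, name):
        return f"'{name}' exists; the command would overwrite it"
    dup = find_by_port(services, proto, port)
    if dup:
        return f"{proto}/{port} is already covered by '{dup}'; reuse it"
    return set_command(name, proto, port)
```

Feed it the real `show service` output captured over SSH instead of the constructed sample; the regex only accepts the plain one-line form, so objects with a description or a source-port line need their extra lines ignored, which it already does.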
09-30-2020 02:39 PM
Simple way to check service-groups or services
type configure
show service-group (name of the group)