Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

PAN-OS 8.x Clone Policy default order

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

PAN-OS 8.x Clone Policy default order

L4 Transporter

Hi Community,

 

I noticed, that upgrading to 8.x changed the default behavior for cloning policies.

On PAN-OS 7.1 after cloning the policy, the default behavior was to move the new policy after the cloned one.

 

On PAN-OS 8.x the policy is moved to top by default and you have to choose rule to copy after manually.

That is quite annoying, when editing big policy-bases.

 

Can anyone confirm this behavior?

Is there a workaround?

 

Best Regards

Chacko

Best Regards
Chacko
1 accepted solution

Accepted Solutions

Hi @kiwi,

 

I'm sorry, you're right.

PAN-OS 8.0 is working as expected, it's PAN-OS 8.1.0 and 8.1.1 where the problem occurs.

 

I guess I will open a ticket.

 

Best Regards

Chacko

Best Regards
Chacko

View solution in original post

6 REPLIES 6

Community Team Member

Hi @Chacko42,

 

While the default setting might have changed, even in PAN-OS 8.0 and 8.1 you still have the option to choose where you place the rule(s) that you are cloning :

 

PAN-OS 8.0.x seems have 'Move Top' as default but you can easily change it with the drop down box :

 

Rule cloning optionsRule cloning optionsPAN-OS 8.1.x :

 

2018-05-22_14-33-36.jpg

 

Cheers !

-Kiwi.

 

LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

Hi @kiwi,

 

of course you can do that, but the update "downgraded" the efficiency for editing policies.

Imaging, you have a policy-base with 1000 policies and you want to clone rule #334 and move it to position #335.

 

Then you need to select the dropdown item and scroll down 300 items - that's quite annyoing, by knowing, that this wasn't an issue with PAN-OS 7.x

Best Regards
Chacko

Community Team Member

Hi @Chacko42,

 

I only see the "downgraded" behaviour in PAN-OS 8.1 ... not on 8.0.

For me, in PAN-OS 8.0.x it's still working as before with the rule being cloned just after the one you're cloning (tested on a PA-200 running PAN-OS8.0.7).

 

If that's the case then you might want to check with TAC if this is expected behaviour in PAN-OS 8.1.x

 

Cheers !

-Kiwi.

LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

Hi @kiwi,

 

I'm sorry, you're right.

PAN-OS 8.0 is working as expected, it's PAN-OS 8.1.0 and 8.1.1 where the problem occurs.

 

I guess I will open a ticket.

 

Best Regards

Chacko

Best Regards
Chacko

L1 Bithead

Hi,

 

So the case was opened with us (TAC) and I checked in my VM running 8.1.0.

Apparently no one seems to have noticed that you can type in the dropdown menu, so there is no need to scroll down 300 or 500 policies as was mentioned previously. Just type the name of the policy where the cloned policy should be placed after or before and the dropdown list will be filtered accordingly and only display the policies matching the input.

Hi @bhageloh,

 

okay, thanks for the input - that is a good workaround until the issue is patched..

But I think, in comparison to 8.0, you need to click more (greater administrative effort) to reach the same thing.

Besides, I guess cloning a policy directly after the selected rule is the default for 90% of the use-cases and moving a policy to top is more an exception from that.

So why make it complicated and change the behavior from 8.0 to 8.1? Looks like a bug to me.

 

Best Regards

Chacko

Best Regards
Chacko
  • 1 accepted solution
  • 3810 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!