Security Profile - Mass change - Is there an easy way?


L3 Networker

I received a request to change the current security profile on 3,502 policies (spanning three VSYS) from a shared profile to a local profile. Is there a better way to do this than doing them individually through the GUI?

 

I don't even want to think about how long this would take if I have to do it through the GUI, not to mention the arthritis I'll have developed in my hand by the end of that.

 

Thanks.

1 accepted solution

Accepted Solutions

L3 Networker

I worked with TAC and found the best way (for me) to do this. I have written out the process below in case someone else may find it useful. Please keep in mind I utilize Panorama, so this is written for that. I can't speak to any differences there may be in syntax between Panorama and doing it directly on a firewall.

 

Thanks.

 

1. Log into the Panorama GUI and create a local security profile for the VSYS you are working on.

 

2. Log into the Panorama CLI.

 

3. Enter command: set cli config-output-format set

 

4. Enter command: configure

 

5. Now we need to identify each rule that is utilizing the old security profile (in this case we'll call it OldSecurityProfile) so we run this next command. Please keep in mind that in this example the device-group (or VSYS) we will be working on is called Firewall-123, so wherever you see that referenced will need to be changed to match your needs:
show device-group Firewall-123 post-rulebase security rules | match OldSecurityProfile

 

6. After running the previous command we found that the policy "Security Policy Name" is set to use the OldSecurityProfile security profile and we want to change that to the new "New_Security_Profile" security profile.
set device-group Firewall-123 post-rulebase security rules "Security Policy Name" profile-setting group OldSecurityProfile

 

7. Now we delete the previous security profile in that rule and set the new security profile with the delete and set commands:
delete device-group Firewall-123 post-rulebase security rules "Security Policy Name" profile-setting group OldSecurityProfile
set device-group Firewall-123 post-rulebase security rules "Security Policy Name" profile-setting group New_Security_Profile

 

8. Now commit and push to the firewall.
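As an added example that is not part of this thread (my own script, not TAC's or Palo Alto's), a small POSIX shell/awk helper that takes the set-format output of the step 5 show command and emits the step 7 delete/set pair for every rule that still references the old group, plus the reverse pairs for rollback. It goes beyond the single-rule walkthrough above: it handles any number of rules, quoted rule names with spaces, and pre- or post-rulebase lines; the sample input is constructed and every rule name other than "Security Policy Name" is invented.

```shell
#!/bin/sh
# Generate the step-7 delete/set pairs for every rule that still uses the old
# security profile group, from the set-format output of the step-5 show command.
# Assumes "set cli config-output-format set" was issued first, as in the thread.

# Constructed sample of that show output (rule names other than
# "Security Policy Name" are invented). The third rule uses a different group
# and the fourth line is not a profile-setting line; both must be left alone.
SAMPLE='set device-group Firewall-123 post-rulebase security rules "Security Policy Name" profile-setting group OldSecurityProfile
set device-group Firewall-123 post-rulebase security rules Allow-DNS profile-setting group OldSecurityProfile
set device-group Firewall-123 post-rulebase security rules Block-Known-Bad profile-setting group OtherProfile
set device-group Firewall-123 post-rulebase security rules Allow-Web action allow'

# gen_profile_swap OLD NEW: reads set-format lines on stdin and prints
#   delete <rule path> profile-setting group OLD
#   set    <rule path> profile-setting group NEW
# for each rule whose group is exactly OLD. Works for pre- and post-rulebase
# lines and for quoted rule names containing spaces.
gen_profile_swap() {
  awk -v old="$1" -v new="$2" '
    $1 == "set" && NF >= 4 && $(NF-2) == "profile-setting" &&
    $(NF-1) == "group" && $NF == old {
      rule = $0
      sub(/^set /, "", rule)                           # drop leading "set "
      sub(/ profile-setting group [^ ]*$/, "", rule)   # drop the group clause
      print "delete " rule " profile-setting group " old
      print "set " rule " profile-setting group " new
    }'
}

# gen_rollback OLD NEW: the pairs that undo the change, derived from the "set"
# half of the forward output, so they can be kept beside the change.
gen_rollback() {
  gen_profile_swap "$1" "$2" | grep '^set ' | gen_profile_swap "$2" "$1"
}

# Usage: paste the forward output into "configure" mode, review it, then commit
# and push as in step 8. In real use replace SAMPLE with the captured show output.
printf '%s\n' "$SAMPLE" | gen_profile_swap OldSecurityProfile New_Security_Profile
echo '--- rollback ---'
printf '%s\n' "$SAMPLE" | gen_rollback OldSecurityProfile New_Security_Profile
```

Run the show command once per device-group (or VSYS), save its output to a file, and feed that file to gen_profile_swap instead of SAMPLE; the generated lines are exactly the step 7 commands, only repeated for every matching rule.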


3 REPLIES

L0 Member

Have you considered installing Expedition (https://live.paloaltonetworks.com/t5/Expedition-Migration-Tool/ct-p/migration_tool), then connecting Panorama to Expedition. If you don't have Panorama, you could import config of firewalls as well.  You can then do a multi-edit on the policies and change the security profile and push back out to Pan. If you just imported the config into Expedition, you could also make the multi-edit changes in Expedition, export config and merge back into firewalls with the security profile change.

 

We recently used this approach for some migrations for zone, security profiles, and logging profiles. 

 

Good Luck.

That's a great suggestion, but I'm not sure the business side of things here would allow that. I can already hear their concerns going on in my head, but it is worth a shot.


Thanks!

