11-26-2018 03:17 PM
I found a KB but it's from 2016 and is no longer applicable.
I want to enable 'log at session start' on thousands of existing Security Pre-Rules across several Device Groups. I remember a multi-edit function but something's changed and I can't figure out how to do this. We're running Pano 8.0.8 and 7.1.8 on the firewalls.
11-26-2018 03:57 PM
First thing - you should really upgrade both code versions you're running.
7.1.8 was released in February of 2017, you're almost 2 years out of date. 8.0.8 was released in February of 2018, so it's better but still risky to run.
Both versions have critical and high risk security vulnerabilities:
Critical:
PAN-SA-2017-0027 (fixed in 7.1.13+)
High:
PAN-SA-2018-0008 (fixed in 7.1.16+, 8.0.9+)
PAN-SA-2017-0028 (fixed in 7.1.13+)
PAN-SA-2017-0025 (fixed in 7.1.12+)
That said, the simplest way would be to use the Expedition Migration Tool. It's not supported by Palo Alto Networks support, but the community is very active and your account team may be able to assist as well. Some more complex but stand-alone methods would be to export your running config and modify the device groups in question. You could also script it and use the API to update each of the rules.
11-26-2018 04:00 PM
Yep, understood and agreed on the outdated versions we're on. Politics slowing progress, unfortunately.
Anyway, thanks for the feedback. We're meeting with PA this week so I'll talk to them about Expedition.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
