Automatically assign and/or quick method to multiple ( 500+ ) security policies the log forwarding profile.

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.

Automatically assign and/or quick method to multiple ( 500+ ) security policies the log forwarding profile.

L4 Transporter
Automatically assign and/or quick method to multiple ( 500+ ) security policies the log forwarding profile.
Dear, good afternoon.
Please help me to review the following:
I have some firewalls managed by Panorama, firewall that at Device Group level have approx more than 500 security policies, some even reaching 2000. How is it possible to configure the log forwarding profile in a fast and expeditious way in many policies at the same time.
This reviewing options and one of them is:
1.- Make an export of the Panorama config, which contains the device-group(s) with the security policies. Apply the log forwarding to at least one, then work with the .xml and replicate the log forwarding config in all the policies and then apply a Load Partial Config, to load only the security policy configuration of the device-group. From this option I have seen that some people have had problems with congruence in the config and/or other problems when using this method.
2.- Perform the Load named Panorama configuration snapshot and only select the Device Group(s), with the option of: Select Device Groups & Templates-Specify device groups, templates, or template stacks configurations to load. Device Group and Template Admins can only select the device groups, templates, or template stacks designated in their assigned access domain. I have doubts about this option, if I only load the device config, before editing the XML, won't it carry the rest of the template and/or device group and cause PANORAMA to only see and load the config of the selected Device Groups & Templates and this will cause the rest of the Device Groups and/or template configs to be lost?
3.- The other option is to configure a policy of the device group(s) with its Log Forwarding profile. Then enter through CLI, change the configuration output format to Set:
admin@PA-VM> set cli config-output-format set
admin@PA-VM> configure
And then do a show device-group Device-Group01 and see the set command output of the policies and see the one that already has the log forwarding and then apply that same command for all the rest of the policies, command that will already include the syntax that includes in the policy with the log forwarding profile. Then it is a matter of push and that's it.
You community what do you think about these possibilities, which would be the best option in terms of less impact, less complex but at the same time more effective and controlled. To those who have had to do something similar, what option have you done to achieve this goal.
Thank you very much as always for your support and collaboration.
I remain attentive
Best regards.
High Sticker
  • 0 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!