Panorama: why can't we edit Application settings in Device Groups?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Panorama: why can't we edit Application settings in Device Groups?

L4 Transporter

Specifically, why can't we disable the SIP ALG in Panorama, in order to push that out to the firewalls?  Even more specifically, why isn't that option available in the Panorama GUI?

 

It's a real pain having to manually change that on each individual firewall, and commit the change locally, instead of setting it once in a Device Group and having it inherited by all the firewalls.

 

Panorama 8.1.9-h4 and PanOS 8.1.12 on the firewalls.

1 accepted solution

Accepted Solutions

Community Team Member

Hi @fjwcash ,

 

Good catch ... I haven't noticed that before.

I found that there's already a feature request for it.

 

Please reach out to your local SE and have him add your vote.

FR ID: 4081

 

Cheers !

-Kiwi.

 
LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

View solution in original post

5 REPLIES 5

Community Team Member

Hi @fjwcash ,

 

Good catch ... I haven't noticed that before.

I found that there's already a feature request for it.

 

Please reach out to your local SE and have him add your vote.

FR ID: 4081

 

Cheers !

-Kiwi.

 
LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

Thanks!  I've reached out to cast our vote.  Let's see what comes of it.  😄

L0 Member

Oh boy. I'm in need of disabling it on all firewalls this exact moment and just realized you can't do it from Panorama. Why is this even a feature request and not an automatic bug that needed fixing last year?

L0 Member

I would like to add, how can this be done in a Prisma environment where Panorama cannot modify it, nor do you have access to the firewalls to see / modify it?

L5 Sessionator

Is this a CLI-only command to disable SIP-ALG? May I introduce you to Palo's newest automation tool, SLI? Basically you would input a list of your NGFW MGT IPs (or pull them from PRA, see option 2), add username/password to the file, and then a different file would have a list of the CLI commands you wish to run and the tool will sequentially create the SSH access to each device outputting errors/success messages into a file for review after. 

 

Indeed, it's a feature request to get into panorama for now, but I requested our automation team build this workaround for the time being as I had a customer that needed something similar. 

 

SLI Development Branch

This is useful for commands for example, mass_ssh and mass_ssh_from_panorama.

 

mass_ssh asynchronous executes an inputted script file against multiple firewalls. These firewalls are either given as a list of IP addresses on the command line or given in a YAML inventory file. You can run the sli mass_ssh --help command to see examples of both the inputted script file and the YAML inventory file. 

 

mass_ssh_from_panorama does the same thing except it gathers the NGFW list from a Panorama device. SLI will grab a list of all connected devices for a given Panorama device and then will optionally filter based on an inputted dictionary of key values. You can run the sli mass_ssh_from_panorama --help command to see examples of the input script file and the NGFW filter dictionary. 

 

  • python3 -m venv venv 
  • source ./venv/bin/activate
  • git checkout -b develop origin/develop
  • pip install -e 

 

Then create your template files, look at examples by typing mass_ssh_from_panorama --help. Hope this makes your life a little easier!

 

Help the community! Add tags and mark solutions please.
  • 1 accepted solution
  • 6799 Views
  • 5 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!