10-25-2019 11:38 AM - edited 10-25-2019 11:40 AM
I worked with TAC and found the best way (for me) to do this. I have written out the process below in case someone else may find it useful. Please keep in mind I utilize Panorama, so this is written for that. I can't speak to any differences there may be in syntax between Panorama and doing it directly on a firewall.
Thanks.
1. Log into the Panorama GUI and create a local security profile for the VSYS you are working on.
2. Log into the Panorama CLI.
3. Enter command: set cli config-output-format set
4. Enter command: configure
5. Now we need to identify each rule that is utilizing the old security profile (in this case we'll call it OldSecurityProfile) so we run this next command. Please keep in mind that in this example the device-group (or VSYS) we will be working on is called Firewall-123, so wherever you see that referenced will need to be changed to match your needs:
show device-group Firewall-123 post-rulebase security rules | match OldSecurityProfile
6. After running the previous command we found that the policy "Security Policy Name" is set to use the OldSecurityProfile security profile and we want to change that to the new “New_Security_Profile” security profile.
set device-group Firewall-123 post-rulebase security rules "Security Policy Name" profile-setting group OldSecurityProfile
7. Now we delete the previous security profile in that rule and set the new security profile with the delete and set commands:
delete device-group Firewall-123 post-rulebase security rules "Security Policy Name" profile-setting group OldSecurityProfile
set device-group Firewall-123 post-rulebase security rules "Security Policy Name" profile-setting group New_Security_Profile
8. Now commit and push to the firewall.
