
This is an old revision of the document!


PAN Configurator

In these examples, '10.1.1.1' is a Panorama appliance.

Set all security policies to have 'default' as the log forwarding profile.

pa_rule-edit in=api://10.1.1.1 ruleType=security location=DeviceGroupName actions=logSetting-set:default

Set all security policies to have 'default' as the security profile group.

pa_rule-edit in=api://10.1.1.1 ruleType=security location=DeviceGroupName actions=securityProfile-Group-Set:default

Set security policies to have 'SPG_Outbound' as the security profile group. Only set it on policies that have the tag 'outbound'.

pa_rule-edit in=api://10.1.1.1 ruleType=security location=DeviceGroupName actions=securityProfile-Group-Set:SPG_Outbound 'filter=(tag has outbound)'

Remove security profiles and security profile groups from all rules that have the action set to deny.

pa_rule-edit in=api://10.1.1.1 ruleType=security location=DeviceGroupName actions=securityProfile-Remove 'filter=(action is.deny)'

Set all rules that deny traffic to have no security profile group.

pa_rule-edit in=api://10.1.1.1 ruleType=security location=DeviceGroupName actions=securityProfile-Remove 'filter=(action is.deny)'
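To confirm the bulk edits above took effect, the following added example (not part of PAN Configurator or the original page) audits an exported Panorama configuration for rules that still deviate from the intended state. The `audit` function, the sample rule names and the embedded XML are constructed for illustration; the XML is assumed to follow the standard Panorama device-group layout.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout of a Panorama device-group export (not real config).
SAMPLE = """<config><devices><entry name="localhost.localdomain"><device-group>
<entry name="DeviceGroupName"><pre-rulebase><security><rules>
  <entry name="allow-web"><action>allow</action><tag><member>outbound</member></tag>
    <log-setting>default</log-setting>
    <profile-setting><group><member>SPG_Outbound</member></group></profile-setting></entry>
  <entry name="allow-dns"><action>allow</action><tag><member>outbound</member></tag>
    <log-setting>default</log-setting>
    <profile-setting><group><member>default</member></group></profile-setting></entry>
  <entry name="allow-mgmt"><action>allow</action></entry>
  <entry name="block-legacy"><action>deny</action><log-setting>default</log-setting>
    <profile-setting><profiles><virus><member>default</member></virus></profiles></profile-setting></entry>
</rules></security></pre-rulebase></entry>
</device-group></entry></devices></config>"""

def audit(xml_text, device_group, log_profile="default", tag_groups=None):
    """Return (rule, finding) pairs for rules that do not match the intended state."""
    tag_groups = tag_groups or {}  # hypothetical mapping: tag -> required profile group
    root = ET.fromstring(xml_text)
    findings = []
    dg = root.find(f".//device-group/entry[@name='{device_group}']")
    if dg is None:
        raise ValueError(f"device group {device_group!r} not found")
    for base in ("pre-rulebase", "post-rulebase"):
        for rule in dg.findall(f"{base}/security/rules/entry"):
            name = rule.get("name")
            action = rule.findtext("action")
            tags = {m.text for m in rule.findall("tag/member")}
            group = rule.findtext("profile-setting/group/member")
            has_profiles = rule.find("profile-setting/profiles") is not None
            if rule.findtext("log-setting") != log_profile:
                findings.append((name, "log forwarding profile is not " + log_profile))
            if action == "deny":  # deny rules should carry no profiles at all
                if group or has_profiles:
                    findings.append((name, "deny rule still has security profiles"))
                continue
            for tag, wanted in tag_groups.items():
                if tag in tags and group != wanted:
                    findings.append((name, f"tag {tag} expects group {wanted}, has {group}"))
            if group is None and not has_profiles:
                findings.append((name, "no security profile or group"))
    return findings

if __name__ == "__main__":
    for name, finding in audit(SAMPLE, "DeviceGroupName", tag_groups={"outbound": "SPG_Outbound"}):
        print(f"{name}: {finding}")
```

An empty result means every security rule in the device group has the expected log forwarding profile and profile group, and no deny rule carries profiles.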

Set security policies to be targeted to a specific serial number 011122211122. Only set it on policies that are targeted on firewall serial number 099887766554. This is useful when adding new firewalls to Panorama to replace an old firewall already in Panorama.

pa_rule-edit in=api://10.1.1.1 ruleType=security location=DeviceGroupName actions=target-Add-Device:011122211122 'filter=(target has 099887766554)'

Update all security policies that have security profile group set to default and set it to security profile group spg-internal.

pa_rule-edit in=api://10.1.1.1 ruleType=security location=DeviceGroupName actions=securityProfile-Group-Set:spg-internal 'filter=(secprof group.is default)'

To replace the destination zone:

pa_rule-edit in=api://10.1.1.1 ruleType=security location=DGName actions=to-Replace:OldZone,NewZone
pa_rule-edit in=api://10.1.1.1 ruleType=nat location=DGName actions=to-Replace:OldZone,NewZone

To replace the source zone:

pa_rule-edit in=api://10.1.1.1 ruleType=security location=DGName actions=from-Replace:OldZone,NewZone
pa_rule-edit in=api://10.1.1.1 ruleType=nat location=DGName actions=from-Replace:OldZone,NewZone

You can also use the following rule types:

  • security
  • nat
  • decryption