What I really want to do is find all the rules that do not have a description (a ding on BPA) and then somehow copy the name of the rule into the description within CLI (hopefully automated). Doing this by hand in the GUI is going to take an eternity.
Last follow up for adding a Group Rules by Tag in command line
# set device-group "My Devices" post-rulebase security rules "Rule Name" group-tag "Tag Name"
While this may seem like the hard way, please remember that I concatenated over 1200 Rules that needed the description added as well as Group Rules by Tag.
Reaper@PA-VM2# set rulebase security rules myrule group-tag mytag
And panorama
Reaper@Panorama# set device-group mydevices pre-rulebase security rules myrule group-tag mytag
@Reaper Bonus points if you can tell me how to add Group Rules By Tag via command line :)
Ok, I think I have a (believe it or not) viable solution.
This would be for anyone who comes across this and would like to bulk add description to security rules. Having a blank description dings on the BPA.
1. Find the ones that are none as stated above.
2. Use concatenate in Excel to come up with what it is that you need:
# set device-group MyDeviceGroup post-rulebase security rules "Rule Name" description "Enter Text here."
I really can't thank you enough @Reaper for helping me work through this issue.
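An added example, not part of the original thread: the two steps above done in one pass over a Panorama configuration XML export, treating both a missing `<description>` element and an empty one as "none". The sample config is constructed, the function names are hypothetical, and the device-group XML layout is an assumption about the export.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed Panorama config fragment (not from the thread).
SAMPLE_CONFIG = """\
<config><devices><entry name="localhost.localdomain"><device-group>
  <entry name="My Devices">
    <pre-rulebase><security><rules>
      <entry name="Allow DNS"><description>Outbound DNS</description></entry>
    </rules></security></pre-rulebase>
    <post-rulebase><security><rules>
      <entry name="Allow Web"/>
      <entry name="Block-Telnet"><description></description></entry>
      <entry name="Cleanup"><description>   </description></entry>
    </rules></security></post-rulebase>
  </entry>
</device-group></entry></devices></config>
"""

RULEBASES = ("pre-rulebase", "post-rulebase")


def quote(value):
    """Wrap a name in double quotes for the CLI; refuse names that contain one."""
    if '"' in value:
        raise ValueError(f"cannot quote {value!r}")
    return f'"{value}"'


def missing_description_commands(config_xml):
    """Return one 'set ... description' line per security rule with no description."""
    # "No description" covers both cases from the thread: the element was never
    # created, or it exists but is empty or whitespace-only (set, then cleared).
    root = ET.fromstring(config_xml)
    commands = []
    for group in root.findall("./devices/entry/device-group/entry"):
        for rulebase in RULEBASES:
            for rule in group.findall(f"./{rulebase}/security/rules/entry"):
                if (rule.findtext("description") or "").strip():
                    continue  # already documented
                name = quote(rule.get("name"))
                commands.append(
                    f"set device-group {quote(group.get('name'))} {rulebase} "
                    f"security rules {name} description {name}"
                )
    return commands


if __name__ == "__main__":
    print("\n".join(missing_description_commands(SAMPLE_CONFIG)))
```

The printed lines are meant to be reviewed and then pasted in configure mode, followed by a commit.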
How do I get to a device group via cli on panorama?
Do this
> set cli config-output-format set
> configure
# show rulebase security
This returns your entire rulebase in set format, may help build descriptions quickly
If there is any way to just add a description to a security rule via cli I think I can script it out from there. I just can't find if there is a way to add a description to a security rule via cli.
At the end of the day, the long way is for me to just export the csv file and sort the Description column to "none". Which is fine, but then that brings me to the other part of my question. Via CLI, is there a way to copy the Rule name into the description field?
Sorry, not sure what you mean flip it into "is present"
If that works, try adding 'not'
Yeah there needs to be a <description> for it to match 'none'. Wait.... See if you can flip it into "is present"
Thought I might have had it for a moment. If you pick to use the column Description and there is nothing in there it shows up as none on the column. Tried searching on (description contains 'none') but no dice.
So how does the BPA know when the field is empty? That's the part I don't understand. There has to be a way because they are doing it?
Hehe yeah that's an issue. Searching is basically matching a string against the config xml. All default configuration has no element in the config file; adding a description not only adds the text of the description, but also the containing elements (<description></description>). Any rules that never had a description won't have these elements so can't be found in searches for an empty element (as the element doesn't exist). This only works if there once was a description that was later removed, which leaves the elements in the xml.
I found this https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClloCAC
That you reaper wrote up, but is the search for description for null not possible?