
type=service-merger

Sven Waschkut edited this page Oct 6, 2023 · 1 revision

reduce duplicate Service objects

A Palo Alto Networks Panorama or firewall config can grow large. To check for and reduce duplicate Service objects (e.g. objects with the same value), use this UTIL:

pan-os-php type=service-merger in=inputconfig.xml out=mergedconfig.xml dupalgorithm=SameDstSrcPorts location=any allowmergingwithupperlevel exportCSV=merged_objects.html outputformatset=setcommands.txt | tee logfile.txt

pan-os-php type=service-merger help

  • DupAlgorithm=SameDstSrcPorts|SamePorts|WhereUsed specifies how to detect duplicates:
  • SameDstSrcPorts: objects with the same Dst and Src ports will be replaced by the one picked (default)
  • SamePorts: objects with the same Dst ports will be replaced by the one picked
  • WhereUsed: objects used in exactly the same location will be merged into 1 single object, and all ports covered by these objects will be aggregated
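To make the difference between SameDstSrcPorts and SamePorts concrete, here is an added example (not part of pan-os-php) that applies both comparison rules to a constructed config fragment laid out like the PAN-OS <service> XML and reports which object would be kept and which ones would be merged into it. The "keep the first object seen" rule is an assumption for illustration; the UTIL lets you pick.

```python
# Added example, not pan-os-php code: detect duplicate PAN-OS service objects
# with the SameDstSrcPorts and SamePorts rules described above.
import xml.etree.ElementTree as ET

# Constructed sample in the PAN-OS <service> layout; not taken from a real device.
SAMPLE_XML = """
<config><devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
<service>
  <entry name="tcp-443"><protocol><tcp><port>443</port></tcp></protocol></entry>
  <entry name="HTTPS"><protocol><tcp><port>443</port></tcp></protocol></entry>
  <entry name="https-src1024"><protocol><tcp><port>443</port>
      <source-port>1024-65535</source-port></tcp></protocol></entry>
  <entry name="dns-udp"><protocol><udp><port>53</port></udp></protocol></entry>
  <entry name="tcp-80"><protocol><tcp><port>80</port></tcp></protocol></entry>
</service>
</entry></vsys></entry></devices></config>
"""


def service_key(entry, algorithm):
    """Build the comparison key for one <entry> under <service>."""
    proto = entry.find("protocol")
    if proto is None:
        return None
    for name in ("tcp", "udp"):
        node = proto.find(name)
        if node is None:
            continue
        dst = (node.findtext("port") or "").strip()
        src = (node.findtext("source-port") or "").strip()  # empty = any
        if algorithm == "SameDstSrcPorts":
            return (name, dst, src)
        if algorithm == "SamePorts":
            return (name, dst)
        raise ValueError("unsupported algorithm: " + algorithm)
    return None


def find_duplicates(xml_text, algorithm="SameDstSrcPorts"):
    """Return {kept_name: [merged_away_names]} for duplicate service objects."""
    root = ET.fromstring(xml_text)
    groups = {}
    for service in root.iter("service"):       # every <service> container
        for svc in service.findall("entry"):   # object definitions only
            key = service_key(svc, algorithm)
            if key is not None:
                groups.setdefault(key, []).append(svc.get("name"))
    # Assumption for the example: the first object seen is the one kept.
    return {names[0]: names[1:] for names in groups.values() if len(names) > 1}
```

With SameDstSrcPorts only tcp-443 and HTTPS collide; with SamePorts the object with the restricted source port range is merged as well, which is why the default is the stricter rule.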

argument description:

  • location=any

    • take each DeviceGroup (Panorama) / VirtualSystem (Firewall) and check whether duplicate Service objects are available there, based on the picked "DupAlgorithm"
  • allowmergingwithupperlevel

    • this argument allows the script to check the full DeviceGroup hierarchy up and down (parent DGs and child DGs) for Service objects which can be merged based on the picked "DupAlgorithm"
  • exportCSV=merged_objects.html

    • this file can be opened with Excel (please use the ending .xls) or any web browser (.html)

    • the content is the object value, the kept object name and all removed objects

    • objects which cannot be merged are exported with more information into 'skip-FILENAME', where FILENAME is taken from the argument exportCSV

  • outputformatset=setcommands.txt

    • all changes done during the merger part are listed in PAN-OS set command syntax
    • with this it is possible to prepare a Change Request and put in the expected commands you will run during the Change
    • please
  • | tee logfile.txt

    • very helpful if detailed log information about what the script changed must be stored

if more validation of the rule part is needed:

  • run the following command before the "service-merger"

pan-os-php type=rule in=inputconfig.xml ruletype=security 'actions=exporttoexcel:file_orig.html,resolveaddresssummary|resolveservicesummary' location=any

  • and run it again after the above pan-os-php type=service-merger script run

pan-os-php type=rule in=mergedconfig.xml ruletype=security 'actions=exporttoexcel:file_merged.html,resolveaddresssummary|resolveservicesummary' location=any

Both created files, file_orig.html and file_merged.html, contain detailed information for each security rule about the resolution of source and destination to the IP addresses behind Address and Address-Group objects