
type=address-merger

Sven Waschkut edited this page Oct 6, 2023 · 1 revision

reduce duplicate Address objects

A Palo Alto Networks Panorama or firewall config can grow large. To check for and reduce duplicate address objects, e.g. objects with the same value, use this utility:

pan-os-php type=address-merger in=inputconfig.xml out=mergedconfig.xml dupalgorithm=sameaddress location=any allowmergingwithupperlevel exportCSV=merged_objects.html outputformatset=setcommands.txt | tee logfile.txt

pan-os-php type=address-merger help

  • DupAlgorithm=SameAddress | Identical | WhereUsed Specifies how to detect duplicates:
    • SameAddress: objects with same Network-Value will be replaced by the one picked (default)
    • Identical: objects with same network-value and same name will be replaced by the one picked
    • WhereUsed: objects used exactly in the same location will be merged into 1 single object and all ports covered by these objects will be aggregated
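
To preview which objects a SameAddress-style check would group together before running the merger, the following added example (not part of pan-os-php and not its own logic) lists address objects that share a value inside each VirtualSystem or DeviceGroup. The sample config is constructed, and treating a bare IP as equal to its /32 form is an assumption of this sketch.

```python
import ipaddress
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: two objects in vsys1 share a value, vsys2 holds a third with that value.
SAMPLE = """<config><devices><entry name="localhost.localdomain"><vsys>
  <entry name="vsys1"><address>
    <entry name="web-01"><ip-netmask>10.1.1.10/32</ip-netmask></entry>
    <entry name="h-10.1.1.10"><ip-netmask>10.1.1.10</ip-netmask></entry>
    <entry name="dmz-net"><ip-netmask>192.0.2.0/24</ip-netmask></entry>
    <entry name="portal"><fqdn>portal.example.com</fqdn></entry>
  </address></entry>
  <entry name="vsys2"><address>
    <entry name="srv_web"><ip-netmask>10.1.1.10/32</ip-netmask></entry>
  </address></entry>
</vsys></entry></devices></config>"""

def normalize(kind, value):
    """Assumption: a bare IP and its /32 (or /128) form count as the same value."""
    value = value.strip()
    if kind == "ip-netmask":
        try:
            return str(ipaddress.ip_network(value))  # strict: host bits set -> ValueError
        except ValueError:
            pass  # keep values such as 10.1.1.10/24 exactly as written
    return value.lower() if kind == "fqdn" else value

def find_duplicates(xml_text):
    """Return {location: {(type, value): [names]}} for values defined more than once."""
    root = ET.fromstring(xml_text)
    report = {}
    # vsys entries on a firewall, device-group entries on Panorama; each checked on its own
    for loc in root.findall(".//vsys/entry") + root.findall(".//device-group/entry"):
        groups = defaultdict(list)
        for obj in loc.findall("./address/entry"):
            for child in obj:
                if child.tag in ("ip-netmask", "ip-range", "fqdn") and child.text:
                    groups[(child.tag, normalize(child.tag, child.text))].append(obj.get("name"))
        dups = {k: sorted(v) for k, v in groups.items() if len(v) > 1}
        if dups:
            report[loc.get("name")] = dups
    return report

if __name__ == "__main__":
    for loc, dups in find_duplicates(SAMPLE).items():
        for (kind, value), names in dups.items():
            print(f"{loc}: {kind} {value} defined {len(names)}x -> {', '.join(names)}")
```

The object in vsys2 is not reported because each location is examined separately, which mirrors the per-location check described for location=any.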

argument description:

  • location=any

    • checks each DeviceGroup (Panorama) / VirtualSystem (Firewall) for duplicate Address objects, based on the chosen "DupAlgorithm"
  • allowmergingwithupperlevel

    • this argument allows the script to check the full DeviceGroup hierarchy up and down (parent DGs and child DGs) for Address objects that can be merged based on the chosen "DupAlgorithm"
  • exportCSV=merged_objects.html

    • this file can be opened with Excel or any web browser
    • its content is the object value, the name of the kept object and all removed objects
  • outputformatset=setcommands.txt

    • all changes made during the merge are listed in PAN-OS set command syntax
    • this makes it possible to prepare a Change Request and include the commands you expect to run during the Change
    • please
  • | tee logfile.txt

    • very helpful if detailed log information about what the script changed must be stored

if more validation on the Rule part is needed:

  • run the following command to compare rule behaviour before and after the merge task:

pan-os-php type=rule-compare file1=inputconfig.xml file2=mergedconfig.xml