type=address‐merger - PaloAltoNetworks/pan-os-php GitHub Wiki

reduce duplicate Address objects

A Palo Alto Networks Panorama or firewall configuration can grow large. To check for and reduce duplicate address objects, e.g. objects with the same value, use this utility:

pan-os-php type=address-merger in=inputconfig.xml out=mergedconfig.xml dupalgorithm=sameaddress location=any allowmergingwithupperlevel exportCSV=merged_objects.html outputformatset=setcommands.txt | tee logfile.txt

pan-os-php type=address-merger help

  • DupAlgorithm=SameAddress | Identical | WhereUsed Specifies how to detect duplicates:
    • SameAddress: objects with same Network-Value will be replaced by the one picked (default)
    • Identical: objects with same network-value and same name will be replaced by the one picked
    • WhereUsed: objects used exactly in the same location will be merged into 1 single object and all ports covered by these objects will be aggregated
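A read-only pre-check that lists merge candidates under the SameAddress and Identical keys before the merger is run. This is an added example, not pan-os-php code. It assumes values are compared as literal strings and that "upper level" means any other location, and the XML fragment is constructed:

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed Panorama-style fragment (not a real configuration).
SAMPLE = """<config>
  <shared><address>
    <entry name="web01"><ip-netmask>10.1.1.10/32</ip-netmask></entry>
  </address></shared>
  <devices><entry name="localhost.localdomain"><device-group>
    <entry name="DG-Branch"><address>
      <entry name="web01"><ip-netmask>10.1.1.10/32</ip-netmask></entry>
      <entry name="h-10.1.1.10"><ip-netmask>10.1.1.10/32</ip-netmask></entry>
      <entry name="portal"><fqdn>portal.example.com</fqdn></entry>
    </address></entry>
  </device-group></entry></devices>
</config>"""

VALUE_TAGS = ("ip-netmask", "ip-range", "fqdn", "ip-wildcard")

def load_addresses(xml_text):
    """Return (location, name, (type, value)) for every address object."""
    root = ET.fromstring(xml_text)
    containers = [("shared", root.find("shared/address"))]
    for scope in ("device-group", "vsys"):  # Panorama DGs / firewall vsys
        for e in root.findall(f"devices/entry/{scope}/entry"):
            containers.append((e.get("name"), e.find("address")))
    out = []
    for loc, node in containers:
        for obj in (node.findall("entry") if node is not None else []):
            for child in obj:  # description/tag children are skipped
                if child.tag in VALUE_TAGS:
                    value = (child.tag, (child.text or "").strip())
                    out.append((loc, obj.get("name"), value))
    return out

def duplicates(objs, algorithm):
    """Group duplicate candidates; returns {key: [(location, name), ...]}."""
    groups = defaultdict(list)
    for loc, name, val in objs:
        # sameaddress: same value inside one location.
        # identical: same name and same value, seen in several locations.
        key = (loc, val) if algorithm == "sameaddress" else (name, val)
        groups[key].append((loc, name))
    return {k: v for k, v in groups.items() if len(v) > 1}

if __name__ == "__main__":
    objs = load_addresses(SAMPLE)
    for algo in ("sameaddress", "identical"):
        for key, members in duplicates(objs, algo).items():
            print(algo, key, members)
```

Comparing this list with the exportCSV report afterwards shows whether the merger touched only the objects expected to change.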

argument description:

  • location=any

    • take each DeviceGroup (Panorama) / VirtualSystem (Firewall) and check if there are duplicate Address objects available, based on the picked "DupAlgorithm"
  • allowmergingwithupperlevel

    • this argument allows the script to check the full DeviceGroup hierarchy, up and down (parent DGs and child DGs), for Address objects that can be merged based on the picked "DupAlgorithm"
  • exportCSV=merged_objects.html

    • this file can be opened with Excel or any web browser
    • the content is the object value, the kept object name and all removed objects
  • outputformatset=setcommands.txt

    • all changes made during the merge are listed in PAN-OS set command syntax
    • with this it is possible to prepare a Change Request and include the commands you expect to run during the Change
    • please
  • | tee logfile.txt

    • very helpful if detailed log information must be stored about what the script changed

if more validation on the Rule part is needed:

  • run the following command to compare rule behaviour before and after the merge task:

pan-os-php type=rule-compare file1=inputconfig.xml file2=mergedconfig.xml