type=service-merger - PaloAltoNetworks/pan-os-php GitHub Wiki

reduce duplicate Service objects

A Palo Alto Networks Panorama or firewall (FW) configuration can grow large. To check for and reduce duplicate Service objects (e.g. objects with the same value), use this UTIL:

pan-os-php type=service-merger in=inputconfig.xml out=mergedconfig.xml dupalgorithm=SameDstSrcPorts location=any allowmergingwithupperlevel exportCSV=merged_objects.html outputformatset=setcommands.txt | tee logfile.txt

pan-os-php type=service-merger help

  • DupAlgorithm=SameDstSrcPorts|SamePorts|WhereUsed specifies how to detect duplicates:

    • SameDstSrcPorts: objects with the same Dst and Src ports will be replaced by the one picked (default)
    • SamePorts: objects with the same Dst ports will be replaced by the one picked
    • WhereUsed: objects used in exactly the same locations will be merged into one single object, and all ports covered by these objects will be aggregated
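To make the difference between the two port-based DupAlgorithm values concrete, the following is an added Python example (not code from the pan-os-php project) that parses constructed PAN-OS style service entries, groups them the way each algorithm compares them, and builds the "value / kept name / removed names" rows that the exportCSV file lists. Picking the alphabetically first name as the kept object is an assumption; the tool's own pick rule is not described on this page.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample, not a real config. Element layout mirrors PAN-OS
# service entries: protocol/tcp|udp/port plus an optional source-port.
SAMPLE_XML = """<service>
  <entry name="tcp-443"><protocol><tcp><port>443</port></tcp></protocol></entry>
  <entry name="https-dup"><protocol><tcp><port>443</port></tcp></protocol></entry>
  <entry name="https-src1024"><protocol><tcp><port>443</port><source-port>1024-65535</source-port></tcp></protocol></entry>
  <entry name="dns-udp"><protocol><udp><port>53</port></udp></protocol></entry>
  <entry name="dns-udp-2"><protocol><udp><port>53</port></udp></protocol></entry>
  <entry name="dns-tcp"><protocol><tcp><port>53</port></tcp></protocol></entry>
</service>"""

def parse_services(xml_text):
    """Return {name: (proto, dst_ports, src_ports)}; empty src_ports means any."""
    services = {}
    for entry in ET.fromstring(xml_text).findall("entry"):
        proto_el = entry.find("protocol")
        for proto in ("tcp", "udp"):
            node = proto_el.find(proto)
            if node is None:
                continue
            dst = node.findtext("port", "").strip()
            src = node.findtext("source-port", "").strip()
            services[entry.get("name")] = (proto, dst, src)
    return services

def find_duplicates(services, dupalgorithm="SameDstSrcPorts"):
    """Group objects by the fields the chosen algorithm compares; keep groups of 2+."""
    groups = defaultdict(list)
    for name, (proto, dst, src) in services.items():
        if dupalgorithm == "SameDstSrcPorts":
            key = (proto, dst, src)
        elif dupalgorithm == "SamePorts":
            key = (proto, dst)  # source port ignored: objects differing only there collapse
        else:
            raise ValueError("unsupported DupAlgorithm: " + dupalgorithm)
        groups[key].append(name)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}

def merge_plan(services, dupalgorithm="SameDstSrcPorts"):
    """Rows like the exportCSV file: (object value, kept name, removed names).
    Assumption: the alphabetically first object is the one kept."""
    plan = []
    for key, names in sorted(find_duplicates(services, dupalgorithm).items()):
        value = key[0] + "/" + "/".join(part for part in key[1:] if part)
        plan.append((value, names[0], names[1:]))
    return plan
```

Under SamePorts the object with the restricted source port joins the tcp/443 group, so a merge there widens what matching rules allow; that is the kind of row to review in the merged/skip report before applying the generated set commands.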

argument description:

  • location=any

    • take each DeviceGroup (Panorama) / VirtualSystem (Firewall) and check if there are duplicate Service objects available, based on the picked "DupAlgorithm"

  • allowmergingwithupperlevel

    • this argument allows the script to check the full DeviceGroup hierarchy up and down (parent DGs and child DGs) for Service objects which can be merged based on the picked "DupAlgorithm"

  • exportCSV=merged_objects.html

    • this file can be opened with Excel (please use the ending .xls) or any web browser (.html)
    • the content is the object value, the kept object name and all removed objects
    • objects which cannot be merged are exported with more information into 'skip-FILENAME', where FILENAME is taken from the argument exportCSV

  • outputformatset=setcommands.txt

    • all changes done during the merger part are listed in PAN-OS set command syntax
    • with this it is possible to prepare a Change Request and put in the expected commands you will run during the Change
    • please

  • | tee logfile.txt

    • very helpful if detailed log information must be stored about what the script changed

if more validation on the Rule part is needed:

  • run the following command before the "service-merger" run

pan-os-php type=rule in=inputconfig.xml ruletype=security 'actions=exporttoexcel:file_orig.html,resolveaddresssummary|resolveservicesummary' location=any

  • and run it again after the above pan-os-php type=service-merger script run

pan-os-php type=rule in=mergedconfig.xml ruletype=security 'actions=exporttoexcel:file_merged.html,resolveaddresssummary|resolveservicesummary' location=any

Both created files, file_orig.html and file_merged.html, contain detailed information for each security rule about the resolution of source and destination to the IP addresses behind Address and Address-Group objects.