How to automatically bulk import address objects into Palo Alto Firewall.

I couldn't possibly count the number of times I've needed to import a huge long list of objects into a firewall's configuration for some sort of IT project. These days the thought of manually adding each object one by one using Web-UI button clicks fills me with dread. I recently had a request from a customer to add 80 plus Azure Public IP addresses into their Palo Alto firewalls. I needed an automated way of adding all these objects and fast.

Fortunately, a few Google searches later I came across a solution. A gentleman called Irek Romaniuk has created an automation tool that can create and load address objects from a CSV from the CLI. This is super handy, and a sure way of avoiding a long day of data inputting. What's it called, I hear you say? Drum roll please... it's called pan-cli and it can be downloaded from Irek's GitHub repository.

Before I continue, I wanted to point out that my daily driver is a MacBook Pro and this tool needs to be run on a Windows device, which was easily solved by running it on my Windows 10 virtual machine, a small price to pay for such a valuable tool. Anyway, I downloaded the zip file from the repository and copied it to a specific folder on my C:\ drive which I could easily access from the command prompt.

By issuing the pan-cli.exe command you get an intuitive, easy to read list. I had a quick scan through the available commands and could see that the load command was the one for me.

The IP objects that I needed to import into the Palo Alto Networks firewall were contained in a standard Microsoft Excel spreadsheet. The correct data needed to be typed into the correct columns. Column A contains the object name, column B is the type of object, column C is the actual IP address, column D is the object's description and finally, column E is the object group name. The next step was to save the file in CSV format. I used a short name to make it simpler when issuing the load command from the command line.
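A pre-flight check for the five-column CSV described above, as an added example that is not part of the original post or of pan-cli. It assumes the file has no header row and a PAN-OS-style object-name limit; the sample rows are constructed, and the `ip` type value in them is an assumption.

```python
import csv
import io
import ipaddress
import re

# Assumed PAN-OS naming limit (not from the page): 63 chars, starts alphanumeric.
NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9 ._-]{0,62}$")
COLUMNS = ("name", "type", "address", "description", "group")  # columns A-E

# Constructed sample export (documentation-range IPs; "ip" type value is assumed).
SAMPLE = (
    "\ufeffAzure-PIP-01,ip,203.0.113.10,Azure public IP 1,Azure-Public\n"
    "Azure-PIP-02,ip,203.0.113.300,Azure public IP 2,Azure-Public\n"
    "Azure-PIP-01,ip,203.0.113.12,Azure public IP 3,Azure-Public\n"
    "Azure-PIP-04,ip,198.51.100.7\n"
    "Azure-PIP-05,ip,198.51.100.0/28,Azure range,Azure-Public\n"
)


def validate_rows(text):
    """Return (good_rows, errors) for CSV text laid out as columns A-E."""
    good, errors, seen = [], [], {}
    text = text.lstrip("\ufeff")  # Excel's "CSV UTF-8" export prepends a BOM
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not any(cell.strip() for cell in row):
            continue  # blank line left by the spreadsheet export
        if len(row) != len(COLUMNS):
            errors.append((lineno, f"expected 5 columns, got {len(row)}"))
            continue
        rec = dict(zip(COLUMNS, (cell.strip() for cell in row)))
        problems = []
        if not NAME_RE.match(rec["name"]):
            problems.append("invalid object name")
        elif rec["name"] in seen:
            problems.append(f"duplicate of line {seen[rec['name']]}")
        if not rec["type"]:
            problems.append("missing type")
        try:
            ipaddress.ip_interface(rec["address"])  # host or address/prefix
        except ValueError:
            problems.append(f"bad address {rec['address']!r}")
        if problems:
            errors.append((lineno, "; ".join(problems)))
        else:
            seen[rec["name"]] = lineno
            good.append(rec)
    return good, errors
```

Pass the saved CSV's text to `validate_rows` and only go on to the load step once the returned error list is empty.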

With the CSV file copied to the same folder as the pan-cli.exe, I was ready to issue the command. I opened up a command prompt and checked connectivity to the firewall mgmt interface, then changed the directory to the C:\PANTools\Automation folder and issued the dir command to confirm I could see the CSV file and the pan-cli.exe. With all systems go, I issued the Pan-cli.exe load -f "Azure.csv" -u admin -p "Pal0Alt0" -d "192.168.21.21" command and hit enter.

The -f flag was to specify the CSV file to copy the objects from, the -u was the username string, the -p was for the password string and the -d was to specify the device IP address. There are some additional options like -g to copy to a specific Panorama device group or -s to create them as a shared Panorama object. However, I was only pushing the config directly to a standalone firewall so I didn't need additional flags.

The config push was pretty fast. It took approx 20-25 secs to push 83 IP address objects to the firewall. That's way faster than going through all of those Web-UI button clicks, right?

In summary, this little gem will do all the heavy lifting for you, saving you a serious amount of time. I hope you guys find it useful too!

If you want to see a step-by-step tutorial, please check out my YouTube video.

Copyright 2017 @IrekRomaniuk. Package using github.com/scottdware/go-panos by Scott Ware to interact with Palo Alto and Panorama devices using the XML API.