How to Export Palo Alto Networks Firewall Configuration to a Spreadsheet

It is often necessary to have the configured policies, routes, and interfaces in a spreadsheet, to share with the design team, the audit team, or for other purposes. The method below gets the Palo Alto configuration into a spreadsheet whenever you need it. It requires a little manual effort and just a few minutes of your time. Here are the steps:

1. First, log in to your Palo Alto firewall, navigate to Device > Setup > Operations, and click Export Named Configuration Snapshot.

2. From the pop-up menu select running-config.xml, and click OK. Save the file to a desired location.

3. To export the security policies into a spreadsheet, follow these steps:

a. Make a copy of running-config.xml and rename it policies.xml. We will use more copies of running-config.xml for further operations later.
b. Open policies.xml in an editor such as Notepad++, WordPad, or EditPad Lite. Avoid plain Notepad. If you don't have Notepad++ or EditPad Lite, use WordPad (built into Windows).
c. Search for the keyword <security>, including the < and > characters.
d. Delete all the text before the <security> tag.
e. Search for the keyword </security>, including the < and > characters.
f. Delete all the text after the </security> tag.
g. Do a find and replace for the keyword <member>, replacing <member> with blank (nothing).
h. Similarly, do a find and replace for the keyword </member>, replacing </member> with blank (nothing).
i. Save the file and close it.
j. Open a new Excel spreadsheet and, on the menu bar, click DATA > From Other Sources > From XML Data Import.
k. In the pop-up window, browse to and select the policies.xml file. Click Open, then click OK, and then click OK again.
l. There you go: you have all your policies in a spreadsheet.
m. If you see alignment issues in the cells, press Ctrl+H (find and replace) and replace " " (space) with blank (nothing).
n. You will see your policies in a well-formatted table.


4. To export address objects, create a copy of running-config.xml and save it as address.xml.

a. Open address.xml, search for the <address> tag, and delete all the text before this tag.
b. Similarly, search for </address> and delete all the text after this tag.
c. Save it and repeat steps j, k, and l from the security policies section.

5. To export address groups, create a copy of running-config.xml and save it as address-group.xml.

a. Open address-group.xml, search for the <address-group> tag, and delete all the text before this tag.
b. Similarly, search for </address-group> and delete all the text after this tag.
c. Save it and repeat steps j, k, and l from the security policies section.

6. To export PBF policies, create a copy of running-config.xml and save it as pbf.xml.

a. Open pbf.xml, search for the <pbf> tag, and delete all the text before this tag.
b. Similarly, search for </pbf> and delete all the text after this tag.
c. Save it and repeat steps j, k, and l from the security policies section.

7. To export interfaces, create a copy of running-config.xml and save it as interfaces.xml.

a. Open interfaces.xml, search for the <interface> tag, and delete all the text before this tag.
b. Similarly, search for </interface> and delete all the text after this tag.
c. Save it and repeat steps j, k, and l from the security policies section.

8. To export zones, create a copy of running-config.xml and save it as zones.xml.

a. Open zones.xml, search for the <zone> tag, and delete all the text before this tag.
b. Similarly, search for </zone> and delete all the text after this tag.
c. Save it and repeat steps j, k, and l from the security policies section.
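
The security-policy export from step 3 can also be scripted. The Python below is an added example, not part of the original article: it reads only the security rule entries and writes them as CSV, so the rest of running-config.xml (which also holds items such as administrator password hashes) never reaches the shared file. The sample XML is constructed, and the element path rulebase/security/rules is an assumption about the layout of the exported file.

```python
import csv
import io
import xml.etree.ElementTree as ET

# Constructed sample that mimics the layout of an exported running-config.xml.
SAMPLE_CONFIG = """<config>
  <mgt-config><users><entry name="admin"><phash>CONSTRUCTED-HASH</phash></entry></users></mgt-config>
  <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1"><rulebase><security><rules>
    <entry name="allow-web"><from><member>trust</member></from><to><member>untrust</member></to>
      <source><member>10.0.0.0/24</member></source><destination><member>any</member></destination>
      <application><member>web-browsing</member><member>ssl</member></application>
      <service><member>application-default</member></service><action>allow</action></entry>
    <entry name="deny-all"><from><member>any</member></from><to><member>any</member></to>
      <source><member>any</member></source><destination><member>any</member></destination>
      <application><member>any</member></application><service><member>any</member></service>
      <action>deny</action></entry>
  </rules></security></rulebase></entry></vsys></entry></devices>
</config>"""

# Columns to export; most hold a list of <member> children, action holds plain text.
FIELDS = ["from", "to", "source", "destination", "application", "service", "action"]


def security_rules(xml_text):
    """Return one dict per security rule, with <member> lists joined by ';'."""
    root = ET.fromstring(xml_text)
    rows = []
    # Assumed path: security rules live under rulebase/security/rules/entry.
    for rule in root.findall(".//rulebase/security/rules/entry"):
        row = {"name": rule.get("name", "")}
        for field in FIELDS:
            members = [m.text.strip() for m in rule.findall(f"{field}/member") if m.text]
            row[field] = ";".join(members) or (rule.findtext(field) or "").strip()
        rows.append(row)
    return rows


def to_csv(rows):
    """Serialize the rule dicts to CSV text that Excel opens directly."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["name"] + FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(security_rules(SAMPLE_CONFIG)))
```

For a real export, pass the bytes of the file (`open("running-config.xml", "rb").read()`) to `security_rules` and write the result of `to_csv` to policies.csv.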

Please post your suggestions if you would like tips on more config parameters.

Rohit Singla is a Security Consultant. He has been working with Palo Alto Networks firewalls for about seven years.
