Create Bulk address objects & address groups on Palo Alto Firewall

The script below makes it easier to create address objects in bulk on a Palo Alto Networks firewall.

Supported input: 192.168.1.0/24, 192.168.2.2, 172.16.1.1/32, etc., separated by a comma or any other separator.

You can't define the subnet mask in dot-decimal notation, e.g., 255.255.255.0, 255.255.255.255, etc.

You need to define the group name and the IP addresses separately, using a space or any other separator.

We will automatically create separate address groups with 500 IP addresses in each group.
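
As an added example (not the site's own script), the Python below generates commands of the kind this page describes: it accepts CIDR or bare IPv4 entries with any separator, rejects dot-decimal masks, and splits the members into groups of 500. The function names, the `<group>-N` group naming, the /32 default for bare addresses, and applying the `shared` prefix (reported in the comments) to `address-group` as well are assumptions.

```python
import ipaddress
import re

GROUP_SIZE = 500  # members per address group, as the page states


def parse_entries(text):
    """Split on any separator and return unique IPv4 entries in input order."""
    seen, entries = set(), []
    # Anything that is not a digit, dot or slash counts as a separator.
    for token in filter(None, re.split(r"[^0-9./]+", text)):
        _, _, mask = token.partition("/")
        if mask and not mask.isdigit():
            raise ValueError(f"unsupported mask in {token}; use a /prefix length")
        iface = ipaddress.IPv4Interface(token)  # bare address becomes /32
        if iface not in seen:
            seen.add(iface)
            entries.append(iface)
    return entries


def build_commands(group, text, shared=False):
    """Return the set commands for the objects, then for the groups."""
    base = "set shared" if shared else "set"
    names, cmds = [], []
    for iface in parse_entries(text):
        # Object name mirrors the CIDR with "-" in place of "/".
        name = f"{iface.ip}-{iface.network.prefixlen}"
        names.append(name)
        cmds.append(f"{base} address {name} ip-netmask {iface.with_prefixlen}")
    # Assumption: groups are numbered <group>-1, <group>-2, ...
    for n, start in enumerate(range(0, len(names), GROUP_SIZE), 1):
        members = " ".join(names[start:start + GROUP_SIZE])
        cmds.append(f"{base} address-group {group}-{n} static [ {members} ]")
    return cmds


if __name__ == "__main__":
    sample = "192.168.1.0/24, 192.168.2.2; 172.16.1.1/32"  # constructed input
    print("\n".join(build_commands("Blocklist", sample, shared=True)))
```

Validating every entry before generating commands keeps a malformed line from being pasted into a scripting-mode CLI session, where it would fail partway through the batch.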

10 Comments

  1. How can we edit the security policy in Palo Alto Firewall through the CLI?

    Like, we need more IP addresses in the security policy without creating an object and group.

    We call IPs directly into the policy as the address object limit is exhausted/fully occupied.

    So we created a policy and are adding the IPs into that policy one by one, and we are required to add a bulk of IPs to the existing policy.

  2. This is a wonderful tool, and I appreciate the video that pointed me to it. This doesn’t process IPv6 addresses. Any chance you can make it work on those?

  3. Thank you so much for the amazing tool.

    Thank you so much for making this.

    I really appreciate your work.

    Please continue this in the future too.

  4. Hello

    I followed the exact steps in the video, but when I copy/paste the output into the Panorama CLI session I get an invalid syntax error.
    In our environment we create objects in Panorama and then push them to all firewalls.

  5. We have four Device Groups in Panorama and I would like to add the addresses to Device Group: External

    @Panorama> set cli config-output-format set
    set cli scripting-mode on
    @Panorama> set cli scripting-mode on
    configure
    set address 101.109.179.0-24 ip-netmask 101.109.179.0/24
    set address 101.128.71.0-24 ip-netmask 101.128.71.0/24
    @Panorama> Entering configuration mode
    set address 101.32.194.0-24 ip-netmask 101.32.194.0/24
    set address 101.43.191.0-24 ip-netmask 101.43.191.0/24
    set address 101.51.157.0-24 ip-netmask 101.51.157.0/24
    set address 102.0.1.0-24 ip-netmask 102.0.1.0/24
    [edit]
    @Panorama#
    Invalid syntax.
    set address 102.0.2.0-24 ip-netmask 102.0.2.0/24
    set address 102.132.19.0-24 ip-netmask 102.132.19.0/24
    set address 102.132.20.0-24 ip-netmask 102.132.20.0/24
    [edit]
    @Panorama#
    Invalid syntax.
    set address 102.164.208.0-24 ip-netmask 102.164.208.0/24
    set address 102.186.123.0-24 ip-netmask 102.186.123.0/24
    set address 102.214.84.0-24 ip-netmask 102.214.84.0/24
    [edit]
    @Panorama#
    Invalid syntax.
    set address 102.216.68.0-24 ip-netmask 102.216.68.0/24
    set address 102.219.205.0-24 ip-netmask 102.219.205.0/24
    set address 102.220.158.0-24 ip-netmask 102.220.158.0/24
    set address 102.22.117.0-24 ip-netmask 102.22.117.0/24
    [edit]
    @Panorama#
    Invalid syntax.
    set address 102.223.221.0-24 ip-netmask 102.223.221.0/24
    set address 102.36.163.0-24 ip-netmask 102.36.163.0/24
    set address 102.36.230.0-24 ip-netmask 102.36.230.0/24
    set address 102.50.247.0-24 ip-netmask 102.50.247.0/24
    [edit]
    @Panorama#
    Invalid syntax.
    set address 1.0.252.0-24 ip-netmask 1.0.252.0/24
    set address 102.67.169.0-24 ip-netmask 102.67.169.0/24
    [edit]
    @Panorama#
    Invalid syntax.
    set address 102.69.177.0-24 ip-netmask 102.69.177.0/24
    set address 102.69.5.0-24 ip-netmask 102.69.5.0/24
    set address 102.85.178.0-24 ip-netmask 102.85.178.0/24
    set address 102.88.84.0-24 ip-netmask 102.88.84.0/24

      1. Yes, I am aware, and we have a PA 5250 and a Panorama VM which are on PAN-OS 10.2.8.
        Can you look at my last two messages and tell me what I need to do for this to work?

        Thanks!

  6. Hello

    I have a PA 5250 and I copy/paste the output to the CLI and I get invalid syntax.
    Please help.

    Thanks

  7. You may need to add in 'shared' to your set address statements to get around the invalid syntax; it is what worked for me.

    set shared address ip-netmask

    Other than that, this tool was perfect. Just a quick find all and replace, and this helped me get 600 CIDR ranges into our firewall within 20 minutes.
