CSV Structure - Policies
This guide shows how to structure your CSV file(s) for the various policy actions: importing or modifying rules, exporting rules, moving rules, and grouping rules by tags.
The CSV structure differs slightly between a firewall device and Panorama: the Panorama file needs the following two fields at the beginning, ahead of all the rest:
DeviceGroup,Location
TIP: The easiest way to make modifications while adhering to the CSV format and column order is to export the policy first (using the panco policy export command) and then modify the output file. For example:
panco policy export -d firewall -u admin -g "Device-Group" --type security --file <file-to-output>
Sample CSV files are linked below each rule section as well.
Importing A Security Policy
When importing a CSV file to create security rules or modify them, the file MUST have the following fields in this order:
For a Firewall
Name,Type,Description,Tags,SourceZones,SourceAddresses,NegateSource,SourceUsers,HipProfiles,
DestinationZones,DestinationAddresses,NegateDestination,Applications,Services,Categories,Action,
LogSetting,LogStart,LogEnd,Disabled,Schedule,IcmpUnreachable,DisableServerResponseInspection,
Group,Virus,Spyware,Vulnerability,UrlFiltering,FileBlocking,WildFireAnalysis,DataFiltering
SAMPLE Firewall Security Rules CSV
For Panorama
DeviceGroup,Location,Name,Type,Description,Tags,SourceZones,SourceAddresses,NegateSource,SourceUsers,HipProfiles,
DestinationZones,DestinationAddresses,NegateDestination,Applications,Services,Categories,Action,
LogSetting,LogStart,LogEnd,Disabled,Schedule,IcmpUnreachable,DisableServerResponseInspection,
Group,Virus,Spyware,Vulnerability,UrlFiltering,FileBlocking,WildFireAnalysis,DataFiltering
SAMPLE Panorama Security Rules CSV
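A pre-flight check for the security-rule layout above, written as an added example (it is not part of panco): it verifies the column names and order for a firewall or Panorama file and that every rule row has the same number of cells. It assumes the first row of the file is a header naming the columns; the function name and sample rule are hypothetical.

```python
import csv
import io

# Security-rule columns in the order this page requires.
SECURITY_FIELDS = (
    "Name,Type,Description,Tags,SourceZones,SourceAddresses,NegateSource,"
    "SourceUsers,HipProfiles,DestinationZones,DestinationAddresses,"
    "NegateDestination,Applications,Services,Categories,Action,LogSetting,"
    "LogStart,LogEnd,Disabled,Schedule,IcmpUnreachable,"
    "DisableServerResponseInspection,Group,Virus,Spyware,Vulnerability,"
    "UrlFiltering,FileBlocking,WildFireAnalysis,DataFiltering"
).split(",")
PANORAMA_PREFIX = ["DeviceGroup", "Location"]


def check_security_csv(text, panorama=False):
    """Return a list of layout problems; an empty list means none found."""
    expected = (PANORAMA_PREFIX if panorama else []) + SECURITY_FIELDS
    rows = list(csv.reader(io.StringIO(text)))
    if not rows:
        return ["file is empty"]
    # Assumption: the first row is a header naming the columns.
    header = [cell.strip() for cell in rows[0]]
    problems = []
    if not panorama and header[:2] == PANORAMA_PREFIX:
        problems.append("header starts with DeviceGroup,Location (Panorama layout)")
    elif panorama and header[:2] != PANORAMA_PREFIX:
        problems.append("Panorama file must start with DeviceGroup,Location")
    for pos, (got, want) in enumerate(zip(header, expected), start=1):
        if got != want:
            # Later columns are shifted too, so report only the first mismatch.
            problems.append(f"column {pos}: expected {want}, found {got}")
            break
    if len(header) != len(expected):
        problems.append(f"header has {len(header)} columns, expected {len(expected)}")
    for rowno, row in enumerate(rows[1:], start=2):
        if len(row) != len(expected):
            problems.append(f"row {rowno}: {len(row)} cells, expected {len(expected)}")
    return problems


if __name__ == "__main__":
    # Constructed sample: correct firewall header plus one mostly empty rule.
    rule = ["allow-web"] + [""] * (len(SECURITY_FIELDS) - 1)
    sample = ",".join(SECURITY_FIELDS) + "\n" + ",".join(rule) + "\n"
    print(check_security_csv(sample) or "layout OK")
```

Running it on the exported file before and after editing catches a dropped or reordered column before the file reaches the device.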
Importing A NAT Policy
When importing a CSV file to create NAT rules or modify them, the file MUST have the following columns in this order:
For a Firewall
Name,Type,Description,Tags,SourceZones,DestinationZone,ToInterface,Service,SourceAddresses,
DestinationAddresses,SatType,SatAddressType,SatTranslatedAddresses,SatInterface,SatIpAddress,
SatFallbackType,SatFallbackTranslatedAddresses,SatFallbackInterface,SatFallbackIpType,
SatFallbackIpAddress,SatStaticTranslatedAddress,SatStaticBiDirectional,DatType,DatAddress,
DatPort,DatDynamicDistribution,Disabled
For Panorama
DeviceGroup,Location,Name,Type,Description,Tags,SourceZones,DestinationZone,ToInterface,Service,SourceAddresses,
DestinationAddresses,SatType,SatAddressType,SatTranslatedAddresses,SatInterface,SatIpAddress,
SatFallbackType,SatFallbackTranslatedAddresses,SatFallbackInterface,SatFallbackIpType,
SatFallbackIpAddress,SatStaticTranslatedAddress,SatStaticBiDirectional,DatType,DatAddress,
DatPort,DatDynamicDistribution,Disabled
Importing A Policy-Based Forwarding Policy
When importing a CSV file to create policy-based forwarding rules or modify them, the file MUST have the following columns in this order:
For a Firewall
Name,Description,Tags,FromType,FromValues,SourceAddresses,SourceUsers,NegateSource,
DestinationAddresses,NegateDestination,Applications,Services,Schedule,Disabled,Action,
ForwardVsys,ForwardEgressInterface,ForwardNextHopType,ForwardNextHopValue,ForwardMonitorProfile,
ForwardMonitorIpAddress,ForwardMonitorDisableIfUnreachable,EnableEnforceSymmetricReturn,
SymmetricReturnAddresses,ActiveActiveDeviceBinding,NegateTarget,Uuid
For Panorama
DeviceGroup,Location,Name,Description,Tags,FromType,FromValues,SourceAddresses,SourceUsers,NegateSource,
DestinationAddresses,NegateDestination,Applications,Services,Schedule,Disabled,Action,
ForwardVsys,ForwardEgressInterface,ForwardNextHopType,ForwardNextHopValue,ForwardMonitorProfile,
ForwardMonitorIpAddress,ForwardMonitorDisableIfUnreachable,EnableEnforceSymmetricReturn,
SymmetricReturnAddresses,ActiveActiveDeviceBinding,NegateTarget,Uuid
Importing A Decryption Policy
When importing a CSV file to create Decryption rules or modify them, the file MUST have the following columns in this order:
For a Firewall
Name,Description,SourceZones,SourceAddresses,NegateSource,SourceUsers,DestinationZones,
DestinationAddresses,NegateDestination,Tags,Disabled,Services,UrlCategories,Action,
DecryptionType,SslCertificate,DecryptionProfile,NegateTarget,ForwardingProfile,GroupTag,
SourceHips,DestinationHips,LogSuccessfulTlsHandshakes,LogFailedTlsHandshakes,LogSetting,SslCertificates
SAMPLE Firewall Decryption Rules CSV
For Panorama
DeviceGroup,Location,Name,Description,SourceZones,SourceAddresses,NegateSource,SourceUsers,DestinationZones,
DestinationAddresses,NegateDestination,Tags,Disabled,Services,UrlCategories,Action,
DecryptionType,SslCertificate,DecryptionProfile,NegateTarget,ForwardingProfile,GroupTag,
SourceHips,DestinationHips,LogSuccessfulTlsHandshakes,LogFailedTlsHandshakes,LogSetting,SslCertificates
SAMPLE Panorama Decryption Rules CSV
Editing A Security, NAT, Policy-Based Forwarding or Decryption Policy/Rules – IMPORTANT
When you edit rules using the panco policy edit command, there are a few things to be aware of. The edit command uses the Palo Alto API edit action, instead of the set action that the import command uses. You can read more about the differences between edit and set on Palo Alto’s API request types documentation page.
Set and edit actions differ in two important ways:
- Set actions add, update, or merge configuration nodes, while edit actions replace configuration nodes.
- Set actions are non-destructive and are only additive, while edit actions can be destructive.
IMPORTANT: Please read and understand the above actions when using the panco policy edit command vs panco policy import.
Using the edit command will ultimately be the best way to make changes to rules, such as adding/removing address objects, applications, services, etc. Similar to the import command, the best way to preserve the current state of the rule(s) you are modifying is to first export the policy/rules you need to modify using the below command:
panco policy export -d firewall -u admin -g "Device-Group" --type security --file <file-to-output>
Once you have exported the rules, you can add/remove values from the different fields as needed, and then run the panco policy edit command on the CSV file you just edited.
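Because edit replaces configuration nodes rather than merging them, it helps to review exactly which cells differ from the export before running the edit. The following is an added example (not part of panco) that compares the exported CSV with the edited copy cell by cell; it assumes both files have a header row, and the function names and the trimmed four-column sample are constructed for illustration.

```python
import csv
import io


def index_rules(text, keys):
    """Map each rule's key columns to its row. Assumes a header row."""
    return {tuple(r[k] for k in keys): r for r in csv.DictReader(io.StringIO(text))}


def edit_impact(exported_text, edited_text, keys=("Name",)):
    """Compare the exported CSV with the edited copy, cell by cell.

    Returns (changed, untouched): changed maps rule key -> {column: (old, new)},
    untouched lists rules present only in the export. For Panorama files pass
    keys=("DeviceGroup", "Location", "Name").
    """
    before = index_rules(exported_text, keys)
    after = index_rules(edited_text, keys)
    changed = {}
    for rule, new_row in after.items():
        old_row = before.get(rule, {})
        diff = {col: (old_row.get(col, ""), new)
                for col, new in new_row.items() if old_row.get(col, "") != new}
        if diff:
            changed[rule] = diff
    return changed, [rule for rule in before if rule not in after]


def emptied_cells(changed):
    """Cells that held a value in the export but are blank in the edit."""
    return [(rule, col) for rule, cols in changed.items()
            for col, (old, new) in cols.items() if old.strip() and not new.strip()]


# Constructed sample, trimmed to four columns for readability.
EXPORTED = """Name,SourceAddresses,Applications,Action
allow-web,web-clients,web-browsing,allow
allow-dns,dns-clients,dns,allow
allow-ntp,any,ntp,allow
"""
EDITED = """Name,SourceAddresses,Applications,Action
allow-web,web-clients,ssl,allow
allow-dns,,dns,allow
"""

if __name__ == "__main__":
    changed, untouched = edit_impact(EXPORTED, EDITED)
    for rule, cols in changed.items():
        print(rule, cols)
    print("blanked:", emptied_cells(changed), "not in edit file:", untouched)
```

Any cell listed by emptied_cells held a value in the export and is blank in the edited file, so confirm each one is intentional before the edit runs.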