CSV Structure - Policies
This guide shows how to structure your CSV file(s) for the various policy actions: importing or modifying rules, exporting rules, moving rules, and grouping rules by tags.
Importing A Security Policy
When importing a CSV file to create security rules or modify them, the file MUST have the following fields in this order:
Name,Type,Description,Tags,SourceZones,SourceAddresses,NegateSource,SourceUsers,HipProfiles,
DestinationZones,DestinationAddresses,NegateDestination,Applications,Services,Categories,Action,
LogSetting,LogStart,LogEnd,Disabled,Schedule,IcmpUnreachable,DisableServerResponseInspection,
Group,Virus,Spyware,Vulnerability,UrlFiltering,FileBlocking,WildFireAnalysis,DataFiltering
TIP: The easiest way to make modifications while adhering to this order is to export the security policy first (using the panco policy export command) and then modify the output file. For example:
panco policy export -d firewall -u admin -g "Device-Group" --type security --file <file-to-output>
NOTE: When run against Panorama, be sure to use the --location flag to specify which rulebase to import/create the rules in. By default this is the “pre” rulebase.
When you create rules, or want to modify existing values of a rule, you DO NOT need to have every column listed above filled out with a value. The columns still NEED to be defined/listed, but they can be empty.
Any field you want to add or modify must have a value, but at the very least you MUST have values in the following fields:
Name,Type,Action
Importing A NAT Policy
When importing a CSV file to create NAT rules or modify them, the file MUST have the following columns in this order:
Name,Type,Description,Tags,SourceZones,DestinationZone,ToInterface,Service,SourceAddresses,
DestinationAddresses,SatType,SatAddressType,SatTranslatedAddresses,SatInterface,SatIpAddress,
SatFallbackType,SatFallbackTranslatedAddresses,SatFallbackInterface,SatFallbackIpType,
SatFallbackIpAddress,SatStaticTranslatedAddress,SatStaticBiDirectional,DatType,DatAddress,
DatPort,DatDynamicDistribution,Disabled
TIP: The easiest way to make modifications while adhering to this order is to export the NAT policy first (using the panco policy export command) and then modify the output file. For example:
panco policy export -d firewall -u admin -g "Device-Group" --type nat --file <file-to-output>
NOTE: When run against Panorama, be sure to use the --location flag to specify which rulebase to import/create the rules in. By default this is the “pre” rulebase.
When you create rules, or want to modify existing values of a rule, you DO NOT need to have every column listed above filled out with a value. The columns still NEED to be defined/listed, but they can be empty.
Any field you want to add or modify must have a value, but at the very least you MUST have values in the following fields:
Name,Type,ToInterface
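As an added example (not part of panco), here is a small Python pre-flight check that a security or NAT CSV carries the documented header in the required order and that every row fills the mandatory fields before the file is handed to panco policy import. The column names are copied from the two lists above; the sample rule is constructed for this example.

```python
import csv
import io

# Required column order for security and NAT policies, copied from the panco documentation.
REQUIRED_HEADERS = {
    "security": (
        "Name,Type,Description,Tags,SourceZones,SourceAddresses,NegateSource,"
        "SourceUsers,HipProfiles,DestinationZones,DestinationAddresses,"
        "NegateDestination,Applications,Services,Categories,Action,LogSetting,"
        "LogStart,LogEnd,Disabled,Schedule,IcmpUnreachable,"
        "DisableServerResponseInspection,Group,Virus,Spyware,Vulnerability,"
        "UrlFiltering,FileBlocking,WildFireAnalysis,DataFiltering"
    ).split(","),
    "nat": (
        "Name,Type,Description,Tags,SourceZones,DestinationZone,ToInterface,"
        "Service,SourceAddresses,DestinationAddresses,SatType,SatAddressType,"
        "SatTranslatedAddresses,SatInterface,SatIpAddress,SatFallbackType,"
        "SatFallbackTranslatedAddresses,SatFallbackInterface,SatFallbackIpType,"
        "SatFallbackIpAddress,SatStaticTranslatedAddress,SatStaticBiDirectional,"
        "DatType,DatAddress,DatPort,DatDynamicDistribution,Disabled"
    ).split(","),
}
# Fields that MUST carry a value in every row, per policy type.
MANDATORY = {"security": ("Name", "Type", "Action"), "nat": ("Name", "Type", "ToInterface")}

# Constructed sample: one security rule with the mandatory fields and a few others set, rest empty.
SAMPLE_SECURITY_CSV = ",".join(REQUIRED_HEADERS["security"]) + "\n" + (
    "allow-web,universal,,,trust,any,,,,untrust,any,,web-browsing,application-default,,allow" + "," * 15
)


def validate_policy_csv(text, policy_type):
    """Return a list of problems; an empty list means the CSV is acceptable for import."""
    expected, problems = REQUIRED_HEADERS[policy_type], []
    rows = [r for r in csv.reader(io.StringIO(text)) if r]  # skip blank lines
    header, *data = rows or [[]]  # an empty file is reported as a 0-column header
    if header != expected:
        # Point at the first column that breaks the required order, or at the column count.
        diff = [i for i, (got, want) in enumerate(zip(header, expected)) if got != want]
        problems.append(f"column {diff[0] + 1}: expected {expected[diff[0]]!r}, found {header[diff[0]]!r}"
                        if diff else f"header has {len(header)} columns, expected {len(expected)}")
    for lineno, row in enumerate(data, start=2):
        if len(row) != len(expected):
            problems.append(f"line {lineno}: {len(row)} values, expected {len(expected)}")
            continue
        record = dict(zip(expected, row))
        for field in MANDATORY[policy_type]:
            if not record[field].strip():
                problems.append(f"line {lineno}: mandatory field {field!r} is empty")
    return problems
```

Extending the two tables with the PBF and decryption headers listed on this page gives the same check for those policy types.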
Import A Policy-Based Forwarding Policy
When importing a CSV file to create policy-based forwarding rules or modify them, the file MUST have the following columns in this order:
Name,Description,Tags,FromType,FromValues,SourceAddresses,SourceUsers,NegateSource,
DestinationAddresses,NegateDestination,Applications,Services,Schedule,Disabled,Action,
ForwardVsys,ForwardEgressInterface,ForwardNextHopType,ForwardNextHopValue,ForwardMonitorProfile,
ForwardMonitorIpAddress,ForwardMonitorDisableIfUnreachable,EnableEnforceSymmetricReturn,
SymmetricReturnAddresses,ActiveActiveDeviceBinding,NegateTarget,Uuid
TIP: The easiest way to make modifications while adhering to this order is to export the PBF policy first (using the panco policy export command) and then modify the output file. For example:
panco policy export -d firewall -u admin -g "Device-Group" --type pbf --file <file-to-output>
NOTE: When run against Panorama, be sure to use the --location flag to specify which rulebase to import/create the rules in. By default this is the “pre” rulebase.
Importing A Decryption Policy
When importing a CSV file to create Decryption rules or modify them, the file MUST have the following columns in this order:
Name,Description,SourceZones,SourceAddresses,NegateSource,SourceUsers,DestinationZones,
DestinationAddresses,NegateDestination,Tags,Disabled,Services,UrlCategories,Action,
DecryptionType,SslCertificate,DecryptionProfile,NegateTarget,ForwardingProfile,GroupTag,
SourceHips,DestinationHips,LogSuccessfulTlsHandshakes,LogFailedTlsHandshakes,LogSetting,SslCertificates
TIP: The easiest way to make modifications while adhering to this order is to export the decryption policy first (using the panco policy export command) and then modify the output file. For example:
panco policy export -d firewall -u admin -g "Device-Group" --type decrypt --file <file-to-output>
NOTE: When run against Panorama, be sure to use the --location flag to specify which rulebase to import/create the rules in. By default this is the “pre” rulebase.
When you create rules, or want to modify existing values of a rule, you DO NOT need to have every column listed above filled out with a value. The columns still NEED to be defined/listed, but they can be empty.
Editing A Security, NAT, Decryption or Policy-Based Forwarding Policy/Rules – IMPORTANT
When you edit rules using the panco policy edit command, there are a few things to be aware of. The edit command uses the Palo Alto API edit action, instead of the set action that the import command uses. You can read more about the differences between edit and set on Palo Alto’s API request types documentation page.
Set and edit actions differ in two important ways:
- Set actions add, update, or merge configuration nodes, while edit actions replace configuration nodes.
- Set actions are non-destructive and are only additive, while edit actions can be destructive.
IMPORTANT: Please read and understand the above actions when choosing between the panco policy edit command and panco policy import.
Using the edit command will ultimately be the best way to make changes to rules, such as adding/removing address objects, applications, services, etc. As with the import command, the best way to preserve the current state of the rule(s) you are modifying is to first export the policy/rules you need to modify using the command below:
panco policy export -d firewall -u admin -g "Device-Group" --type security --file <file-to-output>
Once you have exported the rules, you can add/remove values in the different fields as needed, and then run the panco policy edit command on the CSV file you just edited.
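As an added example (not panco's own code), a Python pre-flight comparison of an edited CSV against the export it was derived from: for each rule it lists the columns that changed and flags columns that were blanked, since the edit action replaces the rule's configuration node rather than merging into it. The two CSVs are constructed for this example and trimmed to a few of the documented security columns; a real export carries the full header.

```python
import csv
import io


def load_rules(text):
    """Map each rule Name to its {column: value} row from a panco policy CSV."""
    return {row["Name"]: row for row in csv.DictReader(io.StringIO(text))}


def edit_preflight(exported_text, edited_text):
    """Compare an edited CSV against the export it was made from.

    Returns {rule: {"changed": {column: (old, new)}, "cleared": [columns]}} for every
    rule that differs. "cleared" lists columns that had a value in the export and are
    empty in the edited file; because the edit API action replaces the rule's
    configuration node, those deserve a second look before running panco policy edit.
    """
    before, after = load_rules(exported_text), load_rules(edited_text)
    report = {}
    for name, new in after.items():
        old = before.get(name)
        if old is None:
            report[name] = {"changed": {}, "cleared": [], "note": "rule not in export"}
            continue
        changed = {col: (old[col], new[col]) for col in new if old.get(col) != new[col]}
        if changed:
            cleared = [col for col, (o, n) in changed.items() if o and not n]
            report[name] = {"changed": changed, "cleared": cleared}
    for name in before.keys() - after.keys():
        report[name] = {"changed": {}, "cleared": [], "note": "rule dropped from edited file"}
    return report


# Constructed sample, cut down to a few of the documented security columns. In the edited
# copy, allow-web widens SourceAddresses and allow-dns loses its Description.
EXPORTED = """Name,Type,Description,SourceZones,SourceAddresses,DestinationZones,DestinationAddresses,Applications,Services,Action
allow-web,universal,Web out,trust,corp-lan,untrust,any,web-browsing,application-default,allow
allow-dns,universal,DNS out,trust,corp-lan,untrust,dns-servers,dns,application-default,allow
"""
EDITED = """Name,Type,Description,SourceZones,SourceAddresses,DestinationZones,DestinationAddresses,Applications,Services,Action
allow-web,universal,Web out,trust,any,untrust,any,web-browsing,application-default,allow
allow-dns,universal,,trust,corp-lan,untrust,dns-servers,dns,application-default,allow
"""
```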