Editing A Policy
Edit a security, NAT, Decryption or Policy-Based Forwarding policy
Usage:
panco policy edit [flags]
Flags:
-d, --device string Device to connect to
-g, --devicegroup string Device Group name when importing to Panorama (default "shared")
-f, --file string Name of the CSV file to export to
-h, --help help for modify
-l, --location string Location of the rulebase - <pre|post> (default "pre")
-t, --type string Type of policy to import - <security|nat|decrypt|pbf>
-u, --user string User to connect to the device as
-v, --vsys string Vsys name when importing to a firewall (default "vsys1")
Overview
Using the edit command allows you to edit existing rules by adding or removing entries from each of the rule fields. You can modify/edit the following types of policies at this time:
- Security
- NAT
- Decryption
- Policy-Based Forwarding (PBF)
Please use the below link as a guide on how to structure your CSV file when modifying rules:
Important Tips
When you edit rules using the panco policy edit command, there are a few things to be aware of. The edit command uses the Palo Alto API edit action, instead of the set action that is used by the import command. You can read more about the differences between the edit and set actions on Palo Alto's API request types documentation page.
Set and edit actions differ in two important ways:
- Set actions add, update, or merge configuration nodes, while edit actions replace configuration nodes.
- Set actions are non-destructive and are only additive, while edit actions can be destructive.
IMPORTANT: Please read and understand the above actions when using the panco policy edit command vs panco policy import.
Using the edit command will ultimately be the best way to make changes to rules, such as adding/removing address objects, applications, services, etc. As with the import command, the best way to preserve the current state of the rule(s) you are modifying is to first export the policy/rules you need to modify using the below command:
panco policy export -d firewall -u admin -g "Device-Group" --type security --file <file-to-output>
Once you have exported the rules, you can add/remove values from the different fields as needed, and then run the panco policy edit command on the CSV file you just edited.
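Because edit actions replace configuration nodes rather than merging into them, it is worth comparing the exported CSV with your edited copy before running panco policy edit. The script below is an added example and not part of panco; the column names, the ";" separator for multi-value fields and the sample rows are constructed assumptions, so adjust them to match your own export.

```python
import csv
import io

# Constructed sample data; the column names and the ";" separator for
# multi-value fields are assumptions, not panco's documented CSV layout.
EXPORTED = """Name,SourceAddresses,Applications,Services
allow-web,web-srv-1;web-srv-2,ssl;web-browsing,application-default
allow-dns,dns-srv-1,dns,application-default
"""
EDITED = """Name,SourceAddresses,Applications,Services
allow-web,web-srv-1;web-srv-3,ssl,application-default
"""


def load_rules(text, key="Name", sep=";"):
    """Map rule name -> {field: set of values} for every row in the CSV."""
    rules = {}
    for row in csv.DictReader(io.StringIO(text)):
        name = row.pop(key)
        rules[name] = {
            field: {v.strip() for v in (cell or "").split(sep) if v.strip()}
            for field, cell in row.items()
        }
    return rules


def edit_impact(exported_text, edited_text):
    """Return {rule: {field: {"removed": [...], "added": [...]}}}."""
    before, after = load_rules(exported_text), load_rules(edited_text)
    report = {}
    # Only rows present in the edited file are compared (assumption: the
    # edit run touches just the rules listed in the CSV it is given).
    for name, fields in after.items():
        old = before.get(name, {})
        for field, new_values in fields.items():
            old_values = old.get(field, set())
            removed = sorted(old_values - new_values)
            added = sorted(new_values - old_values)
            if removed or added:
                report.setdefault(name, {})[field] = {"removed": removed, "added": added}
    return report


if __name__ == "__main__":
    for rule, fields in edit_impact(EXPORTED, EDITED).items():
        for field, delta in fields.items():
            print(f"{rule}.{field}: -{delta['removed']} +{delta['added']}")
```

Any entry listed under "removed" is a value that will no longer be on the rule after the edit, so review those lines before applying the change.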