How to Import and Export local Address and Address Objects between Firewalls
167179
Created On 09/25/18 17:39 PM - Last Modified 12/20/23 21:17 PM
Objective
This document describes how to import and export address and address objects from one firewall to another without having to redefine them manually. This document can be used in scenarios where multiple Palo Alto Networks firewalls at different sites want to leverage an existing address/ address-group configuration.
Environment
- Palo Alto Firewall
- Importing locally stored Address Objects
Procedure
- Verify from the existing firewall, that Address and Address-objects exists using GUI: Objects > Address and Address Groups
- From the CLI, set the configuration output format to 'set' and extract address and address/group information: (Note: Works for locally stored address only, not Panorama pushed Addresses)
> set cli config-output-format set > configure Entering configuration mode [edit] # show address set address google fqdn google.com set address google description "FQDN address object for google.com"set address mgmt-L3 ip-netmask 10.66.18.0/23 set address mgmt-L3 description "IP Netmask address object for mgmt-L3" set address trust-L3 ip-netmask 10.66.20.0/23 set address untrust-L3 ip-netmask 10.66.24.0/23 set address dmz-L3 ip-netmask 10.66.22.0/23 [edit] # show address-group set address-group Inside static [ dmz-L3 mgmt-L3 trust-L3 ] set address-group Outside static [ google untrust-L3 ] [edit] - Copy all the 'set' commands from the above output to a Notepad file, and edit as desired for other firewalls. For address-groups, make sure that the entire set command is copied/pasted including the '[ ]' part
- Login into the CLI of other firewalls, move the CLI config-output-format to 'set' and paste the commands into the configuration mode and commit the configuration.
> set cli config-output-format set > configure # <paste all the set commands here> # commit