How to add or delete numerous objects from a device group

How to add or delete numerous objects from a device group

1120
Created On 02/14/22 18:56 PM - Last Modified 10/22/25 04:28 AM


Objective


This article will provide examples on how to use the CLI to paste the contents of a text file, which contains the commands that need to be executed to accomplish the goal. This is the summary of the procedure
  1. Identify the command that is to be executed
  2. Create a text file with numerous instances of that command
  3. Setup the Panorama CLI while in Operational Mode (while at the '>' prompt) to accept the pasting of the contents of the text file
  4. Paste the contents of the text file while in Configure Mode ('#)

Environment


  • Panorama
  • PAN-OS 10.1 and earlier
  • CLI (command line interface)
  • Scripting-mode

Procedure


Identify the CLI Command to accomplish the task
 

In the following examples, one must first move from Operational Mode, represented by the > CLI prompt, to Configure Mode, by executing configure at the CLI 
> configure
#
To return to Operational Mode again, execute 
# exit
>
The example below is specific to managing address objects. This can also be applied to other objects that can be revealed when one uses the <TAB> key for command completion: 
# set device-group DG_Lab_VM100-1 <TAB>
+ authorization-code      Authorization code
+ description             Description
+ to-sw-version           Automatically upgrade software to this version for new deployments
> address                 address 
> address-group           address-group 
> application             application 
> application-filter      application-filter 
> application-group       application-group 
> application-tag         application-tag 
> authentication-object   authentication-object 
> device-object           device-object 
> devices                 device serial numbers
> dynamic-user-group      dynamic-user-group 
> email-scheduler         email-scheduler 
> external-list           external-list 
> log-settings            log-settings 
> pdf-summary-report      pdf-summary-report 
> post-rulebase           post-rulebase 
> pre-rulebase            pre-rulebase 
> profile-group           profile-group 
> profiles                profiles 
> reference-templates     directly referred templates/template-stacks
> region                  region 
> report-group            report-group 
> reports                 reports 
> schedule                schedule 
> service                 service 
> service-group           service-group 
> tag                     tag 
> threats                 threats 
> user-group-source       user-group-source 
  <Enter>                 Finish input
 
  1. Create address object command
    • This will add an address object to a specific DG (device group) 
      # set device-group DG_Lab_VM100-1 address host-192-168-55-1 ip-netmask 192.168.55.1
    • This will add an address object to Shared 
      # set shared address host-192-168-55-1 ip-netmask 192.168.55.1
  2. Delete address object command
    • This will delete an address object from a specific DG 
      # delete device-group DG_Lab_VM100-1 address host-192-168-55-1
    • This will delete an address object from Shared 
      # delete shared address host-192-168-55-1
  3. Move command
    • PAN-OS (10.1 and earlier) does not provide a move command for objects

Create a text file of commands


The following are examples of entries that can be added to a text file in advance. Once the text file has all of the entries, the entire contents can be copied and then pasted to the CLI


Using the CLI to add address objects to a DG:

set device-group DG_Lab_VM100-1 address host-192-168-55-1 ip-netmask 192.168.55.1
set device-group DG_Lab_VM100-1 address host-192-168-55-2 ip-netmask 192.168.55.2
set device-group DG_Lab_VM100-1 address host-192-168-55-3 ip-netmask 192.168.55.3

Adding address objects to Shared:

set shared address host-192-168-55-1 ip-netmask 192.168.55.1
set shared address host-192-168-55-2 ip-netmask 192.168.55.2
set shared address host-192-168-55-3 ip-netmask 192.168.55.3

Deleting address objects from a DG:

delete device-group DG_Lab_VM100-1 address host-192-168-55-1
delete device-group DG_Lab_VM100-1 address host-192-168-55-2
delete device-group DG_Lab_VM100-1 address host-192-168-55-3

Delete address objects from Shared:

delete device-group DG_Lab_VM100-1 address host-192-168-55-1
delete device-group DG_Lab_VM100-1 address host-192-168-55-2
delete device-group DG_Lab_VM100-1 address host-192-168-55-3

Set up CLI to accept pasting of commands from the text file

> set cli scripting-mode on
NOTE: Once the CLI is in scripting-mode, normal <TAB> completion to recall a command does not work. You will have to completely type the following command to return the CLI to normal operation 
> set cli scripting-mode off
Once scripting-mode is enabled, get into configure mode 
> configure
# 

Pasting commands to the CLI
 

Enabling CLI scripting-mode allows for the CLI to buffer the individual commands. Hundreds of individual commands can be pasted at one time. It takes time for the buffer to be filled and then utilized. If enough commands are pasted at one time, then the output will produce lines that are a combination of commands being buffered and then executed. 

The output will first look normal

admin@Lab165-4_10-1(primary-active)# 
set device-group DG_Lab_VM100-1 address host-192-168-55-208 ip-netmask 192.168.55.208
set device-group DG_Lab_VM100-1 address host-192-168-55-209 ip-netmask 192.168.55.209
set device-group DG_Lab_VM100-1 address host-192-168-55-210 ip-netmask 192.168.55.210
set device-group DG_Lab_VM100-1 address host-192-168-55-211 ip-netmask 192.168.55.211

Then, some interesting patterns will emerge. Be patient, it will work as long as all of the commands are valid!

set device-group DG_Lab_VM100-1[edit] 

admin@Lab165-4_10-1(primary-active)#  address host-192-168-55-212 ip-netmask 192.168.55.212 set device-group DG_Lab_VM100 [edit]      

admin@Lab165-4_10-1(primary-active)# -1 address host-192-168-55-213 ip-netmask 192.168.55.213 set device-group DG_Lab_VM1 [edit]  
                                   
admin@Lab165-4_10-1(primary-active)# 00-1 address host-192-168-55-214 ip-netmask 192.168.55.214 set device-group DG_Lab_V [edit]                                                                               
admin@Lab165-4_10-1(primary-active)# M100-1 address host-192-168-55-215 ip-netmask 192.168.55.215 set device-group DG_Lab [edit]                                 

admin@Lab165-4_10-1(primary-active)# _VM100-1 address host-192-168-55-216 ip-netmask 192.168.55.216 set device-group DG_L [edit]          

admin@Lab165-4_10-1(primary-active)# ab_VM100-1 address host-192-168-55-217 ip-netmask 192.168.55.217 set device-group DG [edit]   
                        
admin@Lab165-4_10-1(primary-active)# _Lab_VM100-1 address host-192-168-55-218 ip-netmask 192.168.55.218 set device-group  [edit]                                                                 
admin@Lab165-4_10-1(primary-active)# DG_Lab_VM100-1 address host-192-168-55-219 ip-netmask 192.168.55.219 set device-grou [edit]             

admin@Lab165-4_10-1(primary-active)# p DG_Lab_VM100-1 address host-192-168-55-220 ip-netmask 192.168.55.220 set device-gr [edit]                                                   
admin@Lab165-4_10-1(primary-active)# oup DG_Lab_VM100-1 address host-192-168-55-221 ip-netmask 192.168.55.221 set device- [edit]                                                                               
admin@Lab165-4_10-1(primary-active)# group DG_Lab_VM100-1 address host-192-168-55-222 ip-netmask 192.168.55.222


 
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000004NDRCA2&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail