deleting all addresses in Palo Alto Networks firewall

if you somehow end up having hundreds of address objects in a PAN firewall and you would like to delete all of them, good luck!
probably to prevent accidental removal there is no way on GUI as of now on 7.1.x releases (or I don’t know yet)
but if you want to you can use the following CLI option.

>set cli config-output-format set
>config
#show address 

copy the output you get on the previous “show address” command and paste into a file e.g “address.txt” in a Linux host then do
grab the first 3 lines

for example our file may contain the followings;

set address subnet10 ip-netmask 10.0.0.0/8
set address subnet172 ip-netmask 172.16.0.0/12
set address subnet192 ip-netmask 192.168.0.0/16
set address subnet127 ip-netmask 127.0.0.0/8
set address subnet169 ip-netmask 169.254.0.0/16
set address subnet224 ip-netmask 224.0.0.0/3
cat address.txt | sed 's/set/delete/g' | awk '{print $1 " " $2 " " $3}'

by doing this you create the delete statements of address objects. Your output should be like this

delete address subnet10
delete address subnet172
delete address subnet192
delete address subnet127
delete address subnet169
delete address subnet224

now you need to paste this on PAN cli. Depending on the number of objects you may need to enable scripting mode

> set cli scripting-mode on
> config

and then paste the delete commands and commit. That should be it!

About: rtoodtoo

Worked for more than 10 years as a Network/Support Engineer and also interested in Python, Linux, Security and SD-WAN // JNCIE-SEC #223 / RHCE / PCNSE


2 thoughts on “deleting all addresses in Palo Alto Networks firewall”

Leave a Reply to rtoodtooCancel reply

Discover more from RtoDto.net

Subscribe now to keep reading and get access to the full archive.

Continue reading