How to Export Palo Alto Networks Firewall Configuration to a Spreadsheet
Rohit Singla describes how to export Palo Alto configurations into a spreadsheet. Read more …
Notice: This blog post was originally published on Indeni before its acquisition by BlueCat.
The content reflects the expertise and perspectives of the Indeni team at the time of writing. While some references may be outdated, the insights remain valuable. For the latest updates and solutions, explore the rest of our blog
Key takeawaysThis key takeaway was generated through LLMs crawling the page and coming up with an overview of the content.This article describes a step-by-step method to extract Palo Alto Networks firewall configuration sections (security policies, address objects, address-groups, PBF policies, interfaces, and zones) from a running-config XML snapshot and convert them into Excel spreadsheets for design, audit, and operational review. It addresses the real-world need to share, analyze, and document firewall rules and objects in a familiar tabular format by trimming the XML to the desired tags, cleaning member tags and whitespace, and using Excel’s XML Data Import feature. The outcome is a repeatable, low-tool workflow that yields well-formatted spreadsheets to support team collaboration, audits, and troubleshooting in environments using Palo Alto NGFWs.
What is the first step required to export Palo Alto configuration into a spreadsheet?
The first step is to log in to the Palo Alto firewall and navigate to Device > Setup > Operations, then click on Export Named Configuration Snapshot. From the pop-up, select running-config.xml and save that file to a desired location. This running-config.xml is the base file used to create copies for extracting policies, address objects, address-groups, PBF, interfaces, and zones into separate XML files for import into Excel.
How do you prepare the policies.xml file so Excel can import it as a table?
Make a copy of running-config.xml and rename it policies.xml. Open it in an advanced text editor (Notepad++, EditPadLite, or WordPad) and search for the tag; delete everything before . Then find the tag and delete everything after it. Remove all and tags via find-and-replace (replace them with nothing). Save the cleaned file, then in Excel use Data > From Other Sources > From XML Data Import and select policies.xml to load the policies into a spreadsheet. If cell alignment issues occur, use find-and-replace to remove spaces as described.
Can the same method be used to export address objects, PBF rules, interfaces and zones?
Yes. The same workflow is applied to each configuration section: make a copy of running-config.xml and name it appropriately (address.xml, address-group.xml, pbf.xml, interfaces.xml, or zones.xml). Open the copy in a text editor and trim the file to keep only the specific tag block (for example, … for address objects), deleting everything before the opening tag and after the closing tag. Save the file and import it into Excel via Data > From Other Sources > From XML Data Import to produce a formatted table for each section.
Sometimes it becomes very important and necessary to have the configured policies, routes, and interfaces in a spreadsheet to be shared with the Design Team, the Audit team and for some other purposes. The below method can help in getting thePalo Alto Configuration in a spreadsheet as and when you require and provides insights into Palo Alto best practices. Here you go:
1. First of all, login to your Palo Alto Firewall and navigate to Device > Setup > Operations and click on Export Named Configuration Snapshot:
2. From the pop-up menu select running-config.xml, and click OK. Save the file to the desired location.
3. To export the Security Policies into a spreadsheet, please do the following steps:
a. Make a copy of the running-config.xml and rename it as policies.xml. We will use more copies of running.xml for more operations later.
b. Open the policies.xml in a notepad++, wordpad, editpadlite kind of editor. Avoid normal notepad. If you don’t have notepad++ or editpadlite, use wordpad (inbuilt in your windows).
c. Search for a keyword <security> including the < and > character:
d. Delete all the text before the tag <security>
e. Search for a keyword </security> including the < and > character:
f. Delete all the text after the tag </security>
g. Now do a find and replace option for keyword <member>, replace <member> with blank (nothing)
h. Now similarly do a find and replace option for keyword </member>, replace
</member> with blank (nothing)
i. Save the file and close it.
j. Open a new Excel Spreadsheet and click on MenuBar DATA > From Other Sources > From XML Data import.
k. From the pop-up window, browse and select the policies.xml file. Click on Open, then click OK and then again click OK.
l. There you go, you have all your policies in a spreadsheet.
m. If you see some alignment issue in the cells, quickly press Ctrl+h (find and replace operation), and replace “ “ (space) with blank(nothing) as below:
n. You will see your policies in an excellent and formatted table.
4. To export AddressObjects , create a copy of running-config.xml and save it as address.xml.
a. Open interfaces.xml and search for tag <address> and delete all the text before this tag.
b. Similarly search for </address> delete all the text after this tag.
c. Save it and repeat steps j,k,l from Policies section.
5. To export Address-Groups, create a copy of running-config.xml and save it as address-group.xml.
a. Open interfaces.xml and search for tag <address-group> and delete all the text before this tag.
b. Similarly search for </address-group> delete all the text after this tag.
c. Save it and repeat steps j,k,l from Policies section.
6. To export PBF policies, create a copy of running-config.xml and save it as pbf.xml.
a. Open interfaces.xml and search for tag <pbf> and delete all the text before this tag.
b. Similarly search for </pbf> delete all the text after this tag.
c. Save it and repeat steps j,k,l from Policies section.
7. To export interfaces, create a copy of running-config.xml and save it as interfaces.xml.
a. Open interfaces.xml and search for tag <interface> and delete all the text before this tag.
b. Similarly search for </interface> delete all the text after this tag.
c. Save it and repeat steps j,k,l from Policies section.
8. To export Zones, create a copy of running-config.xml and save it as zones.xml.
a. Open interfaces.xml and search for tag <zone> and delete all the text before this tag.
b. Similarly search for </zone> delete all the text after this tag.
c. Save it and repeat steps j,k,l from Policies section.
Check out our top support for Palo Alto Network NGFW. We have automated the world’s best practices to prevent costly disruptions. We can automatically diagnose commonly found problems and recommend fixes. Take a look at this example of how we ensure continuous log collection for your firewall.
Rohit Singla is a Security Consultant. He has been working with Palo Alto Network firewalls for about seven years. If you want to contribute as well, click here.
Related content
How to map your network with user-defined links in Integrity X
Map your network with user-defined links in Integrity X to define and manage custom relationships, such as dual-stack and NAT environments.
Automate your DDI modernization path by migrating with Micetro
Automate cross-platform DNS and DHCP migration with Micetro to reduce risk, eliminate manual effort, and modernize infrastructure faster.
Your journey to intelligent NetOps begins at Cisco Live
Visit BlueCat’s booth or book a meeting now to learn more about how our solutions can help you build a network that supports constant change.
Replace BIND and ISC with Micetro DNS/DHCP Server (MDDS)
Tired of patching and manually configuring BIND DNS and ISC DHCP? Discover how Micetro MDDS appliances can replace them for modern DDI.