I would like to get a list of all the zones in all the templates in a panorama config which do not have an interface assigned to them. I am working with a config where a large migration was performed. This migration had multiple firewalls merged and interfaces consolidated, but many un-needed zones were left in the config as a result of this. These zones are referenced in policy but do not have any interfaces assigned to them, so I would like to remove these "dummy" zones from all policy and delete them from the config. Currently there is no filter to do this in type=zone.
I would like a filter added to the type=zone util, possibly nested under the "object" context, which checks for the existence of an interface assigned to the zone. A simple filter such as 'filter=(object has.interface)' should do the trick, because of the inverse filter logic native to pan-os-php. I could use 'filter=!(object has.interface)' to get the opposite effect.
Describe alternatives you've considered
Currently, I just exported the zones from the templates in question to a CSV file and highlighted all the ones that do not have interfaces. I copied these out to a text file so I can make a big filter for type=rule so I can remove the zones. The above feature request would make it easier to get a list of interface-less zones.
Additional context
Panorama config has thousands of firewall rules spread across multiple device groups. Customer wants these dummy zones gone because it clutters the drop-down menus when selecting zones when making new rules through the GUI.
swaschkut
commented
1 year ago
Is your feature request related to a problem?
I would like to get a list of all the zones in all the templates in a panorama config which do not have an interface assigned to them. I am working with a config where a large migration was performed. This migration had multiple firewalls merged and interfaces consolidated, but many un-needed zones were left in the config as a result of this. These zones are referenced in policy but do not have any interfaces assigned to them, so I would like to remove these "dummy" zones from all policy and delete them from the config. Currently there is no filter to do this in type=zone.
Describe the solution you'd like
I would like a filter added to the type=zone util, possibly nested under the "object" context, which checks for the existence of an interface assigned to the zone. A simple filter such as
'filter=(object has.interface)'should do the trick, because of the inverse filter logic native to pan-os-php. I could use 'filter=!(object has.interface)' to get the opposite effect.Describe alternatives you've considered
Currently, I just exported the zones from the templates in question to a CSV file and highlighted all the ones that do not have interfaces. I copied these out to a text file so I can make a big filter for type=rule so I can remove the zones. The above feature request would make it easier to get a list of interface-less zones.
Additional context
Panorama config has thousands of firewall rules spread across multiple device groups. Customer wants these dummy zones gone because it clutters the drop-down menus when selecting zones when making new rules through the GUI.