dag-to-sag converter #795
Description
Describe the Problem
I'm an Resident Engineer at Palo and working on an config size issue. Large-scale Panorama deployments often rely on Dynamic Address Groups (DAGs) for automation. Address objects are heavily tagged so they can be dynamically included in DAGs. However, many security policies still reference the underlying tagged address objects directly, instead of using static address groups. This results in:
- Redundant
<tag>XML blocks on each address object - Configuration bloat
- Long commit, export, and validation times
- Difficulty auditing or interpreting security rules
In the client's environment, many address objects carry between 1–64 tags, which are reused heavily. Security policies often reference these objects directly, causing massive duplication in the XML configuration — despite DAGs already existing to capture them dynamically.
Describe the Solution You'd Like
We are requesting an offline-compatible CLI utility (or Panorama-native feature) that can be run against a PAN-OS XML configuration to do the following:
🔁 DAG-Based Static Group Conversion
For each Dynamic Address Group (DAG) in a specified Device Group:
- Parse the DAG’s match filter (e.g.,
'long_unique_name_TagName-src') - Identify all address objects that match the DAG filter based on their assigned tags
- Create static address groups to represent these objects:
- Group names should follow the format:
<DAGNAME>-SAG01<DAGNAME>-SAG02- ...
- Up to
-SAG99if needed
- Each group must contain no more than 1000 address objects
- If >1000 objects match a DAG, multiple groups must be created automatically
- Group names should follow the format:
- Update security policies in the same Device Group:
- Add the newly created address group(s) to the
sourceand/ordestinationfields if a matching address object is already present - Do not remove existing address objects (whether tagged or untagged)
- Do not modify the rule’s
<tag>metadata — these tags may be used for rule classification, visibility, or logging integrations
- Add the newly created address group(s) to the
- Preserve DAGs and tags:
- Do not alter or delete DAG definitions or tag objects
- These must remain in place to support dynamic onboarding and future automation
- Optionally strip the tag from matched address objects — but only if
strip=trueis provided
Note: We will be using this option.
CLI Interface (Suggested)
| Argument | Description |
|---|---|
in= |
Input XML config file (offline mode) |
out= |
Output XML config with changes applied |
location= |
Device Group to process |
replace=true |
Add matching static address groups to rules (non-destructive) |
strip=true |
Remove the matched tag from address objects after group assignment |
dryrun=true |
Preview actions only, no modifications applied |
csvout= |
Output a CSV summary of DAG-to-group mappings and rule updates |
Describe Alternatives You've Considered
-
Custom
pan-os-phpscripting
I've attempted this but the complexity required to scale this across 150K+ objects exceeds my scripting knowledge. -
Manual GUI export and filtering
This approach is completely unscalable and error-prone. It would require hours of repetitive steps and provide no guarantees of accuracy. -
Accepting the current configuration bloat
This leads to:- Commit and load times exceeding 30–40 minutes
- A 100MB+ config file that takes 30–40 minutes to run basic scripts or validation
- Excessive tag parsing time across the CLI and GUI
-
pan-os-python
This library appears to be API-only. Implementing this logic over the API would take weeks and could not be performed safely without halting automation — something we cannot do during this transition.
I can create a ticket on support.paloaltonetworks.com with the files. (to large/many to upload here)