Extracting IP Addresses from Palo Alto Configs: A Technical Guide
Palo Alto firewalls store configuration in XML format. Here's exactly what SimpleIPAM extracts and how the XML structure maps to useful IP address information.
Getting Your Palo Alto Config
First, export your running configuration. You have two options:
Via GUI:
- Navigate to Device → Setup → Operations
- Click "Export named configuration snapshot"
- Select "running-config.xml"
- Save the downloaded XML file
Via CLI:
> show config running
Copy the output and save as an .xml file.
Palo Alto XML Structure
Unlike FortiGate's text-based config, Palo Alto uses hierarchical XML. The structure follows this pattern:
<config>
  <devices>
    <entry name="localhost.localdomain">
      <vsys>
        <entry name="vsys1">
          <address>
            <!-- Address objects here -->
          </address>
          <address-group>
            <!-- Address groups here -->
          </address-group>
        </entry>
      </vsys>
      <network>
        <interface>
          <!-- Interfaces here -->
        </interface>
        <virtual-router>
          <!-- Routes here -->
        </virtual-router>
      </network>
    </entry>
  </devices>
</config>
1. Address Objects
Address objects are the building blocks of your firewall policies. They're stored under each vsys:
<address>
  <entry name="Web-Server-01">
    <ip-netmask>10.1.1.100/32</ip-netmask>
    <description>Production web server</description>
    <tag>
      <member>Production</member>
    </tag>
  </entry>
  <entry name="Internal-Network">
    <ip-netmask>10.0.0.0/8</ip-netmask>
  </entry>
  <entry name="Partner-DNS">
    <fqdn>dns.partner.com</fqdn>
  </entry>
  <entry name="IP-Range-DHCP">
    <ip-range>192.168.1.100-192.168.1.200</ip-range>
  </entry>
</address>
What SimpleIPAM extracts:
- Name: The object identifier from the entry name attribute
- Type: ip-netmask (host or subnet), ip-range, or fqdn
- Value: The IP address, CIDR, range, or domain
- Description: Documentation text if present
- Tags: Organizational labels
- vsys: Which virtual system contains this object
2. Address Groups
Groups reference address objects by name:
<address-group>
  <entry name="Web-Servers">
    <static>
      <member>Web-Server-01</member>
      <member>Web-Server-02</member>
      <member>Web-Server-03</member>
    </static>
    <description>All production web servers</description>
  </entry>
  <entry name="All-Internal">
    <static>
      <member>Internal-Network</member>
      <member>VPN-Users</member>
    </static>
  </entry>
</address-group>
What SimpleIPAM extracts:
- Group name
- Member list: All referenced address objects
- Member count
- Type: Static (explicit members) or dynamic (tag-based)
- Description
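As an added example (not SimpleIPAM's code), the Python below reads address objects and static groups per vsys from a constructed config and flattens a group to its values. It goes beyond the listing above by expanding nested groups and reporting members that no object in the same vsys defines; the function names and the `Everything` group are made up for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample in the layout shown above; Web-Server-02 is deliberately undefined.
SAMPLE = """<config><devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
<address>
  <entry name="Web-Server-01"><ip-netmask>10.1.1.100/32</ip-netmask></entry>
  <entry name="Internal-Network"><ip-netmask>10.0.0.0/8</ip-netmask></entry>
  <entry name="Partner-DNS"><fqdn>dns.partner.com</fqdn></entry>
  <entry name="IP-Range-DHCP"><ip-range>192.168.1.100-192.168.1.200</ip-range></entry>
</address>
<address-group>
  <entry name="Web-Servers"><static><member>Web-Server-01</member><member>Web-Server-02</member></static></entry>
  <entry name="Everything"><static><member>Web-Servers</member><member>Internal-Network</member></static></entry>
</address-group>
</entry></vsys></entry></devices></config>"""

def parse_vsys(xml_text):
    """Return {vsys: (objects, groups)}; objects map name -> (type, value)."""
    out = {}
    for v in ET.fromstring(xml_text).iterfind("./devices/entry/vsys/entry"):
        objs = {}
        for e in v.iterfind("./address/entry"):
            for kind in ("ip-netmask", "ip-range", "fqdn"):
                val = (e.findtext(kind) or "").strip()
                if val and kind == "ip-netmask":  # validate; a bare host becomes /32
                    val = str(ipaddress.ip_interface(val))
                if val:
                    objs[e.get("name")] = (kind, val)
        groups = {g.get("name"): [m.text for m in g.iterfind("./static/member")]
                  for g in v.iterfind("./address-group/entry")}
        out[v.get("name")] = (objs, groups)
    return out

def flatten(group, objs, groups, seen=None):
    """Expand a static group, nested groups included; return (values, dangling names)."""
    seen = {group} if seen is None else seen
    values, dangling = set(), set()
    for m in groups.get(group, []):
        if m in objs:
            values.add(objs[m][1])
        elif m not in groups:
            dangling.add(m)      # referenced but not defined in this vsys
        elif m not in seen:      # nested group; 'seen' stops reference loops
            v, d = flatten(m, objs, groups, seen | {m})
            values.update(v)
            dangling.update(d)
    return sorted(values), sorted(dangling)
```

Calling `flatten("Everything", *parse_vsys(SAMPLE)["vsys1"])` returns the two resolved values plus `Web-Server-02` as a dangling reference.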
3. Network Interfaces
Interfaces are defined in the network section:
<network>
  <interface>
    <ethernet>
      <entry name="ethernet1/1">
        <layer3>
          <ip>
            <entry name="203.0.113.1/30"/>
          </ip>
        </layer3>
        <comment>WAN Interface</comment>
      </entry>
      <entry name="ethernet1/2">
        <layer3>
          <ip>
            <entry name="10.1.1.1/24"/>
          </ip>
          <interface-management-profile>Allow-Ping</interface-management-profile>
        </layer3>
        <comment>LAN Interface</comment>
      </entry>
    </ethernet>
    <loopback>
      <entry name="loopback.1">
        <ip>
          <entry name="10.255.255.1/32"/>
        </ip>
      </entry>
    </loopback>
  </interface>
</network>
What SimpleIPAM extracts:
- Interface name: ethernet1/1, loopback.1, tunnel.1, etc.
- IP address with CIDR
- Interface type: Ethernet, loopback, tunnel, VLAN
- Comment/description
- Zone assignment (from zone configuration)
4. Static Routes
Routes are defined in virtual-router configuration:
<virtual-router>
  <entry name="default">
    <routing-table>
      <ip>
        <static-route>
          <entry name="Default-Route">
            <destination>0.0.0.0/0</destination>
            <nexthop>
              <ip-address>203.0.113.2</ip-address>
            </nexthop>
            <interface>ethernet1/1</interface>
            <metric>10</metric>
          </entry>
          <entry name="Branch-Office">
            <destination>10.2.0.0/16</destination>
            <nexthop>
              <ip-address>10.1.1.254</ip-address>
            </nexthop>
            <interface>ethernet1/2</interface>
          </entry>
        </static-route>
      </ip>
    </routing-table>
  </entry>
</virtual-router>
What SimpleIPAM extracts:
- Route name
- Destination network: CIDR notation
- Next hop IP
- Egress interface
- Metric
- Virtual router name
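Once interfaces and static routes are both extracted they can be cross-checked. The Python below is an added example, not SimpleIPAM's code: it reads the two layouts shown in sections 3 and 4 from a constructed `<network>` subtree and flags routes whose egress interface is undefined or whose next hop is outside that interface's subnet. Function names are made up for illustration, and the `Branch-Office` next hop is changed to a wrong value on purpose.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed <network> subtree; the Branch-Office next hop is deliberately off-subnet.
SAMPLE = """<network>
<interface>
  <ethernet>
    <entry name="ethernet1/1"><layer3><ip><entry name="203.0.113.1/30"/></ip></layer3></entry>
    <entry name="ethernet1/2"><layer3><ip><entry name="10.1.1.1/24"/></ip></layer3></entry>
  </ethernet>
  <loopback><entry name="loopback.1"><ip><entry name="10.255.255.1/32"/></ip></entry></loopback>
</interface>
<virtual-router><entry name="default"><routing-table><ip><static-route>
  <entry name="Default-Route"><destination>0.0.0.0/0</destination>
    <nexthop><ip-address>203.0.113.2</ip-address></nexthop><interface>ethernet1/1</interface></entry>
  <entry name="Branch-Office"><destination>10.2.0.0/16</destination>
    <nexthop><ip-address>10.9.9.254</ip-address></nexthop><interface>ethernet1/2</interface></entry>
</static-route></ip></routing-table></entry></virtual-router>
</network>"""

def interfaces(net):
    """Map interface name -> addresses; the address is the name of the inner <entry>."""
    out = {}
    for kind in net.find("interface"):            # <ethernet>, <loopback>, ...
        for ifc in kind.iterfind("entry"):
            # Ethernet keeps <ip> under <layer3>; loopback has it directly.
            ips = ifc.findall("layer3/ip/entry") + ifc.findall("ip/entry")
            out[ifc.get("name")] = [ipaddress.ip_interface(i.get("name")) for i in ips]
    return out

def check_routes(xml_text):
    """Return (virtual-router/route, problem) pairs for inconsistent static routes."""
    net = ET.fromstring(xml_text)
    ifs, problems = interfaces(net), []
    for vr in net.iterfind("virtual-router/entry"):
        for r in vr.iterfind("routing-table/ip/static-route/entry"):
            name = f"{vr.get('name')}/{r.get('name')}"
            hop, addrs = r.findtext("nexthop/ip-address"), ifs.get(r.findtext("interface"))
            if addrs is None:
                problems.append((name, "egress interface missing or not defined"))
            elif hop and not any(ipaddress.ip_address(hop) in a.network for a in addrs):
                problems.append((name, "next hop not on egress interface subnet"))
    return problems
```

On the sample, `check_routes(SAMPLE)` reports only `default/Branch-Office`; with the page's original next hop `10.1.1.254` it reports nothing.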
5. Security Zones
Zones group interfaces by trust level:
<zone>
  <entry name="Trust">
    <network>
      <layer3>
        <member>ethernet1/2</member>
        <member>ethernet1/3</member>
      </layer3>
    </network>
  </entry>
  <entry name="Untrust">
    <network>
      <layer3>
        <member>ethernet1/1</member>
      </layer3>
    </network>
  </entry>
  <entry name="DMZ">
    <network>
      <layer3>
        <member>ethernet1/4</member>
      </layer3>
    </network>
  </entry>
</zone>
6. NAT Rules
NAT rules map external to internal addresses:
<nat>
  <rules>
    <entry name="NAT-Web-Server">
      <source-translation>
        <dynamic-ip-and-port>
          <interface-address>
            <interface>ethernet1/1</interface>
          </interface-address>
        </dynamic-ip-and-port>
      </source-translation>
      <to>
        <member>Untrust</member>
      </to>
      <destination>
        <member>any</member>
      </destination>
      <source>
        <member>Web-Server-01</member>
      </source>
    </entry>
  </rules>
</nat>
Handling Multi-vsys Configurations
If your Palo Alto uses multiple virtual systems, SimpleIPAM extracts data from each vsys separately and tags objects with their vsys context. This lets you see which virtual firewall owns each address object.
What We Don't Parse
SimpleIPAM focuses on IP address management. We intentionally skip:
- Security policies: That's a different type of analysis
- Service objects: TCP/UDP ports aren't relevant to IPAM
- User-ID configuration: Not IP-related
- Threat prevention profiles: Security profiles are out of scope
- GlobalProtect settings: VPN config is separate from IP allocation
Try It With Your Config
Upload your Palo Alto config and see what we extract:
Works with PAN-OS 10.x and 11.x. No registration required.