Extracting IP Addresses from Palo Alto Configs: A Technical Guide
Palo Alto firewalls store configuration in XML format. Here's exactly what SimpleIPAM extracts and how the XML structure maps to useful IP address information.
Getting Your Palo Alto Config
First, export your running configuration. You have two options:
Via GUI:
Navigate to Device → Setup → Operations
Click "Export named configuration snapshot"
Select "running-config.xml"
Save the downloaded XML file
Via CLI:
> show config running
Copy the output and save as an .xml file.
Palo Alto XML Structure
Unlike FortiGate's text-based config, Palo Alto uses hierarchical XML. The structure follows this pattern:
<config>
  <devices>
    <entry name="localhost.localdomain">
      <vsys>
        <entry name="vsys1">
          <address>
            <!-- Address objects here -->
          </address>
          <address-group>
            <!-- Address groups here -->
          </address-group>
        </entry>
      </vsys>
      <network>
        <interface>
          <!-- Interfaces here -->
        </interface>
        <virtual-router>
          <!-- Routes here -->
        </virtual-router>
      </network>
    </entry>
  </devices>
</config>
1. Address Objects
Address objects are the building blocks of your firewall policies. They're stored under each vsys:
<address>
  <entry name="Web-Server-01">
    <ip-netmask>10.1.1.100/32</ip-netmask>
    <description>Production web server</description>
    <tag>
      <member>Production</member>
    </tag>
  </entry>
  <entry name="Internal-Network">
    <ip-netmask>10.0.0.0/8</ip-netmask>
  </entry>
  <entry name="Partner-DNS">
    <fqdn>dns.partner.com</fqdn>
  </entry>
  <entry name="IP-Range-DHCP">
    <ip-range>192.168.1.100-192.168.1.200</ip-range>
  </entry>
</address>
What SimpleIPAM extracts:
Name: The object identifier from the entry name attribute
Type: ip-netmask (host or subnet), ip-range, or fqdn
Value: The IP address, CIDR, range, or domain
Description: Documentation text if present
Tags: Organizational labels
vsys: Which virtual system contains this object
2. Address Groups
Groups reference address objects by name:
<address-group>
  <entry name="Web-Servers">
    <static>
      <member>Web-Server-01</member>
      <member>Web-Server-02</member>
      <member>Web-Server-03</member>
    </static>
    <description>All production web servers</description>
  </entry>
  <entry name="All-Internal">
    <static>
      <member>Internal-Network</member>
      <member>VPN-Users</member>
    </static>
  </entry>
</address-group>
What SimpleIPAM extracts:
Group name
Member list: All referenced address objects
Member count
Type: Static (explicit members) or dynamic (tag-based)
Description
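An added example, not SimpleIPAM's code: a Python sketch that reads the address objects and static address groups of each vsys, then expands a group to its underlying values and reports members that are not defined in that vsys. The sample config, the nested group "Everything" and the function names parse_vsys and expand are constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample (not a real export), shaped like the snippets on this page.
SAMPLE = """<config><devices><entry name="localhost.localdomain"><vsys>
<entry name="vsys1"><address>
  <entry name="Web-Server-01"><ip-netmask>10.1.1.100/32</ip-netmask>
    <tag><member>Production</member></tag></entry>
  <entry name="Partner-DNS"><fqdn>dns.partner.com</fqdn></entry></address>
<address-group><entry name="Web-Servers"><static><member>Web-Server-01</member>
    <member>Web-Server-02</member></static></entry>
  <entry name="Everything"><static><member>Web-Servers</member>
    <member>Partner-DNS</member></static></entry></address-group></entry>
<entry name="vsys2"><address>
  <entry name="Web-Server-01"><ip-netmask>172.16.0.10</ip-netmask></entry>
</address></entry></vsys></entry></devices></config>"""

def parse_vsys(xml_text):
    """Return {vsys: {"objects": {...}, "groups": {...}}} for each vsys."""
    out = {}
    for vsys in ET.fromstring(xml_text).findall("devices/entry/vsys/entry"):
        objects, groups = {}, {}
        for e in vsys.findall("address/entry"):
            kind = next((t for t in ("ip-netmask", "ip-range", "fqdn")
                         if e.find(t) is not None), None)
            if kind is None:
                continue  # unknown object type: skip rather than guess
            value = e.findtext(kind).strip()
            if kind == "ip-netmask":  # bare host address becomes /32 (or /128)
                value = str(ipaddress.ip_interface(value))
            objects[e.get("name")] = {"type": kind, "value": value,
                "tags": [m.text for m in e.findall("tag/member")]}
        for g in vsys.findall("address-group/entry"):  # static members only
            groups[g.get("name")] = [m.text for m in g.findall("static/member")]
        out[vsys.get("name")] = {"objects": objects, "groups": groups}
    return out

def expand(cfg, vsys, name, seen=()):
    """Resolve a name to (values, unresolved_names), following nested groups."""
    objects, groups = cfg[vsys]["objects"], cfg[vsys]["groups"]
    if name in objects:
        return [objects[name]["value"]], []
    if name not in groups or name in seen:  # undefined in this vsys, or a loop
        return [], [name]
    values, missing = [], []
    for member in groups[name]:
        v, m = expand(cfg, vsys, member, seen + (name,))
        values, missing = values + v, missing + m
    return values, missing
```

Because lookups are scoped to one vsys, the same object name can carry different values in vsys1 and vsys2 without colliding.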
3. Network Interfaces
Interfaces are defined in the network section:
<network>
  <interface>
    <ethernet>
      <entry name="ethernet1/1">
        <layer3>
          <ip>
            <entry name="203.0.113.1/30"/>
          </ip>
        </layer3>
        <comment>WAN Interface</comment>
      </entry>
      <entry name="ethernet1/2">
        <layer3>
          <ip>
            <entry name="10.1.1.1/24"/>
          </ip>
          <interface-management-profile>Allow-Ping</interface-management-profile>
        </layer3>
        <comment>LAN Interface</comment>
      </entry>
    </ethernet>
    <loopback>
      <entry name="loopback.1">
        <ip>
          <entry name="10.255.255.1/32"/>
        </ip>
      </entry>
    </loopback>
  </interface>
</network>
What SimpleIPAM extracts:
Interface name: ethernet1/1, loopback.1, tunnel.1, etc.
IP address with CIDR
Interface type: Ethernet, loopback, tunnel, VLAN
Comment/description
Zone assignment (from zone configuration)
4. Static Routes
Routes are defined in virtual-router configuration:
<virtual-router>
  <entry name="default">
    <routing-table>
      <ip>
        <static-route>
          <entry name="Default-Route">
            <destination>0.0.0.0/0</destination>
            <nexthop>
              <ip-address>203.0.113.2</ip-address>
            </nexthop>
            <interface>ethernet1/1</interface>
            <metric>10</metric>
          </entry>
          <entry name="Branch-Office">
            <destination>10.2.0.0/16</destination>
            <nexthop>
              <ip-address>10.1.1.254</ip-address>
            </nexthop>
            <interface>ethernet1/2</interface>
          </entry>
        </static-route>
      </ip>
    </routing-table>
  </entry>
</virtual-router>
What SimpleIPAM extracts:
Route name
Destination network: CIDR notation
Next hop IP
Egress interface
Metric
Virtual router name
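An added example, not SimpleIPAM's code: a Python sketch that extracts the static-route fields listed above and then answers the question an inventory is usually asked, namely which route a given address would follow, using longest-prefix match within one virtual router. The function names static_routes and best_route and the tie-break for a route without a metric are assumptions of this sketch.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample (not a real export), using the two routes shown above.
SAMPLE = """<config><devices><entry name="localhost.localdomain"><network>
<virtual-router><entry name="default"><routing-table><ip><static-route>
  <entry name="Default-Route"><destination>0.0.0.0/0</destination>
    <nexthop><ip-address>203.0.113.2</ip-address></nexthop>
    <interface>ethernet1/1</interface><metric>10</metric></entry>
  <entry name="Branch-Office"><destination>10.2.0.0/16</destination>
    <nexthop><ip-address>10.1.1.254</ip-address></nexthop>
    <interface>ethernet1/2</interface></entry>
</static-route></ip></routing-table></entry></virtual-router>
</network></entry></devices></config>"""

def static_routes(xml_text):
    """Return every static route, tagged with its virtual router name."""
    routes = []
    root = ET.fromstring(xml_text)
    for vr in root.findall("devices/entry/network/virtual-router/entry"):
        for r in vr.findall("routing-table/ip/static-route/entry"):
            metric, dest = r.findtext("metric"), r.findtext("destination")
            routes.append({
                "vr": vr.get("name"), "name": r.get("name"),
                # strict=False tolerates a destination written with host bits set
                "destination": ipaddress.ip_network(dest, strict=False),
                "nexthop": r.findtext("nexthop/ip-address"),
                "interface": r.findtext("interface"),
                "metric": int(metric) if metric else None,
            })
    return routes

def best_route(routes, address, vr="default"):
    """Longest-prefix match inside one virtual router; None if nothing matches."""
    ip = ipaddress.ip_address(address)
    hits = [r for r in routes if r["vr"] == vr and ip in r["destination"]]
    # Ties on prefix length go to the lower metric; ranking a route without
    # <metric> last is an assumption of this sketch.
    return min(hits, default=None, key=lambda r: (
        -r["destination"].prefixlen,
        r["metric"] if r["metric"] is not None else float("inf")))
```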
5. Security Zones
Zones group interfaces by trust level:
<zone>
  <entry name="Trust">
    <network>
      <layer3>
        <member>ethernet1/2</member>
        <member>ethernet1/3</member>
      </layer3>
    </network>
  </entry>
  <entry name="Untrust">
    <network>
      <layer3>
        <member>ethernet1/1</member>
      </layer3>
    </network>
  </entry>
  <entry name="DMZ">
    <network>
      <layer3>
        <member>ethernet1/4</member>
      </layer3>
    </network>
  </entry>
</zone>
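An added example, not SimpleIPAM's code: a Python sketch that joins the interface addresses from section 3 with the zone membership shown here, producing one inventory row per address and listing interfaces that have an address but no zone. The function names interface_inventory and unzoned are hypothetical, and the sample places the zone element inside the vsys entry, which is an assumption because the page does not show where zones sit in the tree.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample (not a real export). Putting <zone> inside the vsys entry
# is an assumption: the page does not show where zones sit in the tree.
SAMPLE = """<config><devices><entry name="localhost.localdomain">
<network><interface>
  <ethernet>
    <entry name="ethernet1/1"><layer3><ip><entry name="203.0.113.1/30"/></ip>
      </layer3><comment>WAN Interface</comment></entry>
    <entry name="ethernet1/2"><layer3><ip><entry name="10.1.1.1/24"/></ip>
      </layer3><comment>LAN Interface</comment></entry>
  </ethernet>
  <loopback><entry name="loopback.1"><ip><entry name="10.255.255.1/32"/></ip>
    </entry></loopback>
</interface></network>
<vsys><entry name="vsys1"><zone>
  <entry name="Trust"><network><layer3><member>ethernet1/2</member></layer3>
    </network></entry>
  <entry name="Untrust"><network><layer3><member>ethernet1/1</member></layer3>
    </network></entry>
</zone></entry></vsys>
</entry></devices></config>"""

def interface_inventory(xml_text):
    """Return one row per interface address, joined with its zone (or None)."""
    device = ET.fromstring(xml_text).find("devices/entry")
    zone_of = {}
    for zone in device.findall(".//zone/entry"):
        for m in zone.findall("network/layer3/member"):
            zone_of[m.text] = zone.get("name")
    rows = []
    for kind in device.findall("network/interface/*"):
        for e in kind.findall("entry"):
            # Ethernet nests addresses under <layer3>; loopback has <ip> directly.
            for ip in e.findall("layer3/ip/entry") + e.findall("ip/entry"):
                try:
                    net = str(ipaddress.ip_interface(ip.get("name")).network)
                except ValueError:  # not a literal address: keep the raw value
                    net = None
                rows.append({"name": e.get("name"), "type": kind.tag,
                             "address": ip.get("name"), "network": net,
                             "comment": e.findtext("comment"),
                             "zone": zone_of.get(e.get("name"))})
    return rows

def unzoned(rows):
    """Interfaces that carry an address but belong to no zone."""
    return sorted({r["name"] for r in rows if r["zone"] is None})
```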
6. NAT Rules
NAT rules map external to internal addresses:
<nat>
  <rules>
    <entry name="NAT-Web-Server">
      <source-translation>
        <dynamic-ip-and-port>
          <interface-address>
            <interface>ethernet1/1</interface>
          </interface-address>
        </dynamic-ip-and-port>
      </source-translation>
      <to>
        <member>Untrust</member>
      </to>
      <destination>
        <member>any</member>
      </destination>
      <source>
        <member>Web-Server-01</member>
      </source>
    </entry>
  </rules>
</nat>
Handling Multi-vsys Configurations
If your Palo Alto uses multiple virtual systems, SimpleIPAM extracts data from each vsys separately and tags objects with their vsys context. This lets you see which virtual firewall owns each address object.
What We Don't Parse
SimpleIPAM focuses on IP address management. We intentionally skip:
Security policies: That's a different type of analysis
Service objects: TCP/UDP ports aren't relevant to IPAM
User-ID configuration: Not IP-related
Threat prevention profiles: Security profiles are out of scope
GlobalProtect settings: VPN config is separate from IP allocation
Try It With Your Config
Upload your Palo Alto config and see what we extract.
Works with PAN-OS 10.x and 11.x. No registration required.