How to Import Palo Alto Networks Firewall Configurations into Panorama

Created On 09/25/18 19:49 PM - Last Modified 04/20/20 21:49 PM


Resolution


Overview

This document describes how to manually import the policies of an existing Palo Alto Networks firewall into Panorama.  Addresses, address groups, services and policies will be imported so the same policies can be applied to other firewalls that are managed by Panorama.

Assumptions

  • You have a Palo Alto Networks firewall with an existing configuration.
  • An instance of Panorama is up and running on the same PAN-OS version as the firewall (or a higher one).
  • You have Web and CLI administrator access to both the firewall and Panorama.

Steps

  1. You will need a device group on Panorama; the policies will be imported into this device group. If you do not already have a device group created for this purpose, use the Panorama GUI to create one. There is no need to assign any devices to the group at this point.

    If you created a new group, commit the change in Panorama.

  2. SSH to the firewall whose configuration is to be imported. Once in the firewall, configure the CLI to present its output in set format by issuing the command:

    set cli config-output-format set

    Then enter configuration mode:

    configure

  3. When converting an existing firewall configuration into Panorama via set commands, you need to handle the parts of the configuration in dependency order, because later items reference earlier ones (an address group refers to addresses; a security rule refers to addresses, services, applications and profiles). The following are converted one at a time. As of PAN-OS 3.1.7, the order is:

    Item                    CLI Command
    Address                 show address
    Address Groups          show address-group
    Services                show service
    Service Groups          show service-group
    Log Settings            show shared log-settings
    Server Profile          show shared server-profile
    Application             show application
    Application Filters     show application-filter
    Application Groups      show application-group
    Application Override    show rulebase application-override
    Security Profiles       show profiles
    Security Rules          show rulebase security rules


    Importing Address Objects
    Show, convert, and import address objects from the firewall into Panorama.

  4. On the firewall, issue the command:

    show address

    This displays all address objects as set commands, one set address line per object.

  5. Copy all of the address set commands to a text file.
  6. In the text file, search for set address and replace it with set shared address. Every line that began with set address should now begin with set shared address; the rest of each line stays as it was.

  7. SSH to the target Panorama server. To be able to enter multiple commands at once, you will need to turn on scripting mode in Panorama. Set the CLI to scripting mode, then enter configuration mode:

    set cli scripting-mode on

    configure

  8. Copy the modified set commands from the text file and paste them at the Panorama configuration prompt.

    Make sure you do not see “invalid syntax” errors. If you cannot paste multiple lines at a time, you may need to try a different SSH client or operating system.


    Note: In scripting-mode, auto-complete is not enabled. Thus if you need to check the syntax of a command, you will need to disable scripting mode, test the command, then re-enable scripting mode.

  9. In the Panorama GUI, go to the Objects tab > Addresses screen, and confirm you can see the imported addresses there.  Make sure all your address objects were imported.


    Importing Address Groups, Services, etc.

  10. Conversion of other components is performed in the same way.  Examine the second column below. Execute each command on the firewall, copy the output to your text file, edit your text file, then copy those new commands into Panorama.


    Note: When doing this make sure whatever editor you are cutting and pasting into does not mistakenly cut command lines where they were wrapped in the console.  If you get invalid syntax warnings, check your input to see if there were any set commands which were chopped during the copying process.

    Policy Component      Show Command                        Search Text                        Replace Text
    Address               show address                        set address                        set shared address
    Address Groups        show address-group                  set address-group                  set shared address-group
    Services              show service                        set service                        set shared service
    Service Groups        show service-group                  set service-group                  set shared service-group
    Log Settings          show shared log-settings            N/A                                N/A
    Server Profile        show shared server-profile          N/A                                N/A
    Application           show application                    set application                    set shared application
    Application Filters   show application-filter             set application-filter             set shared application-filter
    Application Groups    show application-group              set application-group              set shared application-group
    Application Override  show rulebase application-override  set rulebase application-override  set device-group <device group> pre-rulebase application-override


    STOP once you get to the copying of the security rulebase into Panorama.

    Importing the Security Rulebase


  11. Before importing the security policies, you need to disable logging to Panorama on the firewall. Either modify your log forwarding profile to remove Panorama, or edit each security policy and set its log forwarding profile to none.

  12. If you just modified your firewall configuration, commit your changes.
  13. On the firewall, issue the command:

    show rulebase security rules

    Copy and paste all of the security rules to a text document.  Review the commands to make sure there are no incorrect carriage returns -- those will cause you to import invalid data and possibly create erroneous rules.

  14. In the text file, do a search and replace, making sure to use your device group name from step 1:
    • SEARCH: set rulebase security rules
    • REPLACE: set device-group <device group name> pre-rulebase security rules
      Note: The above replace string assumes that you want to import the policies into your security pre-rulebase.
  15. Copy and paste these rules into the Panorama CLI. Start by pasting only the first command, then all the commands belonging to the first rule, so that you can watch for errors. Once a few commands have been accepted, paste the remaining commands in bulk. When all the commands have been entered successfully, the policies appear in the pre-rulebase of your device group.
  16. PAN-OS 5.x: Network and device templates were introduced for Panorama in PAN-OS 5.0. In order to import the firewall config into Panorama, please make sure that the Templates are configured in advance with the respective devices added into each template with their configurations (multi-vsys, operational-mode, vpn-disable-mode) in place.
    For example, to import an interface configuration, run show network interface on the firewall, then search for set network and replace it with set template <template name> config network. Conversion of the main components is shown below:

    Component       Show Command            Search Text        Replace Text
    Network         show network interface  set network        set template <template name> config network
    Device config   show deviceconfig       set deviceconfig   set template <template name> config deviceconfig
  17. To turn off scripting mode:
    set cli scripting-mode off
  18. Commit this config in Panorama.


At this point, the firewall policies have been imported and additional firewalls can be added to this device group. Also, these pre-rules can be applied to the newly added firewalls.
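The search-and-replace procedure above, as an added example that is not part of the KB article: a POSIX shell script that rejoins set commands the console wrapped onto several lines (the chopped lines the notes warn about), applies every prefix rewrite from the tables in one pass (objects to shared, the security and application-override rulebases to the device group pre-rulebase, network and deviceconfig to a template), and reports any line that still has no Panorama scope so it can be handled by hand. The device group name DG1, the template name T1 and the sample firewall lines are constructed for the demo; the script assumes names without spaces or sed metacharacters.

```shell
#!/bin/sh
# Added example (not from the KB article): automate the search-and-replace tables
# so that firewall "set" output becomes Panorama "set" commands in one pass.
# Assumptions (not stated by the article): device group and template names contain
# no spaces or sed metacharacters (/ & .); input is "show ..." output in set format,
# one command per line, possibly wrapped by the terminal when it was copied.

# Re-join commands that the console wrapped onto several lines: every PAN-OS set
# command starts with "set ", so a line that does not is a continuation fragment
# of the previous command. Blank lines are dropped.
rejoin_wrapped() {
    awk '
        /^set /    { if (buf != "") print buf; buf = $0; next }
        /^[ \t]*$/ { next }
                   { sub(/^[ \t]+/, ""); buf = buf " " $0 }
        END        { if (buf != "") print buf }
    '
}

# Rewrite firewall scope to Panorama scope, following the article's tables:
#   objects                -> shared
#   rulebases              -> device-group <dg> pre-rulebase
#   network / deviceconfig -> template <tpl> config   (PAN-OS 5.0+ templates)
# Lines already under "set shared" (log-settings, server-profile) pass through.
to_panorama() {
    dg="$1"; tpl="$2"
    sed -e "s/^set rulebase security rules /set device-group $dg pre-rulebase security rules /" \
        -e "s/^set rulebase application-override /set device-group $dg pre-rulebase application-override /" \
        -e "s/^set address-group /set shared address-group /" \
        -e "s/^set address /set shared address /" \
        -e "s/^set service-group /set shared service-group /" \
        -e "s/^set service /set shared service /" \
        -e "s/^set application-filter /set shared application-filter /" \
        -e "s/^set application-group /set shared application-group /" \
        -e "s/^set application /set shared application /" \
        -e "s/^set network /set template $tpl config network /" \
        -e "s/^set deviceconfig /set template $tpl config deviceconfig /"
}

# Print every line that still has no Panorama scope after conversion and exit 1
# if there were any: those are firewall-only paths the tables do not cover.
leftover_lines() {
    awk '!/^set (shared|device-group|template) / { print; n++ } END { exit (n > 0) }'
}

# Full pipeline: stdin = raw firewall output, stdout = Panorama-ready set commands.
convert_set_commands() {
    rejoin_wrapped | to_panorama "$1" "$2"
}

# Constructed sample input (not real firewall output). The security rule is wrapped
# across two lines the way a terminal copy leaves it, and "set zone" is a path the
# article's tables do not map.
sample_input() {
    cat <<'EOF'
set address web-srv ip-netmask 10.1.1.10/32
set address-group web-servers static web-srv
set service tcp-8443 protocol tcp port 8443
set shared log-settings syslog syslog-prof server srv1 server 10.9.9.9
set rulebase security rules allow-web from trust to untrust source any destination web-srv
    application web-browsing service application-default action allow
set network interface ethernet ethernet1/1 layer3 ip 10.1.1.1/24
set zone trust network layer3 ethernet1/1
EOF
}

# Usage: sh convert.sh <device-group> <template> < firewall-set-output.txt
# With no arguments, run the demo on the constructed sample instead.
if [ "$#" -ge 2 ]; then
    convert_set_commands "$1" "$2"
else
    converted="$(sample_input | convert_set_commands DG1 T1)"
    printf '%s\n' "$converted"
    printf '%s\n' "$converted" | leftover_lines >&2 \
        || echo "warning: the line(s) above were not rewritten; map them manually" >&2
fi
```

Review the warning lines before pasting: the converted output is what goes into the Panorama CLI in scripting mode (step 8), and a line that kept its firewall-only prefix would either be rejected as invalid syntax or, worse, accepted into the wrong scope.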

owner: gmaxwell



Source: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clf2CAC&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail