05-14-2024 12:16 PM - edited 05-14-2024 12:17 PM
Hello!
I have been trying to migrate from Junos to a PA-5450 running PanOS v10.2.6 with Panorama v10.2.6-h3, although hopefully the version and model have nothing to do with this.
I keep ending up with a single hidden "invalid" Service.
I say "hidden" because when I click on the "1" saying I have an invalid service nothing shows.
After 10 or so iterations even working with my Resident Engineer, I realized that even when we just pull in the Palo configuration so that we can export to it, the Palo configuration has zero services or rules in it, and the only 3 services in Expedition are:
I still get a listing that says 1 invalid service. These are predefined services that apparently Expedition creates for itself, but still marks one as invalid. The only thing I can think is that it doesn't like "application-default" because of the port 0, but if it doesn't like it it shouldn't create it.
Does anyone know of a workaround? Some way to edit or fix or delete the invalid service?
I'm literally considering reinstalling the Ubuntu 16 .iso file and seeing if an older version is willing to play nice. I'd try the Expedition v2 Beta, but I was warned both by someone in the Beta team and by my Resident Engineer that it "isn't really ready for production migrations" and I have 150+ Juniper Logical Systems to migrate to Palo.
Thanks,
Eric
05-15-2024 02:47 AM
Hi @Eric_Troldahl ,
05-15-2024 05:01 PM
This is the only big issue I currently have. I haven't been able to get an export, so I haven't been able to look at what comes in to Panorama from the load partial commands when I load in the addresses & groups, Services & groups, and Security Rules.
If you are saying that Expedition should still allow me to export, then yes, I am having an issue. When I tried to copy from the left to the right pane in the Export Window, Security Rules flash momentarily on the right window and then disappear. My resident engineer was relatively sure it was the invalid service that was stopping us from moving the data.
Regards,
Eric
05-16-2024 12:36 AM
The invalid services should not be the issue to get the export. Maybe there's another one.
To troubleshoot this issue:
1) Please make sure you are following the drag and drop mapping defined on the attached screenshots (FW and Panorama mappings).
2) After doing the drag and drop click on merge and check the file /tmp/error. If there's any error it will be included in this file.
3) Then execute the generate XML and set Output. Again check the file /tmp/error for any issue in the process.
Let me know your findings and if needed we can jump into a quick call (request it using the fwmigrate@paloaltonetworks.com)
Hope this helps,
David
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
