https://live.paloaltonetworks.com/t5/expedition-discussions/expedition-bugs/m-p/247068#M1043 <P>Version could have been 1.1.3 not 1.0.107</P> Wed, 23 Jan 2019 03:58:14 GMT sidetrack 2019-01-23T03:58:14Z https://live.paloaltonetworks.com/t5/expedition-discussions/expedition-bugs/m-p/247067#M1042 <P>I stumbled across two potential bugs in Expedition 1.0.107 the other day, using&nbsp;it to&nbsp;merge&nbsp;duplicates and unused objects from a Panorama (8.1.5) config.</P> <P>&nbsp;</P> <P>1. Editing a config that originally contained over 10,000 objects (across different DGs) resulted in some shared objects being defined twice - this was after merging duplicate and removing unused objects, the config imported to Panorama would not commit and resulted in an error "objecet already exists". We found the object was defined twice in the shared candidate config:</P> <PRE>&nbsp; &lt;shared&gt; &nbsp; &nbsp; &lt;address&gt; &nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&lt;entry name="test.com"&gt; &nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&lt;fqdn&gt;test.com&lt;/fqdn&gt; &nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&lt;/entry&gt; &nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&lt;entry name="test.com"&gt; &nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&lt;fqdn&gt;test.com&lt;/fqdn&gt; &nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&lt;/entry&gt; &nbsp; &nbsp; &lt;/address&gt; &nbsp; &lt;/shared&gt;</PRE> <P><SPAN>And also defined twice within the shared config in the output from Expedition:</SPAN></P> <PRE>&lt;entry name="test.com"&gt;&lt;fqdn&gt;test.com&lt;/fqdn&gt;&lt;/entry&gt;&lt;snip/&gt;&lt;entry name="test.com"&gt;&lt;fqdn&gt;test.com&lt;/fqdn&gt;&lt;/entry&gt;</PRE> <P><SPAN>We couldn't manually remove the duplicates from the XML as there were at least two more if not hundereds of these duplicated entries. After some manipulation of the source XML I got the object count down to about 4,000 before merging duplicates in Expedition, after which the exported config was fine until we hit the next bug.</SPAN></P> <P>&nbsp;</P> <P><SPAN>2. Authentication rules failed to commit due to an invalid log-authentication-timeout. Appears&nbsp;</SPAN><SPAN>Expedition introduced this log-authentication-timeout setting with no values as it did not exist in the imported config and was not accepted by Panorama 8.1.5:</SPAN></P> <P>&nbsp;</P> <PRE>&nbsp;&lt;pre-rulebase&gt; &nbsp;&nbsp;&lt;authentication&gt; &nbsp;&nbsp;&nbsp;&nbsp;&lt;rules&gt;&lt;entry name="example"&gt;&lt;snip/&gt;&lt;log-authentication-timeout/&gt;&lt;timeout&gt;60&lt;/timeout&gt;&lt;snip/&gt;&lt;/entry&gt;&lt;/rules&gt; &nbsp;&nbsp;&lt;/authentication&gt; &nbsp;&lt;/pre-rulebase&gt;</PRE> <P><SPAN>The workaround was to remove the log-authentication-timeout entries in the XML.</SPAN></P> <P>&nbsp;</P> <P><SPAN><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/45">@aestevez</a>&nbsp;I can&nbsp;share the raw and optimised configs if you need.</SPAN></P> Wed, 23 Jan 2019 03:56:38 GMT https://live.paloaltonetworks.com/t5/expedition-discussions/expedition-bugs/m-p/247067#M1042 sidetrack 2019-01-23T03:56:38Z https://live.paloaltonetworks.com/t5/expedition-discussions/expedition-bugs/m-p/247068#M1043 <P>Version could have been 1.1.3 not 1.0.107</P> Wed, 23 Jan 2019 03:58:14 GMT https://live.paloaltonetworks.com/t5/expedition-discussions/expedition-bugs/m-p/247068#M1043 sidetrack 2019-01-23T03:58:14Z https://live.paloaltonetworks.com/t5/expedition-discussions/expedition-bugs/m-p/247116#M1047 <P>Yes, please. Share those with us at fwmigrate at paloaltonetworks dot com.</P> <P>We will take a look into it</P> Wed, 23 Jan 2019 10:45:12 GMT https://live.paloaltonetworks.com/t5/expedition-discussions/expedition-bugs/m-p/247116#M1047 dgildelaig 2019-01-23T10:45:12Z