topic Re: Shared rulebase to vsys in Expedition Discussions

Shared rulebase to vsys

sidetrack — Wed, 03 Apr 2019 12:24:52 GMT

I have ended up in a bit of an odd situation with an undesirable result 😕

In the process of importing CSV's from an unsupported source, I have ended up importing an entire rulebase into the "shared" VSYS of a standalone base firewall config. This might be OK for objects, or a rulebase in Panorama, but not a valid config for a standalone device.

To make matters worse, I have augmented the policy with a ton of new rules from a design document - mostly manual work. Many hours have gone into this and it's now ready to export to the target gateway.

Only one thing - there is no shared policy in the export (I guess because it's not a valid thing).

The policy can still be editied in config.xml -> shared, all I need is to move the rules to vsys1 or get them in the exported xml. I don't have time to build this rulebase again.

Help me @alestevez, you're my only hope!

Re: Shared rulebase to vsys

alestevez — Wed, 03 Apr 2019 15:57:19 GMT

you are right, you could cut the policy from shared and paste into the rulebase under vsys1 and that's it 🙂 Only check to do if there is a rulename duplicated after the paste 🙂

Re: Shared rulebase to vsys

sidetrack — Wed, 03 Apr 2019 23:05:42 GMT

Thanks @alestevez ! Unfortunately I am unable to cut and paste the rulebase in Expedition - ctrl-c / ctrl-v doesn't seem to work and there's no cut/paste in the rule context menus.

The Move button would be great if it supported move to a different rulebase like Panorama but it doesn't have the option.

Any other ideas?

Re: Shared rulebase to vsys

sjanita — Thu, 04 Apr 2019 06:38:43 GMT

Unless there is a bug in the version you are using, not sure how your security rules were imported to 'shared' as choosing that option will not import into the target config.

Per the attached screenshot you need to choose from the available vsys to import the security policies into.

Can you post a screenshot showing the security policies were added to shared?

Re: Shared rulebase to vsys

sidetrack — Thu, 04 Apr 2019 07:51:06 GMT

I'm running expedition-beta/unknown 1.1.11 amd64

I can replicate in an entirely new project, importing a VA base config (it can only have one vsys 🙂 )

It has existing rules in vsys1, but we'll demonstrate by importing a simple CSV into the shared vsys:

dns;trusted;dns-server;Internet;8.8.8.8;dns;permit

This won't work if no vsys is selected (all), the list pops up and you can select from shared and vsys1 - even though shared is not supported for Security Rules.

Import CSV, must select from shared or vsys1select shared (oops!)it worked...?here be the shared rule...unset base config, no shared policy to export 😞no shared policy in output (it's not exactly valid)

Re: Shared rulebase to vsys

sjanita — Thu, 04 Apr 2019 09:15:14 GMT

what you can do is reimport the security policies but choose 'vsys 1' as your target.

If you see those security policies in vsys 1, Then go back into the configuration and delete the rules listed in 'Shared'

Re: Shared rulebase to vsys

sidetrack — Thu, 04 Apr 2019 09:53:09 GMT

I was trying to avoid that 🙂

A good chunk of my rules were hand-rolled in Expedition, stupidly evolving this unusable policy.

I need a way to export these orphaned shared rules, if there was a way to move them from shared to vsys1. We can do the reverse (convert a rule in vsys1 to shared) but not the other way around.

Re: Shared rulebase to vsys

sjanita — Thu, 04 Apr 2019 10:10:01 GMT

Looking into it, will get back to you in a few mins

Re: Shared rulebase to vsys

sjanita — Thu, 04 Apr 2019 11:28:50 GMT

here's one option you can try:

Filter the display to display only the 'Shared' policies (bottom right hand selection choose 'Shared')

Choose 'Export to Excel' in the upper right hand corner menu

After opening in excel, save the file to CSV format and reimport (using the import CSV option) into vsys1

You will need to edit the CSV file and replace the commas with semi-colons which are the separators used by the CSV import

This will include any changes you had made to those security policies. You will also have to perform those same steps to any objects (Address, groups, services groups) that were moved into shared.

Re: Shared rulebase to vsys

sidetrack — Thu, 04 Apr 2019 11:40:32 GMT

Thanks for the tip sjanita!

Looks like this is my only option, although the individual cells have carriage returns for multiple entries. I'm sure with a bit of NP++-fu I can whip this into shape 🙂

Re: Shared rulebase to vsys

sidetrack — Mon, 08 Apr 2019 05:49:01 GMT

@alestevez I'm considering trying to do this in the DB instead, if there's a way I can dump the table that contains the invalid 'shared' polciy and import it into the vsys1 table?

Any hints? 🙂

Matt