https://live.paloaltonetworks.com/t5/expedition-discussions/correct-invalid-services-in-expedition/m-p/519275#M4240 <P>Thanks <SPAN class="UserName lia-user-name lia-user-rank-L5-Sessionator lia-component-message-view-widget-author-username"><A id="link_19" class="lia-link-navigation lia-page-link lia-user-name-link" href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/38629" target="_self" aria-label="View Profile of lychiang"><SPAN class="">lychiang,</SPAN></A></SPAN></P> <P>&nbsp;</P> <P><SPAN class="UserName lia-user-name lia-user-rank-L5-Sessionator lia-component-message-view-widget-author-username"><SPAN class="">I was not familiar with default objects in the ASA until now. </SPAN></SPAN></P> <P><SPAN class="UserName lia-user-name lia-user-rank-L5-Sessionator lia-component-message-view-widget-author-username"><SPAN class="">One must perform a "show run all" on an ASA to see the default objects, which is where I found the default GRE object, as well as the default "echo" object. <BR /><BR />The last piece I am uncertain about which <SPAN class="UserName lia-user-name lia-user-rank-L1-Bithead lia-component-message-view-widget-author-username"><A id="link_7" class="lia-link-navigation lia-page-link lia-user-name-link" href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/169335" target="_self" aria-label="View Profile of AK74">AK74</A></SPAN> also asked, is why the used service object for ICMP was renamed to "discard".<BR />The service object configured in the ASA is just called "icmp". Not critical as we'll rename it anyway, but I'm still curious. <BR /><BR /><BR /></SPAN></SPAN></P> Wed, 26 Oct 2022 17:36:30 GMT Ifixtheinternet 2022-10-26T17:36:30Z https://live.paloaltonetworks.com/t5/expedition-discussions/correct-invalid-services-in-expedition/m-p/507888#M4064 <P>Hello there,</P> <P>&nbsp;</P> <P><SPAN>I am currently migrating my ASA 5585 to a Palo 5260 using Expedition tool. Everything on the dashboard has been rectified, except for few services that shows "invalid" and used .</SPAN></P> <P>&nbsp;</P> <P>I've noticed that Expedition has replaced "icmp" service in ASA to "discard"&nbsp;</P> <P>Does anyone know why is that ?</P> <P>&nbsp;</P> <P>Also, there're some invalid services such as (icmp-echo. icmp-echo-reply) but when I try to search/locate them, I don't see them under security policy but they're used in Object groups as shown below So, basically I need to convert them to Ping application as if they were used in security policy ?</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="AK74_0-1656972005482.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/42132i23D037E93CCFAD69/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="AK74_0-1656972005482.png" alt="AK74_0-1656972005482.png" /></span></P> <P>Finally, I've got "esp" as invalid service but again it's located in an object group. So, how to correct it? replace it with an application (ipsec-esp) or service ?</P> <P><SPAN>Thanks</SPAN></P> <P>&nbsp;</P> Mon, 04 Jul 2022 23:17:14 GMT https://live.paloaltonetworks.com/t5/expedition-discussions/correct-invalid-services-in-expedition/m-p/507888#M4064 AK74 2022-07-04T23:17:14Z https://live.paloaltonetworks.com/t5/expedition-discussions/correct-invalid-services-in-expedition/m-p/519261#M4237 <P>I have the same problem and question. </P> <P>In addition to those, I also have a service object showing up for "GRE", but there is no object in my ASA configured for GRE, or port 47, either individually or within any port range. So I'm not sure where that came from. <BR />They show unused, but I'd still like to understand why they were generated. <BR />I'm wondering if there's any way to display in Expedition what object / config line in the ASA that Expedition referred to in order to create the objects. <span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="3_Invalid_Service_objects_5585i.png" style="width: 960px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/44900iBDEB08DCD9AEE5FA/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="3_Invalid_Service_objects_5585i.png" alt="3_Invalid_Service_objects_5585i.png" /></span></P> Wed, 26 Oct 2022 16:27:29 GMT https://live.paloaltonetworks.com/t5/expedition-discussions/correct-invalid-services-in-expedition/m-p/519261#M4237 Ifixtheinternet 2022-10-26T16:27:29Z https://live.paloaltonetworks.com/t5/expedition-discussions/correct-invalid-services-in-expedition/m-p/519265#M4238 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/236599">@Ifixtheinternet</a>&nbsp;Those are default service protocol from your cisco asa config, if it's red dot , means it's not being used in any group object or policies.&nbsp;</P> Wed, 26 Oct 2022 16:34:42 GMT https://live.paloaltonetworks.com/t5/expedition-discussions/correct-invalid-services-in-expedition/m-p/519265#M4238 lychiang 2022-10-26T16:34:42Z https://live.paloaltonetworks.com/t5/expedition-discussions/correct-invalid-services-in-expedition/m-p/519275#M4240 <P>Thanks <SPAN class="UserName lia-user-name lia-user-rank-L5-Sessionator lia-component-message-view-widget-author-username"><A id="link_19" class="lia-link-navigation lia-page-link lia-user-name-link" href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/38629" target="_self" aria-label="View Profile of lychiang"><SPAN class="">lychiang,</SPAN></A></SPAN></P> <P>&nbsp;</P> <P><SPAN class="UserName lia-user-name lia-user-rank-L5-Sessionator lia-component-message-view-widget-author-username"><SPAN class="">I was not familiar with default objects in the ASA until now. </SPAN></SPAN></P> <P><SPAN class="UserName lia-user-name lia-user-rank-L5-Sessionator lia-component-message-view-widget-author-username"><SPAN class="">One must perform a "show run all" on an ASA to see the default objects, which is where I found the default GRE object, as well as the default "echo" object. <BR /><BR />The last piece I am uncertain about which <SPAN class="UserName lia-user-name lia-user-rank-L1-Bithead lia-component-message-view-widget-author-username"><A id="link_7" class="lia-link-navigation lia-page-link lia-user-name-link" href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/169335" target="_self" aria-label="View Profile of AK74">AK74</A></SPAN> also asked, is why the used service object for ICMP was renamed to "discard".<BR />The service object configured in the ASA is just called "icmp". Not critical as we'll rename it anyway, but I'm still curious. <BR /><BR /><BR /></SPAN></SPAN></P> Wed, 26 Oct 2022 17:36:30 GMT https://live.paloaltonetworks.com/t5/expedition-discussions/correct-invalid-services-in-expedition/m-p/519275#M4240 Ifixtheinternet 2022-10-26T17:36:30Z https://live.paloaltonetworks.com/t5/expedition-discussions/correct-invalid-services-in-expedition/m-p/519297#M4241 <P>What version of Expedition tool are you using ?</P> Wed, 26 Oct 2022 22:45:40 GMT https://live.paloaltonetworks.com/t5/expedition-discussions/correct-invalid-services-in-expedition/m-p/519297#M4241 AK74 2022-10-26T22:45:40Z