topic Re: Expedition API when migrating Checkpoint to VSYS - zone issues in Expedition Discussions

Expedition API when migrating Checkpoint to VSYS - zone issues

FilipElsen.Proximus — Tue, 16 Oct 2018 12:46:59 GMT

Hi,

I'm having a project for migrating several Checkpoint clusters to Palo Alto Vsys.

I'm using Expedition version: 1.0.106 (the issue also resides in earlier versions).

I'm hitting an issue when migrating the zones.

1.Interfaces, virtual router and zones will be directly configured on the related gateway using API.

2.Security policy and NAT will be loaded into the Panorama's specific devicegroup.

The issues is at stage 1.

>migrating and configuring the interfaces using API works fine.

>migrating and configuring the VR using the API works fine.

>However the migration of zones isn't working at all.

The zones (L3) has an interface associated which is also migrated and for which the creation (by API) worked out fine.

The API error output:

{"6":{"device":"UTRFWONE5","status":"fail","text":"<msg><line><![CDATA[ zone -> Zone27 -> network -> layer3 \\'ae2.313\\' is not a valid reference]]><\/line><line><![CDATA[ zone -> Zone27 -> network -> layer3 is invalid]]><\/line><\/msg>","date":"2018-10-16 05:51:22"}}

I confirm in the situation above the interface: ae2.313 has been successfully configured using API.

=> Only when you detach all interfaces from ALL zones, export the config - merge - generate API cmds - send API cmds the zones are created.

Couple remarks:

-Interfaces can be mapped (manually) to the correct VSYS in the Expedition tool.

-Virtual routers cannot be mapped to a VSYS in the Expedition tool.

-Zones cannot be mapped to a VSYS in the Expedition tool, but within the zone view you can select an extra column: vsys.

.... but it cannot be edited?

Would be good to have a solution on this one....

Thanks a lot,

Filip ElsenAPI callsConfig merge

Re: Expedition API when migrating Checkpoint to VSYS - zone issues

alestevez — Fri, 19 Oct 2018 13:59:16 GMT

Hi,

Im not sure if I understand the problem....

Have you clicked on MERGE after the drag and drop?

Then from the PANOS config you can go to DEVICE - VIRTUAL SYSTEM and attach the VR and Interfaces there. The same from the Zones itself you can assign to the VSYS...

What is exactly the problem you are facing?

Re: Expedition API when migrating Checkpoint to VSYS - zone issues

FilipElsen.Proximus — Fri, 19 Oct 2018 14:04:58 GMT

Hi,

Yes, the config has been merged.

The issue is that when using the API to sent the network config towards the gateway (Pa5250), the subinterfaces, virtual router and routes get created, but the zones not.

The zones only get pushed towards the gateway if all interfaces are detached from it, prior to performing a merge.

Best regards,

Filip

Re: Expedition API when migrating Checkpoint to VSYS - zone issues

FilipElsen.Proximus — Mon, 19 Nov 2018 12:28:36 GMT

Hi, any update on this one?

Thanks,

Re: Expedition API when migrating Checkpoint to VSYS - zone issues

FilipElsen.Proximus — Mon, 19 Nov 2018 12:32:51 GMT

Interfaces are correcly created on the gateway using the API.

Routes are correctly created on the gateway using the API.

For every zone within the configuration, I'm receiving the output as shown below:

The API error output:

All interfaces are L3, created earlier and have a correct ipv4 associated.

Re: Expedition API when migrating Checkpoint to VSYS - zone issues

alestevez — Mon, 19 Nov 2018 14:07:03 GMT

Have you send the Interfaces first?

Re: Expedition API when migrating Checkpoint to VSYS - zone issues

FilipElsen.Proximus — Fri, 07 Dec 2018 08:45:27 GMT

Yes, sure. These are created using API.

Only the zone(s) - all of them - are causing issues.

Has this been validated, tested?

Thanks a lot,

Filip

Re: Expedition API when migrating Checkpoint to VSYS - zone issues

sjanita — Mon, 10 Dec 2018 01:43:02 GMT

I was able to recreate your issue and will file a report for review:

Workaround - to send the config via API calls to Panorama

-send the interfaces, ethernet and aggregate interfaces first

-send the zones (remove the AE interface first from the zone)

-on panorama edit the zone and add the AE as a member

Re: Expedition API when migrating Checkpoint to VSYS - zone issues

sjanita — Mon, 10 Dec 2018 03:53:48 GMT

after more testing and debugging found the issue is with PanOS and not with the API request being generated by Expedition.

This only applies to AE interfaces being added to a security zone.

Workaround:

Assumption is that the AE configuration has been completed in Expedition

From the API output manager

-send the interfaces

-send the virtual router

-remove the AE from the security zone

-send the zone

Transition to Panorama and add the AE to the appropriate security zone

Re: Expedition API when migrating Checkpoint to VSYS - zone issues

FilipElsen.Proximus — Fri, 01 Feb 2019 12:05:56 GMT

Thanks for the update.

I'll try the proposed steps and will come back asap.

What's the ETA?

Thanks a lot,

Filip

Re: Expedition API when migrating Checkpoint to VSYS - zone issues

FilipElsen.Proximus — Fri, 08 Feb 2019 10:16:33 GMT

Hi,

I've just tested the proposed approach using API:

From the API output manager

-send the interfaces

-send the virtual router

-remove the AE from the security zone

-send the zone

=> This is working indeed.

As mentioned, the Interface / Zone mapping is required to be performed manually when the config is loaded onto the device.

After the config was loaded via API (subint, vrouter and zone) I tried to get around the "zone to interface mapping" by:

-Performing a commint on the FW

-Re-import the device running config into Expedition

-Loading the project configuration with the (pre-zone cleanings / thus containing the zone & interface mappings)

-Export and Merge only the zone config. (the rest is already onn the device, only the zone to interface mapping is missing).

-Generate the API commands

-....but it fails in the same way.

{"21":{"device":"UTRFWONE5","status":"fail","text":"<msg><line><![CDATA[ zone -> Zone27 -> network -> layer3 \\'ae2.313\\' is not a valid reference]]><\/line><line><![CDATA[ zone -> Zone27 -> network -> layer3 is invalid]]><\/line><\/msg>","date":"2019-02-08 04:07:35"}}

Best regards,

Filip