https://live.paloaltonetworks.com/t5/expedition-discussions/bpa-on-multiple-devices-and-panorama/m-p/245312#M973 <P><FONT face="helvetica">This is a good question.</FONT></P> <P>&nbsp;</P> <P><FONT face="helvetica">When checking the BPA, the checks are done on the&nbsp; base-config selected for the project. Probably you have the Panorama config defined as a base-config.</FONT></P> <P>&nbsp;</P> <P><FONT face="helvetica">In your case, I understand you would like to check the BPA for the merged configuration, which it is neither the Panorama nor the FWs configs. </FONT></P> <P><FONT face="helvetica">In that case, that is a tricky one, because what you could do is to retrieve the merged config from the FW, set it as a base-config, and apply the BPA to&nbsp;<STRONG>see&nbsp;what</STRONG> you should modify in the Panorama config (obviously, you do not want to apply changes into the merged, as it is read-only&nbsp;config that results of merging the Panorama and FW configs).</FONT></P> <P>&nbsp;</P> <P><FONT face="helvetica">We will internally check with the Customer Success team, who is the one that developed the BPA module that we use in Expedition, in order to see if they have any other approach for this challenge.</FONT></P> Wed, 09 Jan 2019 11:36:35 GMT dgildelaig 2019-01-09T11:36:35Z https://live.paloaltonetworks.com/t5/expedition-discussions/bpa-on-multiple-devices-and-panorama/m-p/245286#M966 <P>I'm having some trouble with Best Practices analysis and hoping someone here can confirm the functionality.</P> <P>&nbsp;</P> <P>I have many devices managed by Panorama.&nbsp; Their configuration is built through a combination of some local device configuration and&nbsp;policies, plus settings from templates and device groups in Panorama.&nbsp; I've imported all devices including Panorama into a project, but when I run the Best Practices analysis it seems to only consider the Panorama config.&nbsp; I don't see the settings or policies from the local device&nbsp;configs in the analysis results.</P> <P>&nbsp;</P> <P>I believe this worked for me in the past, perhaps there is some trick I'm just forgetting.&nbsp; I've tried toggling through devices in the bottom toolbar but it seems to have no effect when on the Best Practices tab.&nbsp; Can anyone else confirm if BPA is working for them with a combination of Panorama and local device configurations?</P> <P>&nbsp;</P> <P>Expedition 1.1.2 / BP 3.6.3</P> Tue, 08 Jan 2019 23:39:57 GMT https://live.paloaltonetworks.com/t5/expedition-discussions/bpa-on-multiple-devices-and-panorama/m-p/245286#M966 cchaffee 2019-01-08T23:39:57Z https://live.paloaltonetworks.com/t5/expedition-discussions/bpa-on-multiple-devices-and-panorama/m-p/245312#M973 <P><FONT face="helvetica">This is a good question.</FONT></P> <P>&nbsp;</P> <P><FONT face="helvetica">When checking the BPA, the checks are done on the&nbsp; base-config selected for the project. Probably you have the Panorama config defined as a base-config.</FONT></P> <P>&nbsp;</P> <P><FONT face="helvetica">In your case, I understand you would like to check the BPA for the merged configuration, which it is neither the Panorama nor the FWs configs. </FONT></P> <P><FONT face="helvetica">In that case, that is a tricky one, because what you could do is to retrieve the merged config from the FW, set it as a base-config, and apply the BPA to&nbsp;<STRONG>see&nbsp;what</STRONG> you should modify in the Panorama config (obviously, you do not want to apply changes into the merged, as it is read-only&nbsp;config that results of merging the Panorama and FW configs).</FONT></P> <P>&nbsp;</P> <P><FONT face="helvetica">We will internally check with the Customer Success team, who is the one that developed the BPA module that we use in Expedition, in order to see if they have any other approach for this challenge.</FONT></P> Wed, 09 Jan 2019 11:36:35 GMT https://live.paloaltonetworks.com/t5/expedition-discussions/bpa-on-multiple-devices-and-panorama/m-p/245312#M973 dgildelaig 2019-01-09T11:36:35Z https://live.paloaltonetworks.com/t5/expedition-discussions/bpa-on-multiple-devices-and-panorama/m-p/246827#M1029 <P>Unfortunately it seems even the merged configuration retrieved from the FW is not the full picture.&nbsp; It seems to be missing the security rules that come down from Panorama; only security rules that are defined locally show up in the merged config.&nbsp;&nbsp;</P> <P>&nbsp;</P> <P>It would be great if we could have&nbsp;a tool&nbsp;capable of running a comprehensive BPA on devices where the config is partly local and partly from Panorama.&nbsp; For now, I'm thinking it might be possible to run separate BPA's for&nbsp;the merged device config and the Panorama config, and then&nbsp;take&nbsp;the results from both to get a more complete picture.&nbsp; If there's a better approach, I'm definitely interested in hearing about it.</P> Mon, 21 Jan 2019 19:32:00 GMT https://live.paloaltonetworks.com/t5/expedition-discussions/bpa-on-multiple-devices-and-panorama/m-p/246827#M1029 cchaffee 2019-01-21T19:32:00Z https://live.paloaltonetworks.com/t5/expedition-discussions/bpa-on-multiple-devices-and-panorama/m-p/246967#M1036 <P>Are you sure?</P> <P>The merge config should show the result of merging both Panorama rules and Device rules, obviously, if the device is within the DeviceGroup defined in the Panorama.</P> Tue, 22 Jan 2019 15:20:01 GMT https://live.paloaltonetworks.com/t5/expedition-discussions/bpa-on-multiple-devices-and-panorama/m-p/246967#M1036 dgildelaig 2019-01-22T15:20:01Z https://live.paloaltonetworks.com/t5/expedition-discussions/bpa-on-multiple-devices-and-panorama/m-p/246993#M1039 <P>Yes, I'm pretty sure. I used the API to&nbsp;pull the merged config directly from the firewall, and it definitely does not include the security rules from Panorama.&nbsp; I get the same results from the cli command 'show config merged'.&nbsp; However, when I log into the device's web console, I can see all the rules that came from Panorama so I'm certain they're getting pushed to the device.&nbsp;&nbsp;</P> <P>&nbsp;</P> <P>Btw, I can run 'show config pushed-shared-policy' on the firewall and all of the policy objects from Panorama are displayed.&nbsp; They just do not appear in the merged output.</P> Tue, 22 Jan 2019 17:42:29 GMT https://live.paloaltonetworks.com/t5/expedition-discussions/bpa-on-multiple-devices-and-panorama/m-p/246993#M1039 cchaffee 2019-01-22T17:42:29Z https://live.paloaltonetworks.com/t5/expedition-discussions/bpa-on-multiple-devices-and-panorama/m-p/247021#M1040 Weird. Which version of PANOS are you running?<BR />We would like to check as well on our device in our lab.<BR /><BR />My apologies for the typos, I am writing from my phone. Tue, 22 Jan 2019 19:38:24 GMT https://live.paloaltonetworks.com/t5/expedition-discussions/bpa-on-multiple-devices-and-panorama/m-p/247021#M1040 dgildelaig 2019-01-22T19:38:24Z https://live.paloaltonetworks.com/t5/expedition-discussions/bpa-on-multiple-devices-and-panorama/m-p/247022#M1041 <P>I’ve seen this behavior on devices running 8.0.13, 8.1.3 and 8.1.4.</P> Tue, 22 Jan 2019 21:09:55 GMT https://live.paloaltonetworks.com/t5/expedition-discussions/bpa-on-multiple-devices-and-panorama/m-p/247022#M1041 cchaffee 2019-01-22T21:09:55Z https://live.paloaltonetworks.com/t5/expedition-discussions/bpa-on-multiple-devices-and-panorama/m-p/255349#M1321 <P>I am currently running into the same problem on PanOS 9.0.</P> <P>&nbsp;</P> <P>Has this issue been resolved? If so, is there a KB that can be referenced?</P> Fri, 29 Mar 2019 02:28:25 GMT https://live.paloaltonetworks.com/t5/expedition-discussions/bpa-on-multiple-devices-and-panorama/m-p/255349#M1321 scottatta 2019-03-29T02:28:25Z