topic How are duplicate shared objects identified in Panorama? in Panorama Discussions

How are duplicate shared objects identified in Panorama?

MDroyKT — Thu, 20 Apr 2023 21:12:35 GMT

I know that when you migrate a firewall into Panorama and you keep the Import device's shared objects into Panorama's shared context box checked, this imports the firewall's objects as shared objects, unless there are duplicates. I'm wondering--how does Panorama identify any duplicates? Is it by the name of the object or other characteristics (such as the IP address itself)?

For example: If I have an Address Object on one firewall called "Server-DNS" with IP 8.8.8.8 and an Address Object on a different firewall called "DNS-Server" with the same IP 8.8.8.8, will it identify that as a duplicate? I'm assuming not, since you are able to have multiple Address Objects with the same IP, but would like to verify.

Thanks!

Re: How are duplicate shared objects identified in Panorama?

TomYoung — Fri, 21 Apr 2023 21:40:48 GMT

Hi @MDroyKT ,

I have imported multiple NGFW configs into Panorama, and the duplicates are always removed. I never thought about the specifics until now. Here is a doc that explains the process -> https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/manage-firewalls/transition-a-firewall-to-panorama-management/plan-the-transition-to-panorama-management#id068490d9-66d8-4de4-8c7a-f6bd06b3153e_idedeb9d50-b4e0-475d-869d-5deccc7f8661. Look under the section "Plan how to manage shared settings." The rules are as follows:

If the name and value are the same, it is not imported.
If the name or value differs (assuming one name or value is the same?), the object is imported into the device group and not Shared.
If the object references a shared object or template on the NGFW, it is imported into Shared even if you didn't check the box.

I would love to hear what you find if you import objects with duplicate names and/or values.

Thanks,

Tom

Re: How are duplicate shared objects identified in Panorama?

MDroyKT — Mon, 24 Apr 2023 19:17:32 GMT

Thank you, Tom! It will likely be a few months at least before I get all our firewalls migrated (still in the planning phase for the first firewall migration) but I will make a note to comment back here on it once I do.

Thanks,

Michelle

Re: How are duplicate shared objects identified in Panorama?

swaschkut — Tue, 11 Jul 2023 08:13:39 GMT

for the mentioned example:

1) different object name but same value: "Server-DNS" with IP 8.8.8.8 and "DNS-Server" also with IP 8.8.8.8

there is nothing available directly on PAN-OS Firewall or Panorama; until now also not on the Strata Cloud Manager.

For all the mentioned Palo Alto Networks products you can use PAN-OS-PHP framework with predefined utilities to find and merge e.g. duplicate address objects by value.

The tool is also checking and correcting all places where the planned merged object is used and is replacing it with the object which will be kept.
https://github.com/PaloAltoNetworks/pan-os-php

also available as Docker Container:

docker run  --name panosphp --rm -v ${PWD}:/share -it swaschkut/pan-os-php:latest

more information about the specific address-merger utility:
https://github.com/PaloAltoNetworks/pan-os-php/wiki/type=address-merger

more predefined merger scripts available for:
- rule
- address-group
- service
- service-group
- tag
- custom-url-category

Re: How are duplicate shared objects identified in Panorama?

TomYoung — Tue, 11 Jul 2023 12:55:01 GMT

Thank you @swaschkut for the cool tool!

Expedition is also able to clean up the config via the API.

Re: How are duplicate shared objects identified in Panorama?

swaschkut — Wed, 30 Aug 2023 09:15:59 GMT

Panorama configurations with big config file size are hard to optimise.
Based on the feedback of Palo Alto Networks Professional Services engineers, you need to focus on which tool can be used,
to be successfully in a timely manner.

PAN-OS-PHP has an additional feature by optimise your configuration and based on the changes it is possible to provide "set commands",
which can be directly pasted into the Panorama / Firewall CLI.

This feature is needed for customers where a ChangeRequest must be up-front documented well with detailed change commands,
and of course where NO direct PAN-OS XML API access is possible.