topic Re: Move/clone/copy from FW Local Policies to existing Device Groups in General Topics

Move/clone/copy from FW Local Policies to existing Device Groups

Metgatz — Thu, 26 Jan 2023 07:19:13 GMT

Clone or move FW Local Policies to Device Groups

Hello good afternoon, as always, thanks for the collaboration, time and good vibes.

I have the following question.

Due to bad practices some admins have made changes and added local policies.

The Firewall in HA has its device-groups where there are a large number of policies, ie most, almost 90% are via device groups, but there are 10% that created them locally.

So is there a way to take those local policies, clone them, move them, etc ?

So that you don't have to create them manually?

Thanks, I remain attentive

Best regards

Re: Move/clone/copy from FW Local Policies to existing Device Groups

aleksandar.astardzhiev — Sun, 29 Jan 2023 22:50:36 GMT

Hi @Metgatz ,

Unfortunately as far as I know Panorama does not have any mechanism to get local policy rules and update the device group. But there is "hacky" way to do it.

In my humble opinion - if the rules are not many, just do it in the dummy manual way:

- Connect to FW with CLI

- Set configuration view to set mode -> set cli config-output-format set

> set cli config-output-format set

- Enter config mode and show security policy. Note this way show command will show only the local configured rules

> configure # show rulebase security rules

- Copy everything from here to text file

- Panorama cannot push rules with rulename already exist. So you need to add some prefix/suffix to the rulenames in the text file

- Connect to Panorama with CLI, climb the config three to the device group you want to update and paste the rules from the text file

> configure # edit device-group XXXX pre-rulebase security //(optional, but recommended) # run set cli scripting-mode on <paste rules from text file> # run set cli scripting-mode off

- Move the rules at desired location in GUI (you can do it over CLI, but I for me this action is easier in the GUI). Note that we created the rules in the pre-rules sections, the purpose is for the new rules to shadow the local rules so the traffic can start matching those instead of the local.

- Once you confirm all traffic is matching the Panorama pushed rules, delete the local configured one

- (Optional) remove the prefix/suffix that you add to the rulenames as it is no longer required (local rules are gone)

You need to do this for any address, service, group and any other object that is created locally and used by this rules.

I prefer this method, because I am sure no import will mess my Panorama config, or it will affect the rest of the rules. The problem is that it doesn't scale well if you have too many object, services, security profiles and rules to import.

Here comes the "hacky" way - https://knowledgebase.paloaltonetworks.com/kcsArticleDetail?id=kA10g0000008UIP&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FkcsArticleDetail&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FkcsArticleDetail

In summary:
- You convert all firewall to local. This will merge panorama pushed config with the local and import it to the local config file

- You remove firewall from existing device-group and template (guide tells you to remove FW completely, but I don't think is necessary, just de-associate it with any device-group and template in order to import device config)

- Import device config to Panorama. This will create new templates and device-group and associate the FW with them

- Export device config to the firewall, which will "convert" the whole config from local to Panorama pushed"

- Push config to firewall to have green light for config sync.

- Once you happy with the result, you can delete the old device-group and templates and rename those that are associated with the FW,

Re: Move/clone/copy from FW Local Policies to existing Device Groups

TomYoung — Mon, 30 Jan 2023 03:07:39 GMT

Hi @Metgatz ,

I bet "load config partial" will do the trick. https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-cli-quick-start/use-the-cli/load-configurations/load-a-partial-configuration

Export the config from the NGFW. Import to Panorama, but do not load. Run "load config partial" from the CLI of Panorama:

Mode merge
From NGFW file
From security policy Xpath (from NGFW API browser)
To running-config
To device group security policy pre-rules Xpath (from Panorama API browser).

I've done load config partial a few times, but I can't remember if I moved from local to device group.

You could also use Expedition if (1) it was already (2) or you wanted to - set it up.

Thanks,

Tom

Re: Move/clone/copy from FW Local Policies to existing Device Groups

Metgatz — Tue, 31 Jan 2023 02:45:24 GMT

Hello @TomYoung @aleksandar.astardzhiev

Thanks to both of you for the tips, I will check them out and try, they are good approaches.

Now have any of you in PANORAMA done an import of a backup and then a.:

Load Named Configuration - Select Device Groups & Template ?

Has anyone had the experience of loading, from the GUI, selecting only one particular Device Groups example, so as not to alter anything else in Panorama at all?

Thanks, I remain attentive

Best regards