topic Re: backup local config to panorama? in General Topics

backup local config to panorama?

denisgaron — Tue, 07 Aug 2012 18:52:49 GMT

Hi,

We already have an PA appliance installed.

We buy panorama 1 month later. Mainly because we want to keep logs long time like 2 years of logs.

So we just want to manage Rules set of the PA with panorma, and get all the logs.

First step i try to do is doing an export/import of the PA to panorama.

There is clear exemple to do that?

For now i only find documentation talking general information of the process, but dont show detail information on how to import/export objects and rules set, from a PA to Panorama.

Maybe there is a Migration Tool that can make this for me?

Its mainly just one rules set that i want to import/export to panorama. Or maybe i will have to redo all those rules manualy in the panorama?

Re: backup local config to panorama?

zarina — Tue, 07 Aug 2012 23:53:27 GMT

Denis,

This document has the required scripts that can help you migrate your config from a standalone PAN to Panorama.

https://live.paloaltonetworks.com/docs/DOC-1911

Thanks,

Sri Darapuneni

Re: backup local config to panorama?

denisgaron — Thu, 09 Aug 2012 13:57:38 GMT

hi Sri,

I new to palo alto. But i know Linux and/or Unix well, and i know firewall like ASA and checkpoint.

So here my question about installing and make work those scripts. I have read the doc, i need some more information, specialy, where I install those Perl package and script.

I have to install : dev2rama-20110815.tar.gz (3.3 K) and PAN-perl-20110828.tar.gz (35.6 K)

I install this directly on the PA-2050 appliance? Or i have to use a linux box?

Re: backup local config to panorama?

denisgaron — Thu, 09 Aug 2012 16:01:34 GMT

Hi, An on other question;

I have install dev2rama on a Linux box. (i still need answer on my precedent message)

I need to understand how to create the api_key.

I need to give that information in the command :

./show.sh ../templates/dev2rama/ 10.X.Y.Z api_key

I have seek on knowledge base, and also in palo alto unit GUI. For now i didnt find how to generate the api_key.

thankS!

Re: backup local config to panorama?

denisgaron — Thu, 09 Aug 2012 17:39:39 GMT

ok i think i have find how to generate the api_KEY:

http://blog.rootshell.be/2012/03/28/are-you-making-the-most-of-your-security-tools/

I have run this on my Linux CentOS box (not over panoramo or PA-2050):

So i suppose i have to install Perl pack and dev tools on panorama?

When i have run this, i get 403 access denied errors messages:

[root@XYZ bin]# ./show.sh ../templates/dev2rama/ 10.X.Y.Z The_api_key_generated

../templates/dev2rama//show/01_address.xpath

Executing: panxapi -rsx "devices/entry/vsys/entry[@name='vsys1']/address"

show: User not authorized to perform this operation. status="error" code="403"

../templates/dev2rama//show/02_address-group.xpath

Executing: panxapi -rsx "devices/entry/vsys/entry[@name='vsys1']/address-group"

show: User not authorized to perform this operation. status="error" code="403"

../templates/dev2rama//show/03_service.xpath

Executing: panxapi -rsx "devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/service"

show: User not authorized to perform this operation. status="error" code="403"

Re: backup local config to panorama?

ksteves1 — Thu, 09 Aug 2012 18:01:48 GMT

On 4.1 you may need to run panxapi -k multiple times to get a key which is not url encoded. The history behind this is the XML API documentation does not state the key is returned encoded if encoding is needed and panxapi relies on LWP to do the encoding which will encode % for POST, which can result in double encoding if previously encoded.

so run panxapi until the key does not contain percent:

$ panxapi -h 172.29.9.121 -kl admin:admin

keygen: success

API key: "PjA4A1Q2RZrxNcHCnh6PDOHc53F4elJ/%2Bjhg16a8GO0="

this key won't work.

$ panxapi -h 172.29.9.121 -kl admin:admin

keygen: success

API key: "Q8acmLknUVOFt5dXq2LjTfZ8GoyTOZ1UoFPsa7nMIzY="

this key will work.

also, the latest version of PAN-perl is PAN-perl-20120107.

Re: backup local config to panorama?

denisgaron — Thu, 09 Aug 2012 18:50:30 GMT

thanks Kevin for help. Yeah indead i have install the latest PAN-perl :

but I finaly done more reading on PAN API DOC:

The problem was in password of the admin account i use. I was using a special char in the passwed.

you can read in the api doc : "Any special characters in the password must be URL/percent-encoded."

So i create a new admin, with no_special_char in it. Then Re-use the URL to regen the Api_KEY

Bingo dev2rama work well now.

I just have to try the rest: getting those rules in Panorama.

==> Just a side note on those that using CentOS Linux BOX :

When installing PAN perl pack v.20120107.

- you need perl (yum install perl)

then lib :

# yum install perl-Net-SSLeay

# yum install perl-Crypt-SSLeay

(those differ from unbuntu)

and

#yum install perl-lib*

You can do cpan stuff like its show in the PAN-perl-Pack doc

Hope this help.

But i wish Palo Alto add a tools in PANORAMA to retrieve rules in a PA appliance, without having to install dev2rama.