topic Re: Populating Panorama from an existing firewall. in General Topics

Populating Panorama from an existing firewall.

bgranholm — Wed, 06 Mar 2013 13:25:14 GMT

We have a lab PA2050 that I have tweaked to exactly where I want it to be. We are now trying to add it to a lab Panorama and I would like to populate Panorama with all of the policies and objects from the lab 2050. I exported the running config to an xml and imported it to the Panorama instance and just changed the server information (IP, gateway, DNS servers, etc...) It kept spitting up errors about administration.

Without modding the xml by hand, is there an easy way to import the policies and objects from the 2050 in Panorama?

Re: Populating Panorama from an existing firewall.

torm — Wed, 06 Mar 2013 15:58:36 GMT

It's not possible to directly import the device config to Panorama.

You have to do some manual tasks.Here is a document that describes the process

It's also possible to use the migration tool to migrate policies and objects into Panorama.

Re: Populating Panorama from an existing firewall.

ksteves1 — Sat, 09 Mar 2013 21:45:46 GMT

There is a program called 'panto.py' in the PAN-ksteves package

(https://live.paloaltonetworks.com/docs/DOC-3533) that can

assist with Panorama migration. It uses a panxapi program

from either PAN-perl (https://live.paloaltonetworks.com/docs/DOC-1910)

or PAN-python (https://live.paloaltonetworks.com/docs/DOC-4762)

to do the migration tasks using the XML API.

If for example you wanted to migrate address object, groups, security

and nat rulebase your input file to panto.py could be something like:

set panxapi-program panxapi.py

set panxapi-from-tag pa-2020

set panxapi-to-tag panorama

setvar CONFIG_VSYS '/config/devices/entry/vsys/entry'

setvar DEVICE_GROUP 'finance-dg'

migrate from-xpath $CONFIG_VSYS/address to-xpath-device-group $DEVICE_GROUP

migrate from-xpath $CONFIG_VSYS/address-group to-xpath-device-group $DEVICE_GROUP

migrate from-xpath $CONFIG_VSYS/rulebase/security to-xpath-device-group $DEVICE_GROUP pre-rulebase

migrate from-xpath $CONFIG_VSYS/rulebase/nat to-xpath-device-group $DEVICE_GROUP post-rulebase

and the panto.py program would create the panxapi commands to show and

delete the configuration on PAN-OS, and set the configuration on

Panorama.

Re: Populating Panorama from an existing firewall.

ksuuk — Mon, 18 Mar 2013 09:29:08 GMT

This all is very confusing. Device to Panorama official manual is outdated, some scripts have done, but lack of documentation, so I still can't figure out how to migrate existing device config to Panorama? Seems with official set &copy/paste method I can't migrate the whole config. Second option is manually copy/paste config parts from device XML to Panorama XML.

Both methods seems crazy in year 2013, when others vendors do it automatically.

So Your script sounds good. Can I migrate the whole config? But please explain more, how to export data from device and import it into Panorama. Where to add device IP, Panorama IP etc.

Re: Populating Panorama from an existing firewall.

mikand — Mon, 18 Mar 2013 09:42:16 GMT

I think your best option is to contact your SE and make sure that a feature request is filed towards the HQ that the Panorama in 2013 should be able to simply just import any PA device (so the admin doesnt have to either redo all work or run all sort of scripts and read outdated docs).

Re: Populating Panorama from an existing firewall.

ksuuk — Mon, 18 Mar 2013 09:53:40 GMT

According to the such feature request is done already a year ago.

It's actually very strange, that vendor, whose only product is firewall, is so behind with common features, that every other firewall vendor have. PaloAlto must do serious jump, as right now I feel that simple the term "next generation" doesn't ring the bell anymore.

Also others vendors have made progress. I almost regret moving from CheckPoint to PaloAlto as I miss so much common features...

Re: Populating Panorama from an existing firewall.

Jamiefitzgerald — Mon, 18 Mar 2013 18:34:45 GMT

I am really sorry to hear that ksuuk. We are constantly evaluating feature requests and although, this is an important feature, there is a work around with the script. Hopefully once you do the import, you will find that the UI is intuitive and easy to use. With that said, your feedback is important, and contacting your SE to re-enforce the request is the best way for product management to prioritize features for future release. Thank you and please know we are listening. Thank you,

~Jamie

Re: Populating Panorama from an existing firewall.

netslh — Thu, 18 Apr 2013 19:54:15 GMT

This is a much needed feature.. Why? Because most people buy the firewalls first and as they buy more they see a need for Panorama. Well it is hard to use Panorama to it's fullest features when you can't import the current devices configs to the Panorama Server. It is very hard to manually put all that into Panorama especially with policies and tons of url and address objects.

Re: Populating Panorama from an existing firewall.

ericgearhart — Wed, 18 Dec 2013 16:34:19 GMT

I really, sincerely hope this feature request was implemented in Panorama 6.0.

It's ridiculous that a centralized management solution created by a firewall company isn't able to import device configs. I feel this concept should have been included on a feature requirements document that was incorporated into Panorama 1.0 honestly, not that we're still going to be waiting for it in 2014.