topic Re: Total Objects and Device Groups in General Topics

Total Objects and Device Groups

mjanik01 — Thu, 04 Apr 2019 16:54:45 GMT

Hello! I want to start this off for apologizing if i do anything wrong here or miss any processes as this is my first post.

I had the question for the community to see if anyone has ever ran into something like this, or what my best course of action would be.

We started migrating our environment off of the PA-500's to PA-220's (in the effort to keep cost down in very small sites that we have), but one thing that we didn't expect to run into is hitting the object limit of only 2500 objects.

So the steps we have taken so far are to create two device groups, one for the larger devices in our environment and one for the smaller...but now we have the task of converting the objects that aren't in use on the smaller devices to the larger device group, and also out of our shared group.

Does anyone know of a quicker or more efficient way to handle this instead of having to manually go through each object, do a global find, and create a new object and rule while deleting the old one.

Any help in the right direction would be greatly apprecaited.

Thank you!

-Matt

Re: Total Objects and Device Groups

BoDollis — Thu, 04 Apr 2019 17:34:38 GMT

Export the objects via CLI to text, you can use that to create a script to create or remove them on whichever host you like.

Re: Total Objects and Device Groups

Remo — Sat, 06 Apr 2019 22:17:50 GMT

Hi @mjanik01

In panorama there is an option called "Share unused address and service objects with devices". If you disable this option panorama pushes only the required objects to the firewalls.

--> https://docs.paloaltonetworks.com/panorama/8-0/panorama-admin/manage-firewalls/manage-device-groups/manage-unused-shared-objects

(This requires that you also manage the policies in panorama and not only the objects because only this way panorama is able to know whitch objects need to be pushed)

Re: Total Objects and Device Groups

cenectro — Mon, 08 Apr 2019 15:24:26 GMT

@Remo,

Does disabling this option remove the unused objects from the devices?

Re: Total Objects and Device Groups

mjanik01 — Mon, 08 Apr 2019 15:33:28 GMT

Hello,

Part of the problem is we still have local policies on our firewalls (we are currently in the process of trying to clean that up, migrating everything into panorama but there ARE still objects used in local policies.

Re: Total Objects and Device Groups

BPry — Mon, 08 Apr 2019 16:01:09 GMT

@cenectro,

Disabling that option removes the unused objects from the firewall and will stop sharing the objects that aren't used in policies with the device.

Re: Total Objects and Device Groups

BPry — Mon, 08 Apr 2019 16:05:10 GMT

@mjanik01,

For the local objects, the firewall won't allow you to remove an address object if you attempt to delete it if it's still being used in policy. So you could actually attempt to mass delete any object that is on the firewall and as long as it doesn't throw an error it shouldn't be utilized in policy at all.

The only time I've seen this cause any issues is if you have a dested address-group as a member of an address-group. The firewall at that point isn't smart enough to realize that it's an in-use address object.

Re: Total Objects and Device Groups

mjanik01 — Mon, 08 Apr 2019 16:15:50 GMT

That works only if we're deleting from the local firewalls, but we're trying to delete panorama objects and its impossible to tell if they're used locally on the firewalls, unless we go through each of the objects manually on the local devices (which we're trying to avoid).

That was the original thing we attempted, but we were running into SO many objects still used on the local devices, that it just wasn't feasable anymore.

Re: Total Objects and Device Groups

BPry — Mon, 08 Apr 2019 16:24:34 GMT

@mjanik01,

Got it. I assumed that the local objects would only be used in local policy on the firewalls themselves. If you've mixed Panorama objects with local policies things get much more complicated.

A faster way of doing this would be to dump the XML configuration files and dumping the Panorama objects. This would give you a list of searchable objects at least, instead of having to be logged into every single device.

Re: Total Objects and Device Groups

Remo — Mon, 08 Apr 2019 17:19:27 GMT

@cenectro

Script it!

Foreach $object in $panoramaobjects {

Foreach $firewall in $firewalls {

If ($object is in use) {

Write-to-log ($object is used on $firewall)

}

Re: Total Objects and Device Groups

mjanik01 — Thu, 11 Apr 2019 14:08:37 GMT

Hello,

Forgive my ignorance here (as i'm no programmer or anything by any means),

but trying to follow that logic in what you put below, i feel thats the opposite of what we want. we want to know which objects are NOT in use, by both panorama and the local firewalls themselves (which is the part of this thats a giant pain).

Thank you!

Re: Total Objects and Device Groups

Remo — Thu, 11 Apr 2019 17:02:25 GMT

@mjanik01

Yo're right. It should be more like this pseudocode:

Foreach $object in $panoramaobjects {

Foreach $firewall in $firewalls {

If ($object is not in use)

Delete-fw-object($object,$firewall)

Delete-panlrama-object($object,$panorama)

}