topic Import existing config into Panorama woes in General Topics

Import existing config into Panorama woes

drewdown — Tue, 24 Sep 2019 14:25:55 GMT

We have a handful of standalone PAs that we want to import into Panorama. However in our first interation it failed with the following errors and I am not sure why. The entire process isn't made clear to me either via PA (like a lot of their stuff but I digress) so I was wondering if anyone has done this and can help point me in the right direction?

Commit/validation fails on the following items on the firewall after import/export back to it from the Panorama:

Validation Error: log-settings -> profiles -> Forward to Panorama and Email -> match-list -> test-Alerts -> send-email 'Test Alerts' is not a valid reference log-settings -> profiles -> Forward to Panorama and Email -> match-list -> test-Alerts -> send-email is invalid log-settings -> profiles -> Forward to Panorama and Email -> match-list is invalid log-settings -> profiles is invalid log-settings is invalid shared is invalid rulebase -> security -> rules -> outbound-block-all -> from 'trust' is not an allowed keyword rulebase -> security -> rules -> outbound-block-all -> from 'trust' is not a valid reference rulebase -> security -> rules -> outbound-block-all -> from is invalid rulebase -> security -> rules -> outbound-block-all -> to 'untrust' is not an allowed keyword rulebase -> security -> rules -> outbound-block-all -> to 'untrust' is not a valid reference rulebase -> security -> rules -> outbound-block-all -> to is invalid rulebase -> security -> rules -> untrust-block-all -> from 'untrust' is not an allowed keyword rulebase -> security -> rules -> untrust-block-all -> from 'untrust' is not a valid reference rulebase -> security -> rules -> untrust-block-all -> from is invalid rulebase -> security -> rules is invalid rulebase -> security is invalid rulebase is invalid vsys is invalid devices is invalid In VSYS vsys1 from zone trust of type unknown and to zone untrust of type unknown are incompatible in security rule outbound-block-all Configuration is invalid

2 errors when trying to do this, both of which appear to be originating from the PAN > FW.

The first one is a log setting on the 'outbound-block-all' rule on the PAN. That specific log settings doesn't exist on the FW.
Again same rule that is already on the PAN in 'Post Rules,' its shared between all of our existing DGs on the PAN. The only difference between the zones on the FW and the PAN is the first letter is capitalized which I assume is why it chokes?

I changed the zone names to match on the FW but not sure what to do about the log/email settings? Also not sure why its complaining about 'shared' as well.

Re: Import existing config into Panorama woes

MichaelShelton — Tue, 24 Sep 2019 17:25:37 GMT

Drewdown,

not sure if you fixed this already...

2 errors when trying to do this, both of which appear to be originating from the PAN > FW.

The first one is a log setting on the 'outbound-block-all' rule on the PAN. That specific log settings doesn't exist on the FW.

I think you may have to turn off log forwarding on the panorama

Before importing the security policies, you need to disable logging to Panorama. On the firewall, either modify your log forwarding profile to remove Panorama, or edit each security policy and set the log forwarding profile to none:

Again same rule that is already on the PAN in 'Post Rules,' its shared between all of our existing DGs on the PAN. The only difference between the zones on the FW and the PAN is the first letter is capitalized which I assume is why it chokes?

The name zone name makes a difference and should be the same.

Re: Import existing config into Panorama woes

drewdown — Tue, 24 Sep 2019 17:50:13 GMT

@MichaelShelton

I changed the zone names on the FW to all lowercase and committed it but when I did that the tunnel between that FW and our on-prem FW went down. I had to bounce the tunnel to get it passing traffic again....odd but whatever.

As far as the logging goes I am not logging anything to Panorama on the FW. Those 'Test-Alerts' are configured on the Panorama and pushed to my other managed PANs. On the FW I am trying to import logging is only set to 'Log at Session End' and Forwarding set to 'none' on every policy.

Are you are saying to disable the log settings on the 2 shared POST security policies on the PANORAMA? This stuff is so cryptic, sometimes I love PAN and other times I want to beat it like a red headed stepchild.