Expedition was conceived to reduce the time and efforts a security admin needs to improve and optimize their Palo Alto Networks configurations. Following that effort, we have added, within Expedition, support not only to run a BPA analysis if not also be able to remediate some of the failed checks (all related to Device Config) and now integration with the project IronSkillet. https://github.com/PaloAltoNetworks/iron-skillet
Some times we need to reduce the amount of Objects to be migrated or just for optimization and there is one technique that can help us to reduce objects
Its common when we have used Expedition to migrate a configuration from CISCO or FORTINET to have address objects named as H-X.X.X.X or N-X.X.X.X-XX or even if the name was just an IP Address, but they were created as Address Object and count as Object. There is one function inside Expedition to convert them as IP Address that will be only Used on Rules as IP Address or IP Ranges hard-coded as Source or Destination on Rules. So they will not be used as Address Objects anymore.
This has pros and cons but if our Goal is reduce the amount of Address Objects this can help us.
Search from OBJECTS -> ADDRESS with right-click in one Address select the Predefined Filter called "Name is IP address". This will search the Address where the name is an IP Address.
We can add more filters to this process, Select the Filters Options and add all the Address where the name starts with H- for example, and the objects that starts with N- and the objects that starts with RANGE-, put the focus only on Address.
After Run SQL select the Address you want to transform to an IP Address and right-click with your mouse over one of the selected Address and select the option "Transform" -> "Object To IpAddress" and automatically all those objects will be renamed with the IP or Range Address (netmasks will be added as well in case are not /32) and will be marked internally as "dummy" objects, those objects will not be considered at the time to generate the XML or API Calls.
You can check before to transform them as IP Address if they are part of any group by going to TOOLS and SEARCH & REPLACE.
Symptoms Im trying to login to Expedition but the browser says ' Incorrect user or password' but they are correct. What's going on?
Diagnosis Behavior seen in Chrome by now.
Solution The web browser needs to restart the connetion with Expedition. to do it just reload the web page with the IP address of your Expedition VM and then you will be prompted to allow the certificate again, the session will be then re-established and everything will work again.