BPA on multiple devices and Panorama

L1 Bithead

BPA on multiple devices and Panorama

I'm having some trouble with Best Practices analysis and hoping someone here can confirm the functionality.


I have many devices managed by Panorama.  Their configuration is built through a combination of some local device configuration and policies, plus settings from templates and device groups in Panorama.  I've imported all devices including Panorama into a project, but when I run the Best Practices analysis it seems to only consider the Panorama config.  I don't see the settings or policies from the local device configs in the analysis results.


I believe this worked for me in the past, perhaps there is some trick I'm just forgetting.  I've tried toggling through devices in the bottom toolbar but it seems to have no effect when on the Best Practices tab.  Can anyone else confirm if BPA is working for them with a combination of Panorama and local device configurations?


Expedition 1.1.2 / BP 3.6.3

L4 Transporter

Re: BPA on multiple devices and Panorama

This is a good question.


When checking the BPA, the checks are done on the base-config selected for the project. Probably you have the Panorama config defined as the base-config.


In your case, I understand you would like to check the BPA for the merged configuration, which is neither the Panorama nor the FWs' configs.

In that case, that is a tricky one, because what you could do is to retrieve the merged config from the FW, set it as a base-config, and apply the BPA to see what you should modify in the Panorama config (obviously, you do not want to apply changes to the merged config, as it is a read-only config that results from merging the Panorama and FW configs).


We will internally check with the Customer Success team, who is the one that developed the BPA module that we use in Expedition, in order to see if they have any other approach for this challenge.

L1 Bithead

Re: BPA on multiple devices and Panorama

Unfortunately it seems even the merged configuration retrieved from the FW is not the full picture.  It seems to be missing the security rules that come down from Panorama; only security rules that are defined locally show up in the merged config.  


It would be great if we could have a tool capable of running a comprehensive BPA on devices where the config is partly local and partly from Panorama.  For now, I'm thinking it might be possible to run separate BPA's for the merged device config and the Panorama config, and then take the results from both to get a more complete picture.  If there's a better approach, I'm definitely interested in hearing about it.

L4 Transporter

Re: BPA on multiple devices and Panorama

Are you sure?

The merge config should show the result of merging both Panorama rules and Device rules, obviously, if the device is within the DeviceGroup defined in the Panorama.

L1 Bithead

Re: BPA on multiple devices and Panorama

Yes, I'm pretty sure. I used the API to pull the merged config directly from the firewall, and it definitely does not include the security rules from Panorama.  I get the same results from the CLI command 'show config merged'.  However, when I log into the device's web console, I can see all the rules that came from Panorama, so I'm certain they're getting pushed to the device.


Btw, I can run 'show config pushed-shared-policy' on the firewall and all of the policy objects from Panorama are displayed.  They just do not appear in the merged output.
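The two posts above describe the same gap from two directions: Panorama-pushed security rules are visible in 'show config pushed-shared-policy' but absent from 'show config merged', and the proposed workaround is to analyse both outputs and combine the results. The script below is an added illustration, not part of this thread or of Expedition: it parses both XML outputs, lists the Panorama rules that the merged config is missing (the check the poster ran by hand), and rebuilds the order in which the firewall actually evaluates them (pre-rules, local rules, post-rules). Both XML documents are constructed here, and the element layout of the pushed-shared-policy output is an assumption; the search walks by tag name so it does not depend on the exact nesting.

```python
"""Reconcile 'show config merged' with 'show config pushed-shared-policy'.

Added example for this thread; the XML below is constructed, and the
structure assumed for the pushed-shared-policy output (pre-rulebase /
post-rulebase under <panorama>) is an assumption, not confirmed by the thread.
"""
import xml.etree.ElementTree as ET

# Constructed sample of 'show config merged': only locally defined rules appear.
MERGED_CONFIG = """
<config>
  <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
    <rulebase><security><rules>
      <entry name="local-allow-dns"><action>allow</action></entry>
      <entry name="local-deny-any"><action>deny</action></entry>
    </rules></security></rulebase>
  </entry></vsys></entry></devices>
</config>
"""

# Constructed sample of 'show config pushed-shared-policy': Panorama rules only.
PUSHED_POLICY = """
<policy><panorama>
  <pre-rulebase><security><rules>
    <entry name="pano-block-malicious"><action>deny</action></entry>
  </rules></security></pre-rulebase>
  <post-rulebase><security><rules>
    <entry name="pano-default-deny"><action>deny</action></entry>
  </rules></security></post-rulebase>
</panorama></policy>
"""

# Rulebase containers that can hold a <security><rules> block.
RULEBASE_TAGS = ("rulebase", "pre-rulebase", "post-rulebase")


def security_rules(xml_text, section_tag=None):
    """Return security rule names in document order.

    section_tag limits the search to one container ("rulebase",
    "pre-rulebase" or "post-rulebase"); None returns all of them.
    """
    root = ET.fromstring(xml_text)
    names = []
    for node in root.iter():
        if node.tag not in RULEBASE_TAGS:
            continue
        if section_tag is not None and node.tag != section_tag:
            continue
        for entry in node.findall("./security/rules/entry"):
            names.append(entry.get("name"))
    return names


def missing_from_merged(merged_xml, pushed_xml):
    """Panorama-pushed rules that do not appear in the merged config at all."""
    present = set(security_rules(merged_xml))
    return [name for name in security_rules(pushed_xml) if name not in present]


def effective_rule_order(merged_xml, pushed_xml):
    """Evaluation order on the firewall: Panorama pre-rules, then the local
    rulebase, then Panorama post-rules. Feed this combined view to whatever
    you use for review so the two separate analyses line up."""
    return (security_rules(pushed_xml, "pre-rulebase")
            + security_rules(merged_xml, "rulebase")
            + security_rules(pushed_xml, "post-rulebase"))


if __name__ == "__main__":
    print("Panorama rules absent from merged config:",
          missing_from_merged(MERGED_CONFIG, PUSHED_POLICY))
    print("Effective rule order:",
          effective_rule_order(MERGED_CONFIG, PUSHED_POLICY))
```

Against real devices, save the two CLI outputs (in XML format) to files and pass their contents in place of the constructed strings; a non-empty result from missing_from_merged is the concrete evidence that the merged config alone is not a complete basis for a BPA run.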

L4 Transporter

Re: BPA on multiple devices and Panorama

Weird. Which version of PAN-OS are you running?
We would like to check as well on our device in our lab.

My apologies for the typos, I am writing from my phone.
L1 Bithead

Re: BPA on multiple devices and Panorama

I’ve seen this behavior on devices running 8.0.13, 8.1.3 and 8.1.4.

L0 Member

Re: BPA on multiple devices and Panorama

I am currently running into the same problem on PAN-OS 9.0.


Has this issue been resolved? If so, is there a KB that can be referenced?
