Reply
L1 Bithead
Posts: 13
Registered: ‎08-09-2017

Palo Alto to Palo Alto expedition not generating XML - HELP

[ Edited ]

Hello there,

 

I imported the configuration of a PA-5050 to Expedition to make some changes till a new PA-3260 arrived to the office. I did the changes, and imported a new base config of the PA-3260. I migrated all network and device objects (policies, IPSec VPN, etc.) to the base config (PA-3260) and merged it "successfully". However,  when hitting the button "Generate XML & SET Output" it justs hangs in Generating Profiles vsys/dg:shared. See screenshot below:

expedition problem.pngDoes not generate XML profile

Please advise as how to fix this, I need to migrate this on Wednesday! (only 1 day left). I have done a cisco ASA to Palo Alto migration without any problems... not sure why Palo Alto to Palo Alto will give me problems. 

 

Expedtion VM:  version 1.0.92

Best Practice version: 3.0.6

 

@alestevez Please advise.

You can contact me directly via email: erivera@cortelcopr.com

 

Regards,

Edwardo S. Rivera

L3 Networker
Posts: 52
Registered: ‎05-21-2018

Re: Palo Alto to Palo Alto expedition not generating XML - HELP

Try opening another browser and make sure the services are still running.

L1 Bithead
Posts: 13
Registered: ‎08-09-2017

Re: Palo Alto to Palo Alto expedition not generating XML - HELP

@bagherib Thanks for the reply.

 

What you mean by services? If you mean the status, is still on:

dashboards.png

 

 

Please help.. Also, the response pages does not want to export to the base config:

response pages not migrting.png

It does not let me to migrate the response pages and I need to.. they are being in use.

 

L3 Networker
Posts: 52
Registered: ‎05-21-2018

Re: Palo Alto to Palo Alto expedition not generating XML - HELP

Correct, if "Status" was red, that means the Expedition services are not running, that happened once and it hung in the same spot as yours.  I re-started it and it worked the 2nd time.

L1 Bithead
Posts: 13
Registered: ‎08-09-2017

Re: Palo Alto to Palo Alto expedition not generating XML - HELP

Thanks, but I checked it and it looks fine.

 

@alestevez:

I upgrade to the latest version and now instead of just hanging, it logs me out of the platform GUI!

I also noticed, is the PA-3260  model supported by the Expedition VM? I dont see listed it, no rthe PAN-OS 8.1 version which the PA-3260 comes from by default from Palo Alto.PA 3260 not in expedition.PNG 

Please advise as I dont have any more type of troubleshooting at my disposal right now... 

L7 Applicator
Posts: 908
Registered: ‎03-22-2011

Re: Palo Alto to Palo Alto expedition not generating XML - HELP

something is breaking the generation of the xml so we need to see the output from the command

 

sudo tail -100 /tmp/error
Highlighted
L1 Bithead
Posts: 13
Registered: ‎08-09-2017

Re: Palo Alto to Palo Alto expedition not generating XML - HELP

Here is the log:

 

expedition@Expedition:~$ sudo tail -100 /tmp/error
[sudo] password for expedition:
                [6]=>
                string(3) "exe"
                [7]=>
                string(5) "flash"
                [8]=>
                string(3) "hlp"
                [9]=>
                string(3) "hta"
                [10]=>
                string(3) "msi"
                [11]=>
                string(20) "Multi-Level-Encoding"
                [12]=>
                string(3) "ocx"
                [13]=>
                string(3) "pif"
                [14]=>
                string(3) "rar"
                [15]=>
                string(3) "scr"
                [16]=>
                string(3) "tar"
                [17]=>
                string(7) "torrent"
                [18]=>
                string(3) "vbe"
                [19]=>
                string(3) "wsf"
              }
            }
            ["direction"]=>
            string(4) "both"
            ["action"]=>
            string(5) "block"
          }
          [1]=>
          object(SimpleXMLElement)#108 (5) {
            ["@attributes"]=>
            array(1) {
              ["name"]=>
              string(31) "Continue prompt encrypted files"
            }
            ["application"]=>
            object(SimpleXMLElement)#74 (1) {
              ["member"]=>
              string(3) "any"
            }
            ["file-type"]=>
            object(SimpleXMLElement)#107 (1) {
              ["member"]=>
              array(2) {
                [0]=>
                string(13) "encrypted-rar"
                [1]=>
                string(13) "encrypted-zip"
              }
            }
            ["direction"]=>
            string(4) "both"
            ["action"]=>
            string(8) "continue"
          }
          [2]=>
          object(SimpleXMLElement)#100 (5) {
            ["@attributes"]=>
            array(1) {
              ["name"]=>
              string(24) "Log all other file types"
            }
            ["application"]=>
            object(SimpleXMLElement)#107 (1) {
              ["member"]=>
              string(3) "any"
            }
            ["file-type"]=>
            object(SimpleXMLElement)#74 (1) {
              ["member"]=>
              string(3) "any"
            }
            ["direction"]=>
            string(4) "both"
            ["action"]=>
            string(5) "alert"
          }
        }
      }
      ["description"]=>
      string(94) "strict - change as needed. zip and rar allowed with continue. allow PE and .cab for ms-updates"
    }
  }
}
bool(false)

Fatal error: Uncaught Exception: Wrong type of input parameters, expected SimpleXMLElement key:value: in /var/www/html/libs/xmlapi.php:1746
Stack trace:
#0 /var/www/html/libs/common/xml/panosxml.php(1458): SimpleXMLElement_append(Object(SimpleXMLElement), false)
#1 /var/www/html/bin/configurations/output/output_function.php(274): xml_profiles(Object(SimpleXMLElement), Array, Array)
#2 /var/www/html/bin/configurations/output/output_function.php(25): generate_xml(Array, '4')
#3 {main}
  thrown in /var/www/html/libs/xmlapi.php on line 1746

I am able to generate a snapshot with only best practice remediation, but not with the remap of interfaces nor the security profiles. I will try just doinf the remap since based on the error looks like something is wrong with the profiles.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!