Panorama Project - Security Policies not showing for "all" or specific device-groups

Reply
L1 Bithead

Panorama Project - Security Policies not showing for "all" or specific device-groups

After importing Panorama into a Project the Dashboard show's the full number of security rules but when you go into the policies, select the Panorama xml config and try to vew "all" or for specific device-groups it displays "no data".   Running v1.1.26, Although I was having this issue on v1.1.22 but left it alone while the web gui reload loop was being fixed.

L2 Linker

Re: Panorama Project - Security Policies not showing for "all" or specific device-groups

I have the same issue, it worked until I upgraded to the latest version. The odd thing is when I choose the device group, nat rules and everything else shows up, but not security policies. 

 

Weird, I am sure there will be an update to fix whatever was broken. 

L4 Transporter

Re: Panorama Project - Security Policies not showing for "all" or specific device-groups

this is due to a change in default behavior - introduced in 1.1.24 - choosing 'All' displays all policies from all DG's for example.

L2 Linker

Re: Panorama Project - Security Policies not showing for "all" or specific device-groups

In prior versions if I had a Panorama connected dg I could see it in security policies. I can see nat and all of the other elements, but not policies. Occasionally when loading I will see a brief flash of the policies and then a blank screen. No weird errors in the logs. 

 

I use Expedition for fifty or sixty ha pairs and selectively choose log export since most of our firewalls generate 15-50gb of logs per day. I don't see any form of resource constraint since our primary VM is in a server farm. 


I loaded it on a vm at my house on a 1.1.24 and it works as expected. I can see the policies, so did I miss something in the release notes?

 

Anyhow, thanks for the help! 

L1 Bithead

Re: Panorama Project - Security Policies not showing for "all" or specific device-groups

We are not seeing any policies at all, either selecting all or specific device group.

L4 Transporter

Re: Panorama Project - Security Policies not showing for "all" or specific device-groups

can you create a new project, import the panorama config again and let me know if you are ablew to see the policies in the new project?

 

i'm trying to narrow the issue to a global issue with your Expedition or something that may be specific to the project.

L2 Linker

Re: Panorama Project - Security Policies not showing for "all" or specific device-groups

I have removed all devices and projects about fifteen times on the current release and the policies don't show up. If I manually enter a non-Panorama firewall it works. I have tried with about twenty different Panorama managed dg's, none of them show up. I have expanded the dg's and imported them and the Panorama dg's do not show polices, but nat, pbf, and all other objects show up. 

 

 

 

 

Highlighted
L1 Bithead

Re: Panorama Project - Security Policies not showing for "all" or specific device-groups

Also have done the same process as @kenvizena countless times with similar results, although even if an individual Firewall is imported the policy still doesn't show for a specifc vsys.  As a test iimported the Panorama xml into a test Expedition VM running v1.1.23 and the policies were displaying as expected.  For various reasons I can't transfer the ~80GB of traffic logs to this test VM in order to run ML and produce a Greenfield Policy.  Hopefully we can get this working again in current versions...    

 
L4 Transporter

Re: Panorama Project - Security Policies not showing for "all" or specific device-groups

@kenvizena can you export project file and email to fwmigrate @ paloaltonetworks.com for debugging.

L2 Linker

Re: Panorama Project - Security Policies not showing for "all" or specific device-groups

Yep, I will do it in the morning. 

 

Thanks for the help!

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!