Tag Based Rule Groups support for expedition?

L1 Bithead

Tag Based Rule Groups support for expedition?

As 9.0 now supports Tag Based Rule Groups instead of the Tag Browser, it would be very nice to have this available in Expedition as well.

 

Currently the group will be removed if you make changes to the security rules in Expedition and make the API call.

L4 Transporter

Re: Tag Based Rule Groups support for expedition?

We will open a Jira ticket to add this new feature in the parser for PAN-OS so this information is not lost while passing through Expedition.

L1 Bithead

Re: Tag Based Rule Groups support for expedition?

Awesome, thanks

L1 Bithead

Re: Tag Based Rule Groups support for expedition?

Do you have a timeframe for when this new feature will be available?

L4 Transporter

Re: Tag Based Rule Groups support for expedition?

I think that tags are currently supported through the import process, so they are not lost during the Expedition management.

 

Functionalities related to the use of group tags, such as visualization, are not implemented, and they are not a high priority for us.

L1 Bithead

Re: Tag Based Rule Groups support for expedition?

I have just migrated a Cisco config to Panorama, where I had existing rules with "Group Rules By Tag" configured on the rules. After doing an API send call, I get the new rules added, but the "Group Rules By Tag" settings were cleared from the existing rules.

L4 Transporter

Re: Tag Based Rule Groups support for expedition?

Thanks for reporting this.

 

Were you running 1.1.40?

If so, would it be possible to share the configuration with us so we can do some debugging on our side?

 

Please, contact us at fwmigrate at paloaltonetworks dot com if you could share the config.

 

Best,

L1 Bithead

Re: Tag Based Rule Groups support for expedition?

It should be fairly easy to recreate the behavior:

  1. Set a group tag on any existing rule in Panorama
  2. Load the Panorama config into Expedition
  3. Edit a rule (with or without group tag - makes no difference)
  4. Generate and execute the API calls

 

All rules will now have their group tags removed.

When viewing the generated API calls, it is obvious that the [group-tag] key is not set and therefore it will be "deleted" when editing the ruleset.

 

So I guess it is necessary that the group-tag is imported from the Panorama config so it can be set when generating the API calls?
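A check for the behaviour reported in this thread, added here as an example (it is not code from Expedition or from any poster): compare a configuration export taken before the API calls with one taken after, and list every rule whose group tag was dropped. The XML layout (rule `<entry>` elements under `<security><rules>` with an optional `<group-tag>` child), the rule names and both sample exports are assumptions constructed for the illustration, and rule names are assumed unique within the export.

```python
import xml.etree.ElementTree as ET

# Constructed sample exports, not taken from the thread. Assumed layout: each
# security rule is an <entry name="..."> under <security><rules>, carrying an
# optional <group-tag> child.
BEFORE = """<config><pre-rulebase><security><rules>
  <entry name="allow-web"><group-tag>web</group-tag><action>allow</action></entry>
  <entry name="allow-dns"><group-tag>infra</group-tag><action>allow</action></entry>
  <entry name="deny-all"><action>deny</action></entry>
</rules></security></pre-rulebase></config>"""

AFTER = """<config><pre-rulebase><security><rules>
  <entry name="allow-web"><action>allow</action></entry>
  <entry name="allow-dns"><action>allow</action></entry>
  <entry name="deny-all"><action>deny</action></entry>
  <entry name="migrated-1"><action>allow</action></entry>
</rules></security></pre-rulebase></config>"""


def group_tags(xml_text):
    """Map rule name -> group-tag text, or None when the element is absent."""
    root = ET.fromstring(xml_text)
    return {e.get("name"): e.findtext("group-tag")
            for e in root.iterfind(".//security/rules/entry")}


def lost_group_tags(before_xml, after_xml):
    """Rules present in both exports whose group-tag was dropped or changed."""
    before, after = group_tags(before_xml), group_tags(after_xml)
    return {name: (tag, after[name])
            for name, tag in before.items()
            if tag is not None and name in after and after[name] != tag}


if __name__ == "__main__":
    for name, (old, new) in sorted(lost_group_tags(BEFORE, AFTER).items()):
        print(f"{name}: group-tag {old!r} -> {new!r}")
```

Running the comparison after every push makes a silently cleared rule grouping visible before anyone relies on the tag view to review the policy.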
