Tag Based Rule Groups support for expedition?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Tag Based Rule Groups support for expedition?

L2 Linker

As 9.0 now supports Tag Based Rule Groups instead of the Tag Browser, it would be very nice to have this available in Expedition as well.

 

Currently the group will be removed if you make changes to the security rules in Expedition and make the API call.

7 REPLIES 7

L5 Sessionator

We will open a Jira ticket to add this new feature in the parser for Panos so this information is not lost while passing by Expedition.

Awesome thanks

Do you have a timeframe for when this new feature will be available?

I think that tags are currently supported through the import process, so they are not lost during the Expedition management.

 

Functionalities related to use of group tags, such as visualization, are not implemented, and we do not have them in a high priority.

I have just migrated a Cisco config to Panorama - where I had existing rules with "Group Rules By Tag" configured on the rules. After doing a API send Call, I get the new rules added - but the "Group Rules By Tag" were cleared from the existing rules.

Thanks for reporting this.

 

Were you running 1.1.40?

If so, would it be possible to share the configuration with us to make some debugging at our side?

 

Please, contact us at fwmigrate at paloaltonetworks dot com if you could share the config.

 

Best,

It should be fairly easy to recreate the behavior:

  1. Set a group tag on any existing rule in Panorama
  2. load the Panorama config into expedition
  3. edit a rule (with or without group tag - makes no difference)
  4. generate+execute the API calls

 

All rules will now have their group tags removed.

When viewing the generated API calls, it is obvious that the [group-tag] key is not set and therefore it will be "deleted" when editing the ruleset.

 

So I guess it is necessary that the group-tag is imported from the Panorama config so it can be set when generating the API calls?

  • 5680 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!