We use that term when you import a configuration from a firewall that has some objects added by a Panorama. When we read the config from the firewall, it could refer to an object that is not defined in that configuration because it was injected by Panorama. In Expedition, those objects that are seen in the config but not defined are called "Ghosts".
I've seen ghost addresses from config imported from ASA. I guess in this case it's objects that weren't defined as objects on ASA and were just used as network addresses?
A ghost object is an object in Expedition that does not get converted into an object in the final PANOS configuration.
Based on this, we can find two types of ghost objects:
- The configuration is from a FW that will use objects inherited from a Panorama. Even though the config can use those objects, they are not defined in the FW, therefore we call them ghosts.
- The configuration is using some explicit IPs in security rules, Nats, etc, that will not consume an object in the final PANOS Configuration, but you can still see them in the "address" table in Expedition. Those objects will be explicitly defined in the security rule and do not refer to PANOS address objects. This applies as well to services.
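The two cases described in this thread, as an added example that is not part of the original posts and is not Expedition's own code: a short script that lists address references in security rules that have no local definition and sorts them into literal IPs and names presumed to come from Panorama. The sample config is constructed, the function names are hypothetical, and treating every undefined name as Panorama-inherited is an assumption; only security rules and addresses are checked, not NAT rules or services.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed firewall config in PAN-OS XML layout.
SAMPLE_CONFIG = """
<config><devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
  <address><entry name="web-srv"><ip-netmask>10.1.1.10/32</ip-netmask></entry></address>
  <address-group><entry name="dmz-hosts"><static><member>web-srv</member></static></entry></address-group>
  <rulebase><security><rules>
    <entry name="allow-web">
      <source><member>any</member><member>192.0.2.0/24</member></source>
      <destination><member>web-srv</member><member>corp-dns</member></destination>
    </entry>
    <entry name="allow-dmz">
      <source><member>dmz-hosts</member></source>
      <destination><member>198.51.100.7</member></destination>
    </entry>
  </rules></security></rulebase>
</entry></vsys></entry></devices></config>
"""

def is_literal(value):
    """True for a bare IP, CIDR network, or IP range used directly in a rule."""
    try:
        for part in value.split("-", 1):
            ipaddress.ip_network(part, strict=False)
        return True
    except ValueError:
        return False

def find_ghosts(xml_text):
    """Map each undefined address reference to the rules that use it."""
    root = ET.fromstring(xml_text)
    # Names that exist as address objects or groups in this config.
    defined = {e.get("name") for tag in ("address", "address-group")
               for e in root.iterfind(f".//{tag}/entry")}
    ghosts = {"inherited": {}, "literal": {}}
    for rule in root.iterfind(".//rulebase/security/rules/entry"):
        for field in ("source", "destination"):
            for m in rule.iterfind(f"{field}/member"):
                ref = (m.text or "").strip()
                if ref in ("", "any") or ref in defined:
                    continue
                # Assumption: an undefined, non-IP name was pushed by Panorama.
                kind = "literal" if is_literal(ref) else "inherited"
                ghosts[kind].setdefault(ref, []).append(rule.get("name"))
    return ghosts
```

Names reported under `inherited` are worth checking against the Panorama device group before migration, since a typo in a rule would show up in the same bucket.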