Populating Panorama from an existing firewall.

L2 Linker

Populating Panorama from an existing firewall.

We have a lab PA2050 that I have tweaked to exactly where I want it to be. We are now trying to add it to a lab Panorama and I would like to populate Panorama with all of the policies and objects from the lab 2050. I exported the running config to an XML file and imported it to the Panorama instance and just changed the server information (IP, gateway, DNS servers, etc.). It kept spitting up errors about administration.

Without modding the xml by hand, is there an easy way to import the policies and objects from the 2050 in Panorama?

L4 Transporter

Re: Populating Panorama from an existing firewall.

It's not possible to directly import the device config to Panorama.

You have to do some manual tasks. Here is a document that describes the process

It's also possible to use the migration tool to migrate policies and objects into Panorama.

L3 Networker

Re: Populating Panorama from an existing firewall.

There is a program called 'panto.py' in the PAN-ksteves package (https://live.paloaltonetworks.com/docs/DOC-3533) that can assist with Panorama migration. It uses a panxapi program from either PAN-perl (https://live.paloaltonetworks.com/docs/DOC-1910) or PAN-python (https://live.paloaltonetworks.com/docs/DOC-4762) to do the migration tasks using the XML API.

If for example you wanted to migrate address object, groups, security and nat rulebase your input file to panto.py could be something like:

    set panxapi-program panxapi.py
    set panxapi-from-tag pa-2020
    set panxapi-to-tag panorama
    setvar CONFIG_VSYS '/config/devices/entry/vsys/entry'
    setvar DEVICE_GROUP 'finance-dg'
    migrate from-xpath $CONFIG_VSYS/address to-xpath-device-group $DEVICE_GROUP
    migrate from-xpath $CONFIG_VSYS/address-group to-xpath-device-group $DEVICE_GROUP
    migrate from-xpath $CONFIG_VSYS/rulebase/security to-xpath-device-group $DEVICE_GROUP pre-rulebase
    migrate from-xpath $CONFIG_VSYS/rulebase/nat to-xpath-device-group $DEVICE_GROUP post-rulebase

and the panto.py program would create the panxapi commands to show and delete the configuration on PAN-OS, and set the configuration on Panorama.
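Added example, not part of the post above and not panto.py's own code: a pre-migration check over an exported firewall config that lists where each subtree named in the input file would land under a device group, and flags security rules whose address members are not defined in the vsys being migrated. The sample config, the function names and the destination xpath template (the usual Panorama device-group layout) are assumptions; objects defined in the firewall's shared scope are not considered.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample of an exported firewall running config (not from the thread).
SAMPLE = """<config><devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
<address><entry name="web-srv"><ip-netmask>10.1.1.10/32</ip-netmask></entry></address>
<address-group><entry name="servers"><static><member>web-srv</member></static></entry></address-group>
<rulebase><security><rules>
<entry name="allow-web"><source><member>any</member></source>
<destination><member>servers</member><member>10.1.1.20</member><member>db-srv</member></destination></entry>
</rules></security></rulebase>
</entry></vsys></entry></devices></config>"""

VSYS = "./devices/entry/vsys/entry"  # CONFIG_VSYS, relative to the <config> root
# Assumed destination layout: the usual Panorama device-group xpath.
DG_XPATH = "/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='{dg}']"
# Source subtree -> location inside the device group, as in the input file above.
MAPPING = [("address", "address"), ("address-group", "address-group"),
           ("rulebase/security", "pre-rulebase/security"), ("rulebase/nat", "post-rulebase/nat")]

def plan(config_xml, device_group, mapping=MAPPING):
    """Return (from-subtree, to-xpath) pairs for subtrees present in the export."""
    vsys = ET.fromstring(config_xml).find(VSYS)
    base = DG_XPATH.format(dg=device_group)
    return [(src, f"{base}/{dst}") for src, dst in mapping if vsys.find(src) is not None]

def is_literal(member):
    """True for 'any' or a literal IP, subnet or a-b range (no object needed)."""
    try:
        for part in member.split("-"):
            ipaddress.ip_network(part, strict=False)
        return True
    except ValueError:
        return member == "any"

def dangling_references(config_xml):
    """Map rule name -> address members that are not defined in the vsys."""
    vsys = ET.fromstring(config_xml).find(VSYS)
    defined = {e.get("name") for tag in ("address", "address-group")
               for e in vsys.findall(f"{tag}/entry")}
    missing = {}
    for rule in vsys.findall("rulebase/security/rules/entry"):
        refs = [m.text for side in ("source", "destination")
                for m in rule.findall(f"{side}/member")]
        bad = sorted(r for r in refs if not is_literal(r) and r not in defined)
        if bad:
            missing[rule.get("name")] = bad
    return missing
```

A non-empty result from `dangling_references` means the migrated rulebase would reference names that do not exist in the device group, so those objects need to be created or migrated first.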

Not applicable

Re: Populating Panorama from an existing firewall.

This all is very confusing. The official Device to Panorama manual is outdated, and some scripts have been done but lack documentation, so I still can't figure out how to migrate existing device config to Panorama. It seems that with the official set & copy/paste method I can't migrate the whole config. The second option is to manually copy/paste config parts from device XML to Panorama XML.

Both methods seem crazy in the year 2013, when other vendors do it automatically.

So your script sounds good. Can I migrate the whole config? But please explain more about how to export data from the device and import it into Panorama, and where to add the device IP, Panorama IP, etc.

L6 Presenter

Re: Populating Panorama from an existing firewall.

I think your best option is to contact your SE and make sure that a feature request is filed towards the HQ that the Panorama in 2013 should be able to simply just import any PA device (so the admin doesn't have to either redo all work or run all sorts of scripts and read outdated docs).

Not applicable

Re: Populating Panorama from an existing firewall.

According to the such feature request is done already a year ago.

It's actually very strange that a vendor whose only product is a firewall is so behind with common features that every other firewall vendor has. PaloAlto must make a serious jump, as right now I feel that simply the term "next generation" doesn't ring the bell anymore.

Also other vendors have made progress. I almost regret moving from CheckPoint to PaloAlto as I miss so many common features...

Palo Alto Networks Guru

Re: Populating Panorama from an existing firewall.

I am really sorry to hear that, ksuuk. We are constantly evaluating feature requests and although this is an important feature, there is a workaround with the script. Hopefully once you do the import, you will find that the UI is intuitive and easy to use. With that said, your feedback is important, and contacting your SE to reinforce the request is the best way for product management to prioritize features for future release. Thank you and please know we are listening. Thank you,

~Jamie

Not applicable

Re: Populating Panorama from an existing firewall.


This is a much needed feature. Why? Because most people buy the firewalls first and as they buy more they see a need for Panorama. Well, it is hard to use Panorama to its fullest features when you can't import the current devices' configs to the Panorama Server. It is very hard to manually put all that into Panorama, especially with policies and tons of URL and address objects.

L4 Transporter

Re: Populating Panorama from an existing firewall.

I really, sincerely hope this feature request was implemented in Panorama 6.0.

It's ridiculous that a centralized management solution created by a firewall company isn't able to import device configs. I feel this concept should have been included on a feature requirements document that was incorporated into Panorama 1.0 honestly, not that we're still going to be waiting for it in 2014.
