Total Objects and Device Groups

L1 Bithead

Total Objects and Device Groups

Hello! I want to start this off by apologizing if I do anything wrong here or miss any processes, as this is my first post.

I had a question for the community to see if anyone has ever run into something like this, or what my best course of action would be.

We started migrating our environment off of the PA-500s to PA-220s (in an effort to keep costs down at the very small sites that we have), but one thing that we didn't expect to run into is hitting the object limit of only 2500 objects.

So the steps we have taken so far are to create two device groups, one for the larger devices in our environment and one for the smaller... but now we have the task of converting the objects that aren't in use on the smaller devices to the larger device group, and also out of our shared group.

Does anyone know of a quicker or more efficient way to handle this instead of having to manually go through each object, do a global find, and create a new object and rule while deleting the old one?

Any help in the right direction would be greatly appreciated.

Thank you!

-Matt

L1 Bithead

Re: Total Objects and Device Groups

Export the objects via CLI to text, you can use that to create a script to create or remove them on whichever host you like.

L7 Applicator

Re: Total Objects and Device Groups

Hi @mjanik01

In Panorama there is an option called "Share unused address and service objects with devices". If you disable this option, Panorama pushes only the required objects to the firewalls.

--> https://docs.paloaltonetworks.com/panorama/8-0/panorama-admin/manage-firewalls/manage-device-groups/...

(This requires that you also manage the policies in Panorama and not only the objects, because only this way is Panorama able to know which objects need to be pushed.)

L0 Member

Re: Total Objects and Device Groups

@vsys_remo,


Does disabling this option remove the unused objects from the devices?

L1 Bithead

Re: Total Objects and Device Groups

Hello,

Part of the problem is we still have local policies on our firewalls (we are currently in the process of trying to clean that up, migrating everything into Panorama), but there ARE still objects used in local policies.

L7 Applicator

Re: Total Objects and Device Groups

@cenectro,

Disabling that option removes the unused objects from the firewall and will stop sharing the objects that aren't used in policies with the device. 

L7 Applicator

Re: Total Objects and Device Groups

@mjanik01,

For the local objects, the firewall won't allow you to remove an address object if you attempt to delete it if it's still being used in policy. So you could actually attempt to mass delete any object that is on the firewall and as long as it doesn't throw an error it shouldn't be utilized in policy at all.

The only time I've seen this cause any issues is if you have a nested address-group as a member of an address-group. The firewall at that point isn't smart enough to realize that it's an in-use address object.

L1 Bithead

Re: Total Objects and Device Groups

That works only if we're deleting from the local firewalls, but we're trying to delete Panorama objects and it's impossible to tell if they're used locally on the firewalls, unless we go through each of the objects manually on the local devices (which we're trying to avoid).

That was the original thing we attempted, but we were running into SO many objects still used on the local devices that it just wasn't feasible anymore.

L7 Applicator

Re: Total Objects and Device Groups

@mjanik01,

Got it. I assumed that the local objects would only be used in local policy on the firewalls themselves. If you've mixed Panorama objects with local policies, things get much more complicated.

A faster way of doing this would be to dump the XML configuration files from the firewalls and dump the Panorama objects. This would give you a list of searchable objects at least, instead of having to be logged into every single device.

L7 Applicator

Re: Total Objects and Device Groups

@cenectro 

Script it!

# $panoramaObjects: object names exported from Panorama; $firewalls: hashtable of
# firewall name -> path to that firewall's exported XML config (assumed inputs).
foreach ($object in $panoramaObjects) {
    foreach ($firewall in $firewalls.Keys) {
        # "In use" approximated as: the name appears in that firewall's config export
        # (a plain substring match, so a name that is a prefix of another may hit twice).
        if (Select-String -Path $firewalls[$firewall] -Pattern $object -SimpleMatch -Quiet) {
            Add-Content -Path $logPath -Value "$object is used on $firewall"
        }
    }
}
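Taking the XML-dump suggestion and the nested address-group caveat from the earlier replies together, here is an added example in Python (not code from this thread or from Palo Alto Networks) that parses a small constructed PAN-OS style config fragment, follows address-group membership transitively, and reports which address objects and groups no security rule reaches. The element layout (vsys `address`, `address-group`, `rulebase/security/rules`) is assumed from the standard config tree; run the same function over each firewall's exported config and over the Panorama dump.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a PAN-OS vsys config export (assumed
# layout, not a real export): three address objects, a nested address-group
# and one security rule that only references the outer group.
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain">
<vsys><entry name="vsys1">
  <address>
    <entry name="web-01"><ip-netmask>10.0.1.10/32</ip-netmask></entry>
    <entry name="db-01"><ip-netmask>10.0.2.20/32</ip-netmask></entry>
    <entry name="old-host"><ip-netmask>10.0.9.9/32</ip-netmask></entry>
  </address>
  <address-group>
    <entry name="web-servers"><static><member>web-01</member></static></entry>
    <entry name="all-servers"><static>
      <member>web-servers</member><member>db-01</member></static></entry>
  </address-group>
  <rulebase><security><rules>
    <entry name="allow-web">
      <source><member>any</member></source>
      <destination><member>all-servers</member></destination>
    </entry>
  </rules></security></rulebase>
</entry></vsys></entry></devices></config>"""


def find_unused(xml_text):
    """Return (unused address objects, unused address-groups) for one config.

    Membership is followed transitively through address-groups, so an object
    that is only reachable via a group nested inside another group still
    counts as in use, the case the firewall's own delete check misses.
    """
    root = ET.fromstring(xml_text)
    defined = {e.get("name") for a in root.iter("address") for e in a.findall("entry")}
    groups = {}
    for ag in root.iter("address-group"):
        for e in ag.findall("entry"):
            groups[e.get("name")] = [m.text for m in e.findall("static/member")]
    # Seed with every member named by a rule, then expand nested groups.
    stack = [m.text for rules in root.iter("rules") for m in rules.iter("member")]
    used = set()
    while stack:
        name = stack.pop()
        if name in used:
            continue
        used.add(name)
        stack.extend(groups.get(name, []))
    return sorted(defined - used), sorted(set(groups) - used)


if __name__ == "__main__":
    print(find_unused(SAMPLE_CONFIG))  # (['old-host'], [])
```

Objects reported as unused on every firewall and in Panorama are the candidates to move into the larger device group; anything reachable only through a nested group still shows as used.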
