How to Duplicate Device Groups on Panorama

Printer Friendly Page

Overview

 

Device Groups (DG) in Panorama are used to build configurations that are shared among the managed firewalls. Policy and address objects configurations are pushed to the managed firewalls within Device Groups.

 

At times, the Panorama administrator may need to clone a device group for efficiency and make further edits to customize the device group for a new set of managed firewalls. This task can be performed from the CLI using the method described below.

 

Important: This process requires an administrator account with ‘superuser’ privileges to run the command and issue a commit.

 

The command, load configure partial <attributes>, can be used to merge the XML elements from a certain XPath in a Panorama configuration.

 

Notes:

  1. The devices from the original device group will be moved to the new device group. For example, 36-AP-500 is being moved to DG_clone.
  2. The new device group's Parent Device Group will be Shared. If it is necessary for it to have the same parent as the original, then go to Panorama > Device Groups > DG_clone and change the Parent Device Group to the correct DG

 

Details

First, the configuration must be imported into Panorama. The configuration can be imported from the web-interface or the CLI. The example below will use the predefined ‘running-config.xml’ file which stores the current running configuration on the Panorama server. Whenever a successful commit is completed in Panorama, the configuration is saved to the ‘running-config.xml’ file.

 

Following is the snapshot of the Device Group, DG_1, as seen from the web-interface:

 

The Device Group, DG_1, already exists in the Panorama running-config.xml file. This is the Device Group that will be cloned/duplicated, and the new DG will be named, DG_clone. Run the following command to create DG_clone as a clone of DG_1:

 

# load config partial from running-config.xml from-xpath /config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='DG_1'] to-xpath /config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='DG_clone'] mode merge

 

Config loaded from running-config.xml

 

[edit]

#

 

The above command uses 'running-config.xml' as the source configuration and DG_clone for the name of the newly created clone configuration. Enter the appropriate configuration file if different from 'running-config.xml'. The mode used in the command must be specified as ‘merge’ (as seen in the above example).

 

A new DG with the name, DG_clone, is created after the command above is performed. The following screenshot shows DG_clone in the list of Device Groups:

 

owner: kadak

Comments

This was a very good Article and did the job well when migrating from PA-3020 to PA-5020. 

 

Had to clone the device group on Panorama and push the policy to new firewall. Good and helpful article.

This does not work on Panorama 8.0. You get an "Invalid Syntax" error.

This command is helpful and I can create a cloned device group, it simply worked on 8.0.9 but interestingly it allowed a successful commit for me with same target in cloned device group NAT policies. I have to manually remove target from NAT policies.