Hotfix Release Notes

by alestevez 04-09-2015 09:32 AM - edited 10-01-2015 10:31 AM

 

Version 3.1.5

Please go to https://live.paloaltonetworks.com/t5/Migration-Tool-Discussions/Version-3-1-5-Released-on-October-1s...

 

Version 3.1.1

Release day August 14th 2015 00

 

Fixes:

  1. Remove unused Objects. The function was not reading the shared objects. Now it does.
  2. API Output Manager. Sending API calls to Panorama returned the error "serial number is not connected". It should now work.
  3. PHP Warning: mysql_real_escape_string() in the debug window. The error has been fixed.
  4. Edit NAT Rules. Sometimes, when changing the NAT type from static to dynamic, the address was not removed correctly. The NAT editing process has been reviewed.

 

Version 3.1

Release day July 31st 2015 00

 

Please get all the information here: MigrationTool 3.1 Info and Guide

 

Enjoy !

 

Version 3.0.8

Release day July 27 2015 00

 

Fixes:

  1. Cisco. The parser was handling names as case insensitive. It is now case sensitive.
  2. Address filter "Duplicated by name". An error in the SQL query prevented the duplicated addresses from being shown in the panel.

 

 

Migration Tool 3.1 Beta

Migration Tool 3.1 Beta Testing has started !

 

Version 3.0.7

Release day July 2 2015 00

 

Fixes:

  1. Sidewinder: Static routes, applications and groups in version 8.X were not correctly imported.
  2. Cisco: When a zone name was longer than 15 characters, some rules that used those zones showed the zone as empty.
  3. Palo Alto Networks: If rules contained users with a backslash, the username was incorrectly stored in the database. This prevented the tool from generating the final XML.

 

Version 3.0.6

Release day June 29 2015 00

 

Fixes:

  1. ScreenOS. Badly named interfaces were causing a wrong zone assignment. The output had empty zones in NAT and Security Rules.

 

Version 3.0.5

Release day June 22 2015 00

 

Fixes:

  1. Checkpoint. Exclusion Groups. There was an issue calculating all the elements inside the exclusion group: only the first member was added to the group.
  2. Edit NAT Rules. When Source NAT was configured as dynamic-ip (or ip-port) and changed to static with the interface IP address, the change was not applied. (reported by kmurphy)
  3. Remove Content-ID Objects. This function was not working properly. (reported by fl1654)
  4. Drag and Drop Services Groups into Shared. An error in the process prevented moving the services groups into the Base config. (reported by terrence.shipclark@humber.ca)
  5. Sidewinder. Services groups were not imported. The function to read the services groups was not correctly applied to the import process. (reported by Mike.Bermudez)
  6. Edit Security Rules. Reviewed the code that manages the changes, because sometimes the sources, destinations and tags were lost when clicking Save. (reported by kmurphy)

 

Enhancements:

  • Snippets: When importing Snippets into a project, the tool uses the name contained in <entry name="thisName"> instead of the name used to store the snippet in the MT3. (requested by fl1654)

 

Offline Updates:

     Download from here Off-line Updates - Files

 

 

Version 3.0.4

Release day June 16 2015 00

 

Fixes:

  1. Snippets: Custom Reports, Profile Groups (reported by fl1654)
  2. Filtering by Services neq: the service "any" was not correctly managed. (reported by M.Alzahaby)
  3. Snippets: Duplicated group types (reported by fl1654)
  4. Checkpoint: Empty Zones caused by removed groups without members
  5. Multi Edit: Updating an existing element with a different one was adding the new one but keeping the old one. (reported by kmurphy)
  6. Output. Generating the XML file when the objects are in one Source and the Rules are moved into another Source, in order to show the sources and destinations in the Rules. (reported by fl1654)

 

Updates Offline:

     Download from here Off-line Updates - Files

 

Version 3.0.3

Release day June 5 2015 00

 

New Features:

  1. Devices. Retrieve Configuration: When editing a Device in the Migration Tool, you can retrieve the running configuration with the new button.
  2. Added Rename Rule Names for NATs. Shown by right-clicking a NAT Rule.
  3. In Panorama. Convert a Rule from a DeviceGroup to Shared.
  4. Objects: Addresses, Services, groups and tags can be cloned into the same VSYS or into a different one, for example into Shared or another VSYS. If the object already exists in the destination, the name will be changed to "Cl-xxx"; if not, the same name is kept.
  5. Tags. Convert to Cloned. Converts the selected tags into Shared, replacing the old tag. All the references will be updated to the new shared object.

 

Fixes:

  1. When editing Interfaces, the Link Settings were not shown.
  2. Added Aggregated interfaces support when generating XML or API output.
  3. Added Negate (source and destination) when importing a Palo Alto Networks device into the tool.
  4. Added some minor fixes in the Output Generation.

 

 

 

Version 3.0.2

Release day June 1 2015 00

 

New Feature:

  1. UPDATES OFFLINE. Added a new option under Updates (import bundle offline) that lets you download a bundle file from our community (live.paloaltonetworks.com/migrate) and then upload the file into the tool to upgrade without being connected to the Internet.

This process will start to work after you upgrade to 3.0.2 (June 1st) and we start releasing new hotfixes from this date. (requested by SandroHerpich and others)

 

Version 3.0.2

Release day May 30 2015 00

 

Fixes:

  1. Added new Snippets: Spyware Profile, Custom Reports, Profile Groups.
  2. Minor fixes in the generation of the XML output file.

 

Version 3.0.2

Release day May 29 2015 00

 

Fixes:

  1. Checkpoint. When loading configs from VSX, some nulls were shown.
  2. Auto Zone: Totally renewed, plus support for negated sources and destinations. (special thanks to cpainchaud)
  3. NAT. Clone Rule now works. (bug reported by plingeman)
  4. Output. XML. Fixed issues when generating Panorama configs where some pieces were lost in the process.

 

New:

  1. Monitor. Logs. Remove entries or mark them as fixed in case you have to make some manual fixes in your config.
  2. Added support to import PAN-OS configs with an IP address in the sources or destinations. Before, the tool was generating address objects with the name H-ipaddress; now they load into the tool. The tool creates them as address objects, but at the end these objects are not added to the address catalog in your XML file or API call.
  3. Added support for "dummy" addresses. When a firewall configuration is loaded but some of the objects in the rules come from Panorama (they are not in the firewall config), the tool will create them as "dummy" objects. You will see them so that the output stays in sync when you finish your changes; those objects are identified by the Palo Alto Networks logo.

 

 

 

Version 3.0.1

Release day May 25 2015 00

 

Fixes:

  1. Output in Set commands. Templates were not created as SET commands. (lib pan-python updated)
  2. Google Chrome version 43 has an issue with the nested context menus in the security rules: they disappear as soon as the mouse is over them.

 

Changed Behaviour:

  1. CISCO: Zones longer than 15 characters are now stored in the database with their original length and you will see alerts, instead of the names being automatically truncated to 15 chars. Truncation was causing issues when several zones shared the same first 15 characters.
  2. A NAT Rule with destination Zone "none" will count as an Invalid Rule in the Dashboard.

 

Version 3.0.1

Release day May 21 2015 00

 

Fixes:

  1. When cloning Security Rules the Security profiles were lost.
  2. Multi Edit: When editing the Log Forwarding profiles, the change was not applied to all the selected rules.

 

Version 3.0.1

Release day May 19th 2015 00

 

New Feature:

  1. Added support for automatically converting Exclusion Groups from Checkpoint into the right set of IP addresses, networks and IP ranges. A log entry will be created for each Exclusion Group explaining the original networks, the excluded ones and the final members calculated by the Migration Tool.
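
The exclusion-group conversion described in this item (the members of a group minus an excluded set, expressed as plain networks) can be sketched as follows. This is an added example, not the Migration Tool's code: the function names, the log format and the sample addresses are constructed, and it handles IPv4 and emits CIDR blocks only, not IP ranges.

```python
import ipaddress


def expand_exclusion_group(included, excluded):
    """Return the CIDR blocks that cover `included` minus `excluded`.

    Both arguments are lists of strings: networks ("10.0.0.0/24") or
    single hosts ("10.0.0.5", treated as a /32).
    """
    remaining = list(ipaddress.collapse_addresses(
        ipaddress.ip_network(n) for n in included))
    for raw in excluded:
        hole = ipaddress.ip_network(raw)
        next_round = []
        for net in remaining:
            if not net.overlaps(hole):
                next_round.append(net)      # untouched by this exclusion
            elif net.subnet_of(hole):
                continue                    # fully excluded: drop it
            else:
                # hole lies strictly inside net: keep everything around it
                next_round.extend(net.address_exclude(hole))
        remaining = next_round
    return list(ipaddress.collapse_addresses(remaining))


def exclusion_log_entry(group_name, included, excluded):
    """Build one audit line listing original, excluded and final members."""
    final = expand_exclusion_group(included, excluded)
    return "%s: original=%s excluded=%s final=%s" % (
        group_name,
        ",".join(included),
        ",".join(excluded),
        ",".join(str(n) for n in final) or "(empty)",
    )


if __name__ == "__main__":
    # Constructed sample: a /24 with its upper half and one host excluded.
    print(exclusion_log_entry(
        "grp_except_dmz", ["10.0.0.0/24"], ["10.0.0.128/25", "10.0.0.1"]))
```

Comparing the final member list against the original group in the log entry is the quickest check that every member of the group was processed.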

 

Fixed:

  1. Services. The "invalid" filter showed a wrong number in the pagination bar. It now shows the right number of elements under this filter.

 

Version 3.0.1

Release day May 18th 2015 00

 

Fixes:

  1. Invalid Address Groups. Groups with more than 500 members were not shown when the "invalid" filter was selected.
  2. SRX:
    1. Added Global Security Policies
    2. Some services, like junos-icmp-all, were not imported correctly due to a malformed SQL query when storing the service in the tool.

 

Changed Behaviour:

  1. Interfaces and Zones. If there is a duplicate, you can delete one element without affecting the rules, virtual routers or virtual systems. The references will remain while one of the elements continues to exist.
  2. Added the option to search and replace directly from the Address and Services tabs. Just right-click the object name and click "search and replace". (Improvement requested by @Josh_Zuerner)
  3. Security and NAT Rule Editor Window. Changes are now not applied until you click Save.

 

Added Snippets:

  1. Added Response Pages. You can import Response Pages into your projects.

 

 

Version 3.0

Release day May 13th 2015 01

 

New Features:

  1. Added the ability to Change the Rule Names.

    1. Remove (All Rules): This option will remove all the Rule Names for all the Rules under the selected Source and Vsys
    2. Rename to Rule XX: This option will rename all the Rules without any Name to a "Rule XX" (incremental from 1 to X)
    3. Fix Duplicated Names: This option renames all rules with duplicated names by adding "_XX" at the end of each duplicate; only the first rule of each set keeps its original name. Ex.: given "Rule 4", the next rule with the name "Rule 4" will be renamed to "Rule 4_1".

 

 

Version 3.0

Release day May 13th 2015 00

 

Fixes:

  1. Sidewinder: Rules are now imported. This parser is in beta right now. Please report any issue you find.
  2. ScreenOS: In some configurations the addresses were not loaded. If the config had global addresses, the tool was not importing any address.

 

New Features:

  1. Replace DM_INLINE objects by their members. This functionality helps when you import a CISCO config into the tool and all the groups are called DM_INLINE_XX. The tool replaces the group with its members inside the security rules (source, destination and service). You can run this process for only the selected rules or for the whole ruleset. To use the function, right-click any security rule.

 

Version 3.0

Release day May 11th 2015 00

 

Fixes:

  1. CISCO. When the destination address in an access-list was "name" 255.x.x.x, the tool was showing "null".
  2. Combine Functionality for Security Rules. When multiple configurations were loaded into the MT3, combining rules was removing those rules.

 

Known Issues

When importing Panorama, some objects from Templates are missed. Work in progress.

Sidewinder. The security rules are not imported. Work in progress.

 

Version 3.0

Release day May 2nd 2015 00

 

Fixes:

  1. API Output Manager: Fixed output for vsys inside templates. Removed the display-name option.
  2. API Output Manager: Fixed the position of protocol->bgp on Virtual Routers; before, bgp was wrongly added without the protocol first.
  3. API Output Manager: Added templates (this feature is not 100% finished yet only if you import from Panorama)

 

New Feature:

  1. API Output Manager: Added a new combobox to show only the modifications added to the Base config. This is useful when importing a Palo Alto Networks firewall or Panorama into the tool to add the Applications (App-ID adoption). Select the rules you want to migrate to apps, run the process to import the apps and, after the reconciliation, use this feature to show only the modifications. Use the Subatomic Calls to get the order in case you have cloned some rules. Remember that for new rules the Order API calls must be sent to reorder all the rules; otherwise the API will place the cloned rules at the end of the ruleset.

 

Version 3.0

Release day May 2nd 2015 00

 

Fixes:

  1. Log Connector. Cannot save a new collector. This issue was introduced by the new option to support custom dates for the reports. (Bug reported by oyvind )
  2. Check Used Objects. Added function to prevent infinite loops when calculating used objects in nested groups. (Bug reported by EAndrade  )

 

Version 3.0

Release day April 30th 2015 00

 

Fixes:

  1. Log Connector. Cannot save a new collector. This issue was introduced by the new option to support custom dates for the reports. (Bug reported by oyvind )

 

Version 3.0

Release day April 29th 2015 00

 

Fixes:

  1. When a Proxy is configured, it is now possible to get the updates. Before, there was an error when the proxy configuration was stored. (Bug reported by CJR)
  2. Palo Alto parser. If the configuration was too small, the process was failing in some situations. Added some checks to avoid this situation. (Bug reported by EAndrade)
  3. Increased max RAM to 2GB for the Palo Alto parser. Big configurations were exhausting the 1GB that was previously assigned. (Bug reported by EAndrade)

 

Gui enhancements:

  1. Added to Objects (Services and Address) the option to hide the Shared Address from the view.
  2. Log Connector: Added Period "Custom"  (requested by kevin.thys)


 

Version 3.0

Release day April 27th 2015 00

 

Fixes:

  1. When adding/modifying an Address-Group with a single quote in the description, the object was not updated/created. (Bug reported by kmurphy)
  2. In some configurations, when generating the XML file from a Panorama Base Config, the subinterfaces were not added to the final XML. (Bug reported by CJR)

 

Gui enhancements:

  1. Filters: Security Rules: Added ability to search by Action (deny, allow). Improvement requested by kmurphy.
  2. Filters: Nat Rules: Added ability to search by translated packet (source, destination, port). Improvement requested by kmurphy.

 

New Features:

  1. Interfaces. Added a new option, "remap". Select an interface and remap it, together with all its subinterfaces, to a valid Palo Alto Networks interface like "ethernet1/1". For example, selecting only GigabitEthernet1/1 and remapping it to "ethernet1/1" renames this interface and automatically renames any subinterface like "GigabitEthernet1/1.500" to "ethernet1/1.500".

 

 

Version 3.0

Release day April 26th 2015 00

 

Fixes:

  1. Problem when generating a PDF report from Monitor. The device usage charts were not correctly added at the end of the PDF file.

 

 

Version 3.0

Release day April 24th 2015 00

 

Fixes:

  1. Response Pages. The Palo Alto Networks tags like <url/> were wrongly stored in the database, so when the tool was generating the response page those internal tags were missing.
  2. SRX: Added support to read address and address-groups from the Global Space. (Bug reported by bsaucier)

 

Version 3.0

Release day April 22nd 2015 01

 

Fixes:

  1. Output: Increased the time-out for the function that converts objects to shared. (Bug discovered by adevegamir)

 

Version 3.0

Release day April 22nd 2015 00

 

Fixes:

  1. When merging groups with nested groups, those got duplicated after the merge. (Bug reported by cpainchaud)
  2. When generating XML or API configuration, the process stopped after finding a zone with ACLs configured. (Bug reported by kevin.thys)

 

Changed behaviour:

  1. MERGE. When merging a Group while devicegroup or vsys is set to "all", the duplicated objects are merged and converted to Shared Objects. Now this process also converts all the members to shared, recursively.

 

Version 3.0

Release day April 21st 2015 00

 

Fixes:

  1. When replacing a service by an application on a group, the tool clones the rule to add the new application and assigns application-default as the service. (Bug reported by @Krisz)
  2. Tags. When adding a new Tag, if the description contained single quotes the entry was not saved. (Bug reported by kmurphy)
  3. SCREENOS: Nested Groups were not imported correctly. (Bug reported by vmejia)
  4. FORTINET: In some configurations we were missing the Services.
  5. CISCO: The protocol (other than TCP or UDP) is now automatically changed to the App-ID in the security rule. (Bug reported by cpainchaud)
  6. OUTPUT: If you drag objects into Shared in your Base Configuration, the tool automatically converts them to Shared. In the past this function only changed the vsys to shared but did not convert the objects into the shared object table.

 

Changed behaviour:

  1. Auto Zone Assign: If there is no default-gw in the virtual router, a message is raised to advise of that. A default-gw is needed in order to calculate the zones.
  2. Convert Shared. When selecting Address-Groups or Service-Groups to convert them to Shared, the process now automatically converts the members to Shared as well. This is recursive for all the members.
  3. CISCO: The first time you import into the tool, the zones are calculated based on the access-list's direction ("in" or "out", from the access-group definition). If the access-group was configured on the interface as "in", the source zone is forced to be the one defined on the access-group; if the direction was "out", the destination zone is forced to be the zone assigned on the access-group. This will be lost if the Auto Zone Assign feature is used again. You can lock the rules to prevent changes by this feature.
  4. CISCO: Interface names. The tool keeps the original interface name (like Vlan500). In this case the tool migrates the interface as Vlan with Tag 500 automatically. Before, the tool was using the nameif name.
  5. FILTERS: It is now possible to filter by elements that are "any", "none" or "empty". (Recommendation made by kmurphy)
  6. Objects. Text Search. There is a button to clear the search criteria. There is no need to press Enter after removing the criteria.

 

Gui enhancements:

  1. In Objects (Address and Services) the vsys field can be resized. (Recommendation made by Anon1)
  2. Combo boxes for SOURCE and VSYS/DG now are larger

 

 

Version 3.0

Release day April 16th 2015 00

 

Fixes:

  1. When replacing a service by an application on a rule with more than one service, the tool clones the rule to add the new application and assigns application-default as the service. (Bug reported by @Krisz)
  2. On consolidation. When you select one case, the tool keeps your selection after reloading the store. (Bug reported by kmurphy)
  3. Checkpoint. When reading a routes file from a Linux box, the network was read incorrectly. (Bug reported by jdiaz)

 

Version 3.0

Release day April 15th 2015 00

 

Cisco Parser: Added the interface descriptions.

 

Fixes:

  1. Searching the static routes of one virtual-router was showing a mix of routes from all the virtual-routers. It is now based on virtual-router_id.
  2. In the Output part, sometimes when merging different projects into a Palo Alto Networks configuration on different virtual systems, the objects in vsys1 were lost.
  3. Security Rules Viewer. The order shown when shared, pre and post rules were in place was wrong. It was based on position; now it is position + vsys/dg.

 

Changed behaviour:

  1. Objects (Address and Services plus groups). You can set the vsys/dg to "ALL" and then convert all the selected objects to shared across the whole objects database for a specific Source.
  2. Objects (Address and Services plus groups). You can set the vsys/dg to "ALL" and then use the MERGE functions on the whole objects database. Duplicated objects will be converted to Shared. Before, you had to specify the vsys every time.

    

New Feature Added:

  1. Monitor. A new tab called Audit Logs tracks the changes made by a user using the MT3.
  2. Monitor. Added the option to generate PDF reports based on the logs.
  3. Monitor. Added two options to search the logs, by message and by action, and combining both.

    

 

 

Version 3.0

Release day April 10th 2015

 

New Feature Added:

  1. Server Profiles: Under the Device tab you will be able to see the Server Profiles. You cannot modify them, but in case of duplicates after migrations you can merge the duplicated objects to keep only one before exporting to your device or Panorama.

 

Version 3.0

Release day April 9th 2015

 

We just released the first hotfix for the new Migration Tool 3.0.

 

Fixed Issues

  1. Prevent replacing a service by an application in NAT Rules.
  2. Added application-default when a service has been replaced by an application, only where no service is found at the end of the process.
  3. GUI enhancements. Added a new column in security policies to show, for Panorama configurations, the Shared, Pre and Post rules by color: blue for Shared, green for Pre rules and red for Post rules. To show this, select ALL in the DeviceGroup combobox.
  4. Show Shared rules in Panorama in the right order when entering a devicegroup.
  5. Prevent editing Shared rules from a devicegroup different from Shared.
  6. Checkpoint: The interface parser supports bond interfaces and translates them to aggregate-ethernet.
  7. Cisco NATs: Fixed an issue importing NAT from some objects: nat (zone1,zone2) static obj1

 

Known Issues

When importing Panorama, some objects from Templates are missed. Working to fix it this week.

Sidewinder. The security rules are not imported. Work in progress.

 

How to Upgrade

From the main window go to Updates and click Update in the bottom bar.

 

Enjoy!

Post any questions you may have to the discussion forum. Thanks.

Comments
by kmurphy
on ‎04-24-2015 07:35 AM

Are the hotfix notes provided for each release entirely inclusive of all changes that were made? Or are there potentially "minor bug fixes" that are not mentioned, but would still make it advantageous to upgrade?
