How to convert DG rules to Shared rules

L3 Networker

I have a Panorama configuration that I imported into the MT3, which contains a single Device Group with all device group post-rules. Is it possible to selectively convert/move some of those rules to Shared post-rules? I see the ability to convert objects to Shared objects, but I don't see how this can be done with policies/rules.

Thanks

L7 Applicator

Re: How to convert DG rules to Shared rules

Hi,

Not yet, but this is on our TODO list :-) Thanks for bringing this up.

L4 Transporter

Re: How to convert DG rules to Shared rules

Hi,

If you are 100% sure that the objects used by your rules are shared (or use MT3 to move them to shared), then you can use third-party scripts like mine (yes, it's an advertisement :smileywink:): https://live.paloaltonetworks.com/docs/DOC-9345

Use the action 'actions=copy:shared', and you might want to use 'filters' to select the rules you are interested in, or just copy them all and then delete the ones you don't need.

You can also edit the XML config file and move what you need; it's a trick admins use, and it takes a few minutes.

L3 Networker

Re: How to convert DG rules to Shared rules

Thank you both!

L3 Networker

Re: How to convert DG rules to Shared rules

One tool that's really come in handy for me is using the API and the "load config partial" command. I was trying to use MT3 to convert policies in a PAN-OS config with multiple VSYSes to Panorama. I wanted to convert all services and addresses to shared, and could not get the shared objects to merge into my Panorama base configuration. Using load config partial saved the day, and I just completed moving the whole configuration using that tool.

L3 Networker

Re: How to convert DG rules to Shared rules

I tried to use "load config partial" from the CLI for this but had no luck. The command executed successfully, but the rules didn't end up in the new candidate config. Maybe my xpath values were wrong? If you have a minute, could you please post an example command with the xpaths included that would move rules from an imported config file to the shared rulebase of the current candidate configuration? It would be much appreciated.

Or, and this would be even more useful for me at least, could someone provide an explanation of how to derive the xpath for a given piece of configuration, particularly in a config that was just imported but not loaded? I had trouble figuring out where exactly my rules were, from an xpath perspective, in the config file that I imported.

Thanks all

L7 Applicator

Re: How to convert DG rules to Shared rules

Here is an example command I used during a migration from a local configuration to a shared group in Panorama.

Snapshot the local configuration and export the file Snapshot-import-2014-12-11.

Import the file into Panorama.

GROUP-NAME is your device group name for the shared rules.

load config partial from Snapshot-import-2014-12-11 from-xpath devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/security to-xpath /config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='GROUP-NAME']/pre-rulebase/security mode merge


Remember that the security policies are dependent on the existence of the address objects & groups, service objects and groups, custom applications and profiles that are used in the rules which all must exist in Panorama as well.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
L4 Transporter

Re: How to convert DG rules to Shared rules

In the case of rules I suppose it cannot work because rules cannot have the same name, while that is possible with objects. It's not an issue if you are moving rules: first you delete, then you do 'load config partial'.

If you use my script, it should take care of it (report an issue if not).
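The two practical problems raised in this thread are (a) finding the xpath of a rulebase inside an exported config file, and (b) moving rules from a device group to shared without colliding on rule names or referencing objects that only exist in the device group. The script below is an added example, not the script linked above nor anything from Palo Alto Networks. It works on a constructed, stripped-down Panorama XML file (a real export is much larger, so treat the sample as an assumption), lists the absolute xpath of every security rulebase it finds, then moves the post-rules of device group DG1 to the shared post-rulebase, skipping any rule whose name already exists in shared or whose source/destination/service members are not shared objects. Only address and service containers are checked; applications, profiles and zones are ignored for brevity.

```python
import xml.etree.ElementTree as ET

# Constructed sample (assumption): minimal Panorama config with one device group.
SAMPLE_CONFIG = """<config version="7.0.0">
  <shared>
    <address><entry name="web-srv"><ip-netmask>10.0.0.10/32</ip-netmask></entry></address>
    <post-rulebase><security><rules>
      <entry name="deny-all">
        <source><member>any</member></source><destination><member>any</member></destination>
        <service><member>any</member></service><action>deny</action>
      </entry>
    </rules></security></post-rulebase>
  </shared>
  <devices><entry name="localhost.localdomain"><device-group><entry name="DG1">
    <address><entry name="dg-host"><ip-netmask>10.0.0.20/32</ip-netmask></entry></address>
    <post-rulebase><security><rules>
      <entry name="allow-web">
        <source><member>any</member></source><destination><member>web-srv</member></destination>
        <service><member>service-https</member></service><action>allow</action>
      </entry>
      <entry name="allow-dg-host">
        <source><member>any</member></source><destination><member>dg-host</member></destination>
        <service><member>application-default</member></service><action>allow</action>
      </entry>
      <entry name="deny-all">
        <source><member>any</member></source><destination><member>any</member></destination>
        <service><member>any</member></service><action>deny</action>
      </entry>
    </rules></security></post-rulebase>
  </entry></device-group></entry></devices>
</config>"""

# Keywords and predefined services that are not user-defined objects.
BUILTIN_MEMBERS = {"any", "application-default", "service-http", "service-https"}
OBJECT_CONTAINERS = ("address", "address-group", "service", "service-group")


def load_config(xml_text):
    return ET.fromstring(xml_text)


def rulebase_xpaths(root):
    """Return the absolute xpath of every <security> rulebase in the config."""
    found = []

    def walk(elem, path):
        for child in elem:
            seg = child.tag
            if child.tag == "entry" and child.get("name"):
                seg = f"entry[@name='{child.get('name')}']"
            cur = f"{path}/{seg}"
            if child.tag == "security" and elem.tag.endswith("rulebase"):
                found.append(cur)
            walk(child, cur)

    walk(root, "/" + root.tag)
    return found


def shared_object_names(root):
    """Names of all address/service objects and groups defined under <shared>."""
    return {e.get("name") for tag in OBJECT_CONTAINERS
            for e in root.findall(f"./shared/{tag}/entry")}


def referenced_objects(rule):
    """User-defined objects a rule refers to in source, destination and service."""
    return {m.text for tag in ("source", "destination", "service")
            for m in rule.findall(f"./{tag}/member") if m.text not in BUILTIN_MEMBERS}


def _ensure(parent, *tags):
    for tag in tags:
        nxt = parent.find(tag)
        if nxt is None:
            nxt = ET.SubElement(parent, tag)
        parent = nxt
    return parent


def move_rules_to_shared(root, dg_name, rulebase="post-rulebase", names=None):
    """Move selected rules (all if names is None) from a device group to shared.

    A rule is skipped if shared already has a rule of that name, or if it
    references objects that do not exist in shared. Returns what happened.
    """
    dg_rules = root.find(f"./devices/entry/device-group/entry[@name='{dg_name}']"
                         f"/{rulebase}/security/rules")
    if dg_rules is None:
        raise ValueError(f"no {rulebase} security rules in device group {dg_name}")
    shared_rules = _ensure(root.find("shared"), rulebase, "security", "rules")
    existing = {e.get("name") for e in shared_rules.findall("entry")}
    shared_objs = shared_object_names(root)
    result = {"moved": [], "skipped": {}}
    for rule in list(dg_rules):  # copy: we mutate dg_rules while iterating
        name = rule.get("name")
        if names is not None and name not in names:
            continue
        if name in existing:
            result["skipped"][name] = "a shared rule with this name already exists"
            continue
        missing = referenced_objects(rule) - shared_objs
        if missing:
            result["skipped"][name] = "objects not in shared: " + ", ".join(sorted(missing))
            continue
        dg_rules.remove(rule)
        shared_rules.append(rule)
        existing.add(name)
        result["moved"].append(name)
    return result


if __name__ == "__main__":
    cfg = load_config(SAMPLE_CONFIG)
    print("\n".join(rulebase_xpaths(cfg)))
    print(move_rules_to_shared(cfg, "DG1"))
    ET.ElementTree(cfg).write("moved.xml")  # load this back with load config partial / import
```

Run against a real export, the xpath list is what you need for the from-xpath/to-xpath arguments, and the skipped list tells you which objects still have to be pushed to shared (or which DG rule has to be deleted or renamed) before the move will succeed; in the sample, allow-web moves, allow-dg-host is held back by the dg-host object, and deny-all collides with the existing shared rule.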
