I have a Panorama configuration that I imported into the MT3, which contains a single Device Group with all device group post-rules. Is it possible to selectively convert/move some of those rules to Shared post-rules? I see the ability to convert objects to Shared objects, but I don't see how this can be done with policies/rules.
If you are 100% sure that the objects used by your rules are shared (or use MT3 to move them to shared), then you can use third-party scripts like mine (yes, it's an advertisement :smileywink:): https://live.paloaltonetworks.com/docs/DOC-9345
Action 'actions=copy:shared', and you might want to use 'filters' to select the rules you are interested in, or just copy them all and then delete the ones you don't need.
You can also edit the XML config file and move what you need; it's a trick admins use, and it takes a few minutes.
One tool that's really come in handy for me is using the API and the "load config partial" command. I was trying to use MT3 to convert policies in a PAN-OS config with multiple VSYSs to Panorama. I wanted to convert all services and addresses to shared, and could not get the shared objects to merge into my Panorama base configuration. Using load config partial saved the day, and I just completed moving the whole configuration using that tool.
I tried to use "load config partial" from the CLI for this but had no luck. The command executed successfully, but the rules didn't end up in the new candidate config. Maybe my xpath values were wrong? If you have a minute, could you please post an example command with the xpaths included that would move rules from an imported config file to the shared rule base of the current candidate configuration? It would be much appreciated.
Or, and this would be even more useful for me at least, if someone could provide an explanation of how to derive the xpath for a given piece of configuration, particularly in a config that was just imported but not loaded. I had trouble figuring out where exactly my rules were, from an xpath perspective, in the config file that I imported.
Here is an example command I used during a migration from a local configuration to a shared group in Panorama.
Snapshot the local configuration and export it as the file Snapshot-import-2014-12-11.
Import the file into Panorama.
GROUP-NAME is your device group name for the shared rules.
load config partial from Snapshot-import-2014-12-11 from-xpath devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/security to-xpath /config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='GROUP-NAME']/pre-rulebase/security mode merge
Remember that the security policies are dependent on the existence of the address objects & groups, service objects and groups, custom applications and profiles that are used in the rules which all must exist in Panorama as well.
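The two questions above (how to find the xpath of rules inside an imported file, and what a load config partial command for them looks like) can be answered mechanically from the XML itself. The following is an added example, not code from this thread or from the script linked earlier: it parses a constructed PAN-OS-style export, derives the absolute xpath of every security rule by walking the element's ancestors, and formats one load config partial line per selected rule in the shape of the command shown above. The sample XML, the helper names, and the shared destination under /config/shared/<pre|post>-rulebase are assumptions; whether the CLI accepts an entry-level xpath on both sides of the command is not something this thread confirms, so test on a lab candidate config first.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a PAN-OS export (not a real customer file). The element
# layout follows the from-xpath shown in the post above.
SAMPLE_CONFIG = """<config version="6.1.0">
  <devices>
    <entry name="localhost.localdomain">
      <vsys>
        <entry name="vsys1">
          <rulebase><security><rules>
            <entry name="allow-web"><from><member>trust</member></from><action>allow</action></entry>
            <entry name="deny-all"><from><member>any</member></from><action>deny</action></entry>
          </rules></security></rulebase>
        </entry>
        <entry name="vsys2">
          <rulebase><security><rules>
            <entry name="allow-dns"><action>allow</action></entry>
          </rules></security></rulebase>
        </entry>
      </vsys>
    </entry>
  </devices>
</config>
"""

PANORAMA_DEVICE = "/config/devices/entry[@name='localhost.localdomain']"


def _step(elem):
    """One xpath step: <entry> nodes are keyed by their name attribute, others by tag."""
    if elem.tag == "entry" and elem.get("name") is not None:
        return "entry[@name='%s']" % elem.get("name")
    return elem.tag


def rule_xpaths(xml_text, rulebase="security"):
    """Return [(rule name, absolute xpath)] for every rule of the given rulebase type.

    A parent map is built once so each rule's path is assembled from its real
    ancestors in the file, which is what the CLI's from-xpath must match.
    Rules with the same name in different vsys are kept as separate entries."""
    root = ET.fromstring(xml_text)
    parents = {child: parent for parent in root.iter() for child in parent}
    found = []
    for rule in root.iter("entry"):
        parent = parents.get(rule)
        grand = parents.get(parent) if parent is not None else None
        # A rule is an <entry> under <rules> under <security> (or the chosen rulebase).
        if parent is None or parent.tag != "rules" or grand is None or grand.tag != rulebase:
            continue
        steps, node = [], rule
        while node is not None:  # climb to <config>, collecting one step per level
            steps.append(_step(node))
            node = parents.get(node)
        found.append((rule.get("name"), "/" + "/".join(reversed(steps))))
    return found


def load_partial_command(snapshot, from_xpath, to_xpath, mode="merge"):
    """Format a 'load config partial' line as in the post above (string only; no device I/O)."""
    return "load config partial from %s from-xpath %s to-xpath %s mode %s" % (
        snapshot, from_xpath, to_xpath, mode)


def rule_move_commands(xml_text, snapshot, device_group=None, rulebase="security",
                       names=None, post=True):
    """One command per selected rule, moving it from the imported vsys rulebase into a
    Panorama device group (device_group given) or, assumed here, the shared rulebase
    under /config/shared (device_group=None). Post-rules by default; pre-rules if post=False."""
    dest_base = "post-rulebase" if post else "pre-rulebase"
    if device_group is None:
        container = "/config/shared"
    else:
        container = "%s/device-group/entry[@name='%s']" % (PANORAMA_DEVICE, device_group)
    cmds = []
    for name, src in rule_xpaths(xml_text, rulebase):
        if names is not None and name not in names:
            continue  # 'names' acts as the filter for the rules you want to move
        dst = "%s/%s/%s/rules/entry[@name='%s']" % (container, dest_base, rulebase, name)
        cmds.append(load_partial_command(snapshot, src, dst))
    return cmds


if __name__ == "__main__":
    for name, xp in rule_xpaths(SAMPLE_CONFIG):
        print(name, "->", xp)
    for cmd in rule_move_commands(SAMPLE_CONFIG, "Snapshot-import-2014-12-11",
                                  device_group="GROUP-NAME", names={"deny-all"}):
        print(cmd)
```

Run it against the real export (replace SAMPLE_CONFIG with the file contents) to list where each rule actually lives before typing any xpath by hand; a command that "succeeds" but moves nothing is the usual sign that the from-xpath does not match the file.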
In the case of rules, I suppose it cannot work because rules cannot have the same name, while it's possible with objects. It's not an issue if you are moving rules: first you delete, then you do 'load config partial'.
If you use my script, it should take care of it (report an issue if not).