Migration Tool and Panorama Device Group and Template

L0 Member

Hello,

I have a customer who is migrating a whole bunch of ASAs to PANOS. I am testing the MTv3.3.5 with Panorama. The goal is to convert the ASA configs and import them into Panorama as DG and Templates. These do NOT have PANOS devices assigned to them yet. We want to build the configs in Panorama and, as the PAN devices come online, we simply push the DG and Template to the non-configured firewall.

1. I converted the ASA config to PANOS.

2. I created a blank DG and Template in Panorama.

3. I brought the entire Panorama config into MT via API.

4. I merged the converted ASA config into the blank DG and blank Template inside the MT.

5. Using a sub-atomic API call, I was able to publish the DG configuration back into Panorama for the converted ASA. The policy and object populated without any issue.

6. Here is the problem. Even though I pushed the template configuration from the MT to the blank Template on Panorama, it does not populate. None of the Interface, VR or Zones are populating. Do I need an actual device assigned to the template before this works? Anyone run into this before?

 

 

gfalkowski@paloaltonetworks.com
L7 Applicator

Re: Migration Tool and Panorama Device Group and Template

Was the template created from the MT? If yes, have you created a new vsys1 inside the Template? That is where you have to place the Zones, for instance... But I will check...

L0 Member

Re: Migration Tool and Panorama Device Group and Template

The template was created in Panorama (as was the DG). The template was blank and did not have a VSYS or Device associated with it in Panorama. When I brought the Panorama config into MT, I then merged the config, where a VSYS does exist. Actually, I just noticed an error in the API Output manager.

<response status="error" code="12"><msg><line><line><![CDATA[ test_template -> config -> devices -> localhost.localdomain -> vsys -> vsys1 -> zone -> Outside -> network -> layer3 'ethernet1/1.24' is not a valid reference]]></line><line><![CDATA[ test_template -> config -> devices -> localhost.localdomain -> vsys -> vsys1 -> zone -> Outside -> network -> layer3 is invalid]]></line></line></msg></response>

Not sure what this means. I have other sub-interfaces on ethernet 1/2 that worked fine.

gfalkowski@paloaltonetworks.com
L7 Applicator

Re: Migration Tool and Panorama Device Group and Template

Hi,

Maybe you have the interface 1/1.46, but has the interface 1/1 been created? You can create one from the tool as well. Maybe the parent interface is missing? Can you check that, please?
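The API error in this thread reports a zone member that does not resolve to an interface defined in the same template. A pre-push check for that condition follows as an added example; it is not part of the thread or of the Migration Tool. It assumes the template's inner config follows the path shown in the error (devices, vsys, zone, network, layer3), with interfaces under network/interface/ethernet and sub-interfaces under layer3/units; the XML sample and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed, trimmed template fragment (not from the thread): ethernet1/2 and
# its sub-interface exist, but nothing defines ethernet1/1 or ethernet1/1.24.
SAMPLE = """
<config><devices><entry name="localhost.localdomain">
  <network><interface><ethernet>
    <entry name="ethernet1/2"><layer3><units>
      <entry name="ethernet1/2.10"><tag>10</tag></entry>
    </units></layer3></entry>
  </ethernet></interface></network>
  <vsys><entry name="vsys1"><zone>
    <entry name="Outside"><network><layer3>
      <member>ethernet1/1.24</member>
    </layer3></network></entry>
    <entry name="Inside"><network><layer3>
      <member>ethernet1/2.10</member>
    </layer3></network></entry>
  </zone></entry></vsys>
</entry></devices></config>
"""

def defined_interfaces(root):
    """Names of every ethernet interface and layer3 sub-interface (unit)."""
    names = set()
    for eth in root.findall(".//network/interface/ethernet/entry"):
        names.add(eth.get("name"))
        names.update(u.get("name") for u in eth.findall("./layer3/units/entry"))
    return names

def dangling_zone_members(xml_text):
    """Return (vsys, zone, member, reason) for each zone member that would not resolve."""
    root = ET.fromstring(xml_text)
    known = defined_interfaces(root)
    problems = []
    for vsys in root.findall(".//vsys/entry"):
        for zone in vsys.findall("./zone/entry"):
            for m in zone.findall("./network/layer3/member"):
                name = (m.text or "").strip()
                if name in known:
                    continue
                # A sub-interface name is "<parent>.<tag>"; check the parent separately.
                parent = name.split(".", 1)[0]
                reason = "sub-interface undefined" if parent in known else "parent interface missing"
                problems.append((vsys.get("name"), zone.get("name"), name, reason))
    return problems

if __name__ == "__main__":
    for p in dangling_zone_members(SAMPLE):
        print(" -> ".join(p))
```

Running it against an exported template before the API push lists each zone reference that would fail, and whether the parent interface or only the sub-interface is absent.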
