Migration Tool Discussions (old)

Reply
L5 Sessionator
Posts: 587
Registered: ‎01-26-2011
Accepted Solution

Migration from CP R77.10: address names empty, address groups and objects in them correct

Hello.

 

I'm having a strange issue; I'm migrating from CP R77.10, mgmt and fw on seperate devices.

Every combination of rules and object files i try importing in MT I get similar results:

- policy is copied ok, 

- all names for address objects are empty, address groups names are fine, names of objects in address groups are also fine

- all names for service objects are empty, service groups names are fine, names of services in service groups are also fine 

 

Anyone had such an issue? I'm trying different combinations of rules and object files but without any success so far.

 

 

 

L7 Applicator
Posts: 913
Registered: ‎03-22-2011

Re: Migration from CP R77.10: address names empty, address groups and objects in them correct

Hi,

 

Can you send your objects_5_0.C to fwmigrate@paloaltonetworks.com? Then we can take a look to figure what's happening.

 

Thanks

L5 Sessionator
Posts: 587
Registered: ‎01-26-2011

Re: Migration from CP R77.10: address names empty, address groups and objects in them correct

ignore this, I managed to succesfully import the configuration

I could swear I tried this combination before already :)

L5 Sessionator
Posts: 587
Registered: ‎01-26-2011

Re: Migration from CP R77.10: address names empty, address groups and objects in them correct

Sorry, didn't see reply till now. It seems ok now, must have been wrong combination earlier. Thanx for reply!

L7 Applicator
Posts: 913
Registered: ‎03-22-2011

Re: Migration from CP R77.10: address names empty, address groups and objects in them correct

lol :-) Thanks for the update.

L5 Sessionator
Posts: 587
Registered: ‎01-26-2011

Re: Migration from CP R77.10: address names empty, address groups and objects in them correct

How do I merge CP iported config into Panorama Device group? I've imported CP config first and then uploaded Panorma base config. On Export page i have Panorama config as base configuration (output) and CP as Source configurations (inputs). But when I drage whole CP config into certain Device group only adresses, address-groups, services, service-groups and tags appear in output.

L5 Sessionator
Posts: 587
Registered: ‎01-26-2011

Re: Migration from CP R77.10: address names empty, address groups and objects in them correct

Ok, with a bit of testing I'd say this is how you should merge:

- drag objects and policies into device group

- drag zones into template->device->vsysX

- drag interfaces and VRs into template->Network

Is this correct?

 

 

L7 Applicator
Posts: 913
Registered: ‎03-22-2011

Re: Migration from CP R77.10: address names empty, address groups and objects in them correct

That's correct. Zones needs to be imported into one VSYS inside the template, objects and rules under the DG and the Interfaces, VR under the template as well

 

Regards

L5 Sessionator
Posts: 587
Registered: ‎01-26-2011

Re: Migration from CP R77.10: address names empty, address groups and objects in them correct

2 more questions, please.

- I created aggregated interface in MT for Panorama config. Do I need to create them on firewall first as well?

- I renamed security zones in MT. The changes were applied to FW policy, but not to NAT policy. How do I update zone name chnages to NAT policy as well?

 

Thanx in advance.

 

 

Highlighted
L7 Applicator
Posts: 913
Registered: ‎03-22-2011

Re: Migration from CP R77.10: address names empty, address groups and objects in them correct

The changes should applied to Nat Rules as well, Maybe the store has not been refreshed. You can do by pressing from the Nat Rules Grid the refresh button located in the bottom bar close to the selection to how many rules you want to see (by default 50) just click refresh and let me know please.

 

For the interfaces if you are using Templates you can do from the template, is not necesary to create the interfaces in your firewall! 

 

Regards

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!