Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Can't import policy from firewall to Panorama using panxapi

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Can't import policy from firewall to Panorama using panxapi

L3 Networker

I've already imported all objects successfully with panxapi (part of PAN-Perl), and have manually created all zones referenced in security policy. But for some reason I keep getting error code 12 when I try to import policy. I've tried the xpath syntax from the Panorama-Device-Migration guide and also variations on the xpath based off what I see when using the API browser. Any idea what's wrong?

This is the syntax from the conversion guide…

mint-alternate ~ # panxapi -h $pan -S ./temp_security.xml "/config/devices/entry/device-group/entry[@name='Primary_Burlington_PA5020']/pre-rulebase"

set: HASH(0x1dfa9b8) status="error" code="12"

Also tried variations on the xpath based off what I saw in the API browser….

panxapi -h $pan -S ./temp_security.xml "/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='Primary_Burlington_PA5020']/pre-rulebase/security"

set: HASH(0x33a5918) status="error" code="12"

mint-alternate ~ # panxapi -h $pan -S ./temp_security.xml "/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='Primary_Burlington_PA5020']/pre-rulebase"

set: HASH(0x2ac8a88) status="error" code="12"

temp_security.xml was produced with this command:

panxapi -h $fw -sxr "/config/devices/entry/vsys/entry/rulebase/security" > temp_security.xml

Thanks!

4 REPLIES 4

L3 Networker

the HASH() is because the response XML format is not recognized.

run panxapi with -x which will print the full XML response and see if

it shows clues.

panxapi -x -h $pan -S ./temp_security.xml "/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='Primary_Burlington_PA5020']/pre-rulebase"

Ok I'll try that, thanks. So is the problem more likely with the input file I'm using, or with the xpath I'm using in the command? I ask because of the description of error code 12 in the XML API guide....

12  Invalid object  Xpath or element values provided are not complete.

your show and set command (the one I quoted) look correct, so I think it may be something else.  need to see the error message in the XML response.

L1 Bithead

First thing to consider is that you need to be careful if trying to import the entire config as there's has to be a concept of pre and post policies in your migration XML.  Second, is more of a troubleshooting helper - enable debug (-D) in your commands to help drill down into where you're going wrong.  My initial guess would be that it's complaining about your import breaking existing validity or something along those lines...

Good luck!

Dave

  • 3786 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!