Expedition Articles
Featured Article
Sometimes we need to reduce the number of objects to be migrated, or simply want to optimize a configuration, and there is one technique that can help us reduce objects.

In this case we search the configuration for any Address-Group with just one member. If one exists, we replace the Address-Group with its member everywhere it is used. It may be used as part of another Address-Group, or as source or destination in any policy.

Procedure:

1. Search for Address-Groups with one member: go to Objects, point your mouse at the Address-Group panel, right-click on one Address-Group, select Predefined Filter and choose (Predefined) Groups with one Member.
2. Select the TOOLS tab. From the right panel select SEARCH & REPLACE. Expedition will show you where those Address-Groups were used. Select the Address-Groups and policies where they were used and click Add to Replace.
3. Click the REPLACE tab. For all the selected objects, set the Replace by option to Members and click the Replace All button at the bottom right of the page.
4. After the action completes, go back to OBJECTS and check whether those Address-Groups are now shown as unused. If they are, you can safely remove them.
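The same replace-by-member logic as an added Python example; this is not Expedition's code. It assumes a simplified in-memory model (dictionaries of group members and of rule source/destination lists) with constructed names, and it goes one step beyond the procedure by following chains of single-member groups and leaving circular references untouched.

```python
# Constructed sample data (not taken from a real configuration).
SAMPLE_GROUPS = {
    "G-WEB": ["H-10.0.0.5"],                    # one member
    "G-ALIAS": ["G-WEB"],                       # one member, itself a one-member group
    "G-DMZ": ["G-WEB", "N-10.1.0.0-24"],
    "G-APP": ["H-10.0.0.8", "H-10.0.0.9"],
}
SAMPLE_RULES = {
    "allow-web": {"source": ["G-APP"], "destination": ["G-WEB"]},
    "allow-alias": {"source": ["any"], "destination": ["G-ALIAS", "H-10.0.0.5"]},
}

def single_member_groups(groups):
    """Equivalent of the 'Groups with one Member' filter: group -> its only member."""
    return {g: m[0] for g, m in groups.items() if len(m) == 1}

def resolve(name, singles):
    """Follow single-member groups down to the final member; stop on a cycle."""
    seen = set()
    while name in singles and name not in seen:
        seen.add(name)
        name = singles[name]
    return name

def replace_by_member(groups, rules):
    """Replace every use of a single-member group by its member.

    Returns (new_groups, new_rules, unused), where 'unused' lists the
    single-member groups that nothing references any more.
    """
    singles = single_member_groups(groups)

    def swap(names):
        out = []
        for n in names:
            r = resolve(n, singles)
            if r not in out:          # the member may already be listed directly
                out.append(r)
        return out

    new_groups = {g: swap(m) for g, m in groups.items()}
    new_rules = {r: {f: swap(v) for f, v in flds.items()} for r, flds in rules.items()}
    # Re-check usage after the replacement, as the last step of the procedure does.
    referenced = {n for m in new_groups.values() for n in m}
    referenced |= {n for flds in new_rules.values() for v in flds.values() for n in v}
    unused = sorted(g for g in singles if g not in referenced)
    return new_groups, new_rules, unused

if __name__ == "__main__":
    print(replace_by_member(SAMPLE_GROUPS, SAMPLE_RULES)[2])
```

Only groups reported in `unused` are candidates for removal; a group that is still referenced after the replacement (for example, two groups that point at each other) stays out of that list.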
Sometimes we need to reduce the number of objects to be migrated, or simply want to optimize a configuration, and there is one technique that can help us reduce objects.

When Expedition has been used to migrate a configuration from CISCO or FORTINET, it is common to end up with address objects named H-X.X.X.X or N-X.X.X.X-XX, or whose name is just an IP address. They were created as Address Objects and count as objects. Expedition has a function that converts them to IP addresses, so that they are used only in rules, as IP addresses or IP ranges hard-coded as source or destination. They are then no longer used as Address Objects.

This has pros and cons, but if our goal is to reduce the number of Address Objects, it can help.

1. Go to OBJECTS -> ADDRESS, right-click on one address and select the Predefined Filter called "Name is IP address". This searches for the addresses whose name is an IP address.
2. More filters can be added to this process. Select the Filters Options and add, for example, all the addresses whose name starts with H-, the objects that start with N- and the objects that start with RANGE-, keeping the focus on Address only.
3. After Run SQL, select the addresses you want to transform to IP addresses, right-click on one of the selected addresses and select "Transform" -> "Object To IpAddress". All those objects are automatically renamed with the IP or range address (netmasks are added as well when they are not /32) and are marked internally as "dummy" objects. Those objects are not considered when generating the XML or API calls.

Before transforming them to IP addresses, you can check whether they are part of any group by going to TOOLS and SEARCH & REPLACE.