ASA to Panoarama DG/Template - Merge shows things for most DGs/Templates

Sorry for the delay - when I went back to my project it was all messed up - the ASA configuration was completely missing.

I've started over and have been working on it as I have time.  Hopefully I'll get back to the merge step today.

Okay, I've finally been able to get back to this.  I'm watching the 9 of 9 tutuorial video and I see something I missed before.  I didn't notice that while the Panorama Base Configuration appears on the Export right-pane it includes all DGs/Templates.

How do I limit it to just one DG/Template (we have each firewall or firewall cluster in its own DG/Template)?

You can drag the zone,  object and policy to the corresponding device group on the right , drag the interface  to the corresponding template on the right , then go to API export , click "generate API Request" and only push the config for the specific device group , for example , I can search my device group name -DataCenter , and it will shows all API calls related to that device group as attached screenshot. then you can click on each of them to send API calls to the Panorama. 

Oh, that's not what the video said to do - it said to drag everything under vsys1 to the device | vsys1 on the right.  Now there is nothing on the left pane for the ASA.

Is there any way to undo this and try again or do I have to start over again?

If I have to start over again, is there any way to make a copy of the project so I don't have to keep re-doing the whole thing?

The video is for firewall to firewall migration, if you have panorama configuration as base config , you have option to drag and drop the objects to the corresponding device group and template , if you have not yet click on "merge", you can click on "reset" button, if merge is your last action, you can go to right upper corner and click on" Undo last change" Other than those conditions,  there is no undo function after you merged the config.  If you need to restart a new project, when you start a new project , before you ready to drag and drop the objects from source to base config , you can click on the right upper corner "Save snapshot" , then if something goes wrong, you can then load the saved snapshot back. 

Understood on the video being made for fw-to-fw - I just guessed wrong 😕

Unfortunately, I was fiddling around with the Merge option some more as the post-merge created duplicates so i messed up the last config change and can't undo.

Hopefully, 3rd time's a charm (or is it 4th - I've lost count, lol) 🙂

Luckily, I had a fairly recent snapshot that I had forgotten I had taken 🙂

So, I'm confused on what I'm supposed to do.  Here is what my setup looks like:

So, where do I put each element in the Source pane on the left in the Base Configuration pane on the right?

I tried ASA | Network to Panorama | Template | Firewall (CORE-FW) | Network.

And then I tried ASA | vsys1 | Objects to Panorama | DG | shared, ASA | vsys1 | Policies to Panorama | DG | Firewall (CORE-FW), and finally ASA | vsys1 | Zones to Panorama | Templates | CORE-FW | Nework.

I then hit Merge and go to the API Output Manager and there is no way to select individual DGs:

Do I just check the boxes of the items that are specific to the DG/Template I want to use?

Hello @justamoment 

After you merge the config , when you go to "API output manager", click on "Generate API request" the blue button first, and you should see multiple API calls shown in the screen,   Then Try put "Core-FW1" in the search box as attached in the screenshot and you will see all API calls related to Core-FW1 device group and template , you will always needs to push the shared first , the ID column shows the order of your API calls, please follow the order to push individual API calls. 

Am I dragging & dropping the ASA source elements correctly onto the Base Config elements?

Yes, I believe what you described earlier are correct.  Shared objects goes to shared , policy for specific device group go to specific device group. network configuration go to template assume you are using panorama template for the network configuration. 

Okay, so did that, merged, generated API calls (Atomic), searched on CORE-FW1, checked all of the boxes, and sent API requests.

Only a Device Group hiearchy | readonly was processed and it didn't do anything.

I unchecked that one and re-ran and then it sent all of them and I see entries in the config log but when I look at the various GUI pages for that cluster there were no changes made.

Looking through a sub-atomic generate API calls, it looks like the merge didn't do anything.  I only see things that were already present on CORE-FW1 and none of the ASA configurations.

I am not sure why after you merged the config , you still not seeing the merged configs, please make sure the left side ASA config are already empty and you see all the configs are showing up on the right side in the PAN-OS config, then click merge, click regenerate API request , or you can export the config as xml format and verify the config is merged in the xml .  If you need further assistant , please write email to fwmigrate@paloaltonetworks.com

Ugh, I figured out what was going on with the merge - check the boxes! I wasn't noticing that when I did the drag and drop of each item it wasn't also checking the box while I did it. <sigh>

Okay, so now I have what looks like a valid generate API requests output.

You mentioned earlier to send the shared items first.  How do I do that?  I searched on shared and received 185 pages at 50 entries per page.

After this question, if I have further issues I'll switch to email.