ASA to Panoarama DG/Template - Merge shows things for most DGs/Templates

Understood but if I have shared objects, how do i find those to send those API calls first?

(I did some edits and then removed them because I wasn't looking in the right place)

1. If you are asking how to move the address objects from vsys1 to shared, you can right click on the object and select "Convert to Shared" as shown in screenshot:

2. How to push those shared objects in API calls, you can go to "Address" section and search "shared", you will see API calls for pushing shared address objects list as below.  

So far things you've pointed out have helped immensely.  After a number of iterations I'm getting a better handle on how this all works.

I still have at least one more iteration as I've been getting a lot of send API command errors.  It would be nice if the sends would just continue on and report any errors found rather than just stopping at the first one.

I spoke too soon - I just tried to commit to Panorama to save my work until morning and I'm gettting 30 validation errors.  I think I might know why it's happening though.  It looks like all of them are objects that disappeared.  I bet I didn't update Panorama correctly in Expedition after recent changes.  I'll have to re-watch that video and test it out.

Check if the object is there in panorama , if not , check to see if it’s in expedition. If it is , re-pushed the address objects again via API calls. 

Sorry, what I meant is that since I first started this Project iteration, Panorama has been updated.  Apparently, I missed a step in updating Expedition for the changes.  I did the Devices | Contents | Retrieve Contents but I seem to recall that I might need to do something else in the Project itself like re-import Panorama.

Re-import Panorama in the Project 🙂

Oh, I take that back somewhat - that created a new XML choice in the lower-right corner.  Is there anyway to get rid of the old one?

When i go to the Export page, only the old XML file is present.  I don't see a way to switch it to the newer one.

The old configs will always there unless you create a new project. You could unset the base config and set the new one to be base config on the right side but whatever you worked on in the old config won’t show up in the new base config . 

. Please see attached screenshot, go to right side base config panel , expand the base config , you will see the current base config you are using , and click on "Unset base config " on the bottom , the config will then move back to left side .  you should now see at least two panorama configs on the left side , one is the newer one you want to set as base config , then select that newer version of config and click the blue button "Set base config" , now you should see the base config changed to the latest version. But whatever you worked on before against the old base config will be gone.  

Never mind - I figured that out.

Highlight PAN Base Config on right, click RED Unset Base Config button.  This moves it to the left side.

Check box for newer PAN XML on left, click BLUE Set Base Config button.

Check box for older PAN XML on left, click TRASHCAN icon to get rid of it.

Oops, should have refreshed before replying.

makes sense although i already did it.  Object-wise, there isn't much to worry about in our Panorama configuration - just a duplicate address group.

So if I did need to keep an edited XML, would I first merge the newer XML and then merge the ASA config?

Duplicate address group can be fixed in Expedition, you can go to Dashboard -> address group-> duplicated , click on the red number , it will take you to the address group object panel , you can then select the pair of duplicated address group right click , select merge to merge them. 

It is not good idea to merge two PAN-OS configs that's mostly are duplicated, I would suggest you create a new project , import your edited xml file into the project and add your panorama device to the project but don't import the panorama production config in the project.  Click on generate API request , for example , if you want to merge the address objects and address group objects from the edited XML to your production Panorama , you can select only "address" objects and changed the API call function to "Set" as shown in screenshot , when you changed it from Edit to set , you will need to remove the first <address> and last  </address> in the element filed , then click on send API calls to your production panorama.  Please save a snapshot on your production panorama before you proceed any API calls from Expedition.

If all those are too complicated , you could also login to  Panorama CLI , merge the objects using Load config partial command as shown in option 3 of the below link: https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/manage-firewalls/transition-a-firewall...

Make sure you do a  mode "merge".   for example if you are merging the address objects , your command will look like below:

You will need to import your edit xml into Panorama first then issue above command , it will then merge specific Device group address object from your edit xml to the corresponding device group on production panorama.   If it's shared address objects , you will change the xpath to /config/shared/address

Hope this helps!

So, is there a way to update a Panorama (or firewall) XML or does one have to start a new project?