
ASA to Panorama DG/Template - Merge shows things for most DGs/Templates


Hi

 

I'm attempting my first migration of an ASA to one of my Panorama-managed clusters (1 A/P cluster in a DG/Template) and am following the recent YouTube tutorial for doing so. When I get to the merge step, the API results include a lot of items for my other DGs/Templates. I've tried Atomic & Subatomic and it pretty much looks the same (I didn't do a line-for-line comparison, but eyeballing the 2, they look identical).

 

Is this something of concern?  Are there certain things to be on the lookout for?


If you have objects that are in shared, for example address objects or service objects that are in shared besides the pre-defined ones, you will need to push those shared address/service objects before you push the device-group-level objects. If you don't have anything in shared, you don't need to push the shared objects. When you go to Objects, you can see whether an object is in shared or not: if it's in shared, it will show the vsys name as "shared" instead of vsys1 or your device group name. Hope this is clear.

Understood, but if I have shared objects, how do I find those to send those API calls first?

 

(I did some edits and then removed them because I wasn't looking in the right place)

1. If you are asking how to move the address objects from vsys1 to shared, you can right-click on the object and select "Convert to Shared" as shown in the screenshot:

 

lychiang_0-1594941537745.png

 

2. To push those shared objects in API calls, you can go to the "Address" section and search for "shared"; you will see the API calls for pushing shared address objects listed as below.

 

Screen Shot 2020-07-16 at 4.14.50 PM.png

So far things you've pointed out have helped immensely.  After a number of iterations I'm getting a better handle on how this all works.

 

I still have at least one more iteration as I've been getting a lot of send API command errors.  It would be nice if the sends would just continue on and report any errors found rather than just stopping at the first one.

I spoke too soon - I just tried to commit to Panorama to save my work until morning and I'm getting 30 validation errors. I think I might know why it's happening though. It looks like all of them are objects that disappeared. I bet I didn't update Panorama correctly in Expedition after recent changes. I'll have to re-watch that video and test it out.

Check if the object is there in Panorama; if not, check to see if it's in Expedition. If it is, re-push the address objects via API calls.
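Added example, not part of any post in this thread and not Expedition's own code: a small offline check over an exported Panorama XML that shows, for one device group, which static address-group members are defined in the device group, which resolve only in shared (so the shared objects must be pushed first), and which are defined nowhere. The sample config and all object names are constructed, and the check assumes a flat device group (no parent device groups) and looks only at address objects and address groups.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a Panorama export; names are made up for illustration.
SAMPLE = """<config>
  <shared>
    <address>
      <entry name="dns-1"><ip-netmask>10.0.0.53/32</ip-netmask></entry>
    </address>
  </shared>
  <devices><entry name="localhost.localdomain">
    <device-group><entry name="DG-ASA">
      <address>
        <entry name="web-1"><ip-netmask>10.1.1.10/32</ip-netmask></entry>
      </address>
      <address-group>
        <entry name="grp-servers"><static>
          <member>web-1</member><member>dns-1</member><member>db-1</member>
        </static></entry>
      </address-group>
    </entry></device-group>
  </entry></devices>
</config>"""

def names(node, path):
    """Return the entry names found under a relative path (empty set if none)."""
    return {e.get("name") for e in node.findall(path + "/entry")}

def classify_members(xml_text, dg_name):
    """Map each static address-group member of a device group to where it is defined."""
    root = ET.fromstring(xml_text)
    shared = root.find("shared")
    dg = root.find(f"devices/entry/device-group/entry[@name='{dg_name}']")
    if dg is None:
        raise ValueError(f"device group {dg_name!r} not found")
    shared_objs = set() if shared is None else (
        names(shared, "address") | names(shared, "address-group"))
    local_objs = names(dg, "address") | names(dg, "address-group")
    result = {}
    for member in dg.iterfind("address-group/entry/static/member"):
        name = (member.text or "").strip()
        if name in local_objs:
            result[name] = "device-group"
        elif name in shared_objs:
            result[name] = "shared"    # shared object: push it before the DG objects
        else:
            result[name] = "missing"   # not defined in this DG or in shared
    return result

if __name__ == "__main__":
    for obj, where in sorted(classify_members(SAMPLE, "DG-ASA").items()):
        print(f"{obj:10} {where}")
```

Anything reported as "missing" is a reference that neither the device group nor shared defines in the file being checked.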

Sorry, what I meant is that since I first started this Project iteration, Panorama has been updated.  Apparently, I missed a step in updating Expedition for the changes.  I did the Devices | Contents | Retrieve Contents but I seem to recall that I might need to do something else in the Project itself like re-import Panorama.

Re-import Panorama in the Project 🙂

Oh, I take that back somewhat - that created a new XML choice in the lower-right corner. Is there any way to get rid of the old one?

When I go to the Export page, only the old XML file is present. I don't see a way to switch it to the newer one.

The old configs will always be there unless you create a new project. You could unset the base config and set the new one to be the base config on the right side, but whatever you worked on in the old config won't show up in the new base config.

Please see the attached screenshot. Go to the base config panel on the right side and expand the base config; you will see the current base config you are using. Click on "Unset base config" at the bottom, and the config will then move back to the left side. You should now see at least two Panorama configs on the left side, one of which is the newer one you want to set as base config. Select that newer version of the config and click the blue button "Set base config"; you should now see the base config changed to the latest version. But whatever you worked on before against the old base config will be gone.

 

Screen Shot 2020-07-17 at 10.12.16 AM.png

Never mind - I figured that out.

 

Highlight PAN Base Config on right, click RED Unset Base Config button.  This moves it to the left side.

Check box for newer PAN XML on left, click BLUE Set Base Config button.

Check box for older PAN XML on left, click TRASHCAN icon to get rid of it.

Oops, should have refreshed before replying.

 

Makes sense, although I already did it. Object-wise, there isn't much to worry about in our Panorama configuration - just a duplicate address group.

 

So if I did need to keep an edited XML, would I first merge the newer XML and then merge the ASA config?

A duplicate address group can be fixed in Expedition: go to Dashboard -> address group -> duplicated and click on the red number. It will take you to the address group object panel, where you can select the pair of duplicated address groups, right-click, and select merge to merge them.

 

It is not a good idea to merge two PAN-OS configs that are mostly duplicated. I would suggest you create a new project, import your edited XML file into the project and add your Panorama device to the project, but don't import the Panorama production config into the project. Click on generate API request. For example, if you want to merge the address objects and address group objects from the edited XML into your production Panorama, you can select only "address" objects and change the API call function to "Set" as shown in the screenshot. When you change it from Edit to Set, you will need to remove the first <address> and last </address> in the element field, then click on send API calls to your production Panorama. Please save a snapshot on your production Panorama before you proceed with any API calls from Expedition.

 

Screen Shot 2020-07-17 at 10.36.00 AM.png

If all of that is too complicated, you could also log in to the Panorama CLI and merge the objects using the load config partial command, as shown in option 3 of the link below: https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/manage-firewalls/transition-a-firewall...

 

Make sure you use mode "merge". For example, if you are merging the address objects, your command will look like below:

load config partial mode merge from-xpath devices/entry[@name='localhost.localdomain']/vsys/entry[@name='yourDGname']/address to-xpath /config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='yourDGname']/address from Youredit.xml

 

You will need to import your edited XML into Panorama first, then issue the above command; it will then merge the specific device group's address objects from your edited XML into the corresponding device group on the production Panorama. If it's shared address objects, you will change the xpath to /config/shared/address

 

Hope this helps!

So, is there a way to update a Panorama (or firewall) XML or does one have to start a new project?
