ASA to Panorama DG/Template - Merge shows things for most DGs/Templates


L3 Networker

Hi

 

I'm attempting my first migration of an ASA to one of my Panorama-managed clusters (1 A/P cluster in a DG/Template) and am following the recent YouTube tutorial for doing so.  When I get to the merge step, the API results include a lot of items for my other DGs/Templates.  I've tried Atomic & Subatomic and it pretty much looks the same (I didn't do a line-for-line comparison, but eyeballing the 2, they look identical).

 

Is this something of concern?  Are there certain things to be on the lookout for?

38 REPLIES

Check if the object is there in Panorama; if not, check to see if it’s in Expedition. If it is, re-push the address objects again via API calls.

Sorry, what I meant is that since I first started this Project iteration, Panorama has been updated.  Apparently, I missed a step in updating Expedition for the changes.  I did the Devices | Contents | Retrieve Contents but I seem to recall that I might need to do something else in the Project itself like re-import Panorama.

Re-import Panorama in the Project :)

Oh, I take that back somewhat - that created a new XML choice in the lower-right corner.  Is there any way to get rid of the old one?

When I go to the Export page, only the old XML file is present.  I don't see a way to switch it to the newer one.

The old configs will always be there unless you create a new project. You could unset the base config and set the new one to be the base config on the right side, but whatever you worked on in the old config won’t show up in the new base config.

Please see the attached screenshot. Go to the base config panel on the right side and expand the base config; you will see the current base config you are using. Click on "Unset base config" at the bottom, and the config will then move back to the left side. You should now see at least two Panorama configs on the left side, one of which is the newer one you want to set as the base config. Select that newer version of the config and click the blue button "Set base config"; you should now see the base config changed to the latest version. But whatever you worked on before against the old base config will be gone.

 

Screen Shot 2020-07-17 at 10.12.16 AM.png

Never mind - I figured that out.

 

Highlight PAN Base Config on right, click RED Unset Base Config button.  This moves it to the left side.

Check box for newer PAN XML on left, click BLUE Set Base Config button.

Check box for older PAN XML on left, click TRASHCAN icon to get rid of it.

Oops, should have refreshed before replying.

 

Makes sense, although I already did it.  Object-wise, there isn't much to worry about in our Panorama configuration - just a duplicate address group.

 

So if I did need to keep an edited XML, would I first merge the newer XML and then merge the ASA config?

A duplicate address group can be fixed in Expedition. Go to Dashboard -> address group -> duplicated and click on the red number; it will take you to the address group object panel. You can then select the pair of duplicated address groups, right-click, and select merge to merge them.

 

It is not a good idea to merge two PAN-OS configs that are mostly duplicated. I would suggest you create a new project, import your edited XML file into the project, and add your Panorama device to the project, but don't import the Panorama production config in the project.  Click on generate API request. For example, if you want to merge the address objects and address group objects from the edited XML to your production Panorama, you can select only "address" objects and change the API call function to "Set" as shown in the screenshot. When you change it from Edit to Set, you will need to remove the first <address> and last </address> in the element field, then click on send API calls to your production Panorama.  Please save a snapshot on your production Panorama before you proceed with any API calls from Expedition.

 

Screen Shot 2020-07-17 at 10.36.00 AM.png

If all of those are too complicated, you could also log in to the Panorama CLI and merge the objects using the load config partial command, as shown in option 3 of the link below: https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/manage-firewalls/transition-a-firewall...

 

Make sure you use mode "merge". For example, if you are merging the address objects, your command will look like the one below:

 

 

load config partial mode merge from-xpath devices/entry[@name='localhost.localdomain']/vsys/entry[@name='yourDGname']/address to-xpath /config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='yourDGname']/address from  Youredit.xml 

 

You will need to import your edited XML into Panorama first and then issue the above command; it will then merge the specific device group's address objects from your edited XML into the corresponding device group on production Panorama.   If they are shared address objects, you will change the xpath to /config/shared/address

 

Hope this helps!
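
As an added example (not part of any reply in this thread, and not Expedition or Palo Alto Networks code): a Python sketch of the Edit versus Set element difference described above, with a pre-merge check for address objects that exist on both sides with different definitions. The sample XML is constructed, the function names are hypothetical, and the device group name is the reply's placeholder.

```python
import xml.etree.ElementTree as ET

# Constructed sample standing in for the edited XML (not from the thread).
EDITED_XML = """<config><devices><entry name="localhost.localdomain"><device-group>
<entry name="yourDGname"><address>
  <entry name="web-01"><ip-netmask>10.1.1.10/32</ip-netmask></entry>
  <entry name="db-01"><ip-netmask>10.1.2.20/32</ip-netmask></entry>
</address></entry></device-group></entry></devices></config>"""

# Constructed sample standing in for the production Panorama config.
PROD_XML = """<config><devices><entry name="localhost.localdomain"><device-group>
<entry name="yourDGname"><address>
  <entry name="web-01"><ip-netmask>10.1.1.10/32</ip-netmask></entry>
  <entry name="db-01"><ip-netmask>10.9.9.9/32</ip-netmask></entry>
</address></entry></device-group></entry></devices></config>"""

def dg_xpath(dg):
    """Destination xpath of a device group's address objects (dg is trusted input)."""
    return ("/config/devices/entry[@name='localhost.localdomain']"
            f"/device-group/entry[@name='{dg}']/address")

def address_entries(xml_text, dg):
    """Map object name -> canonical XML of each address entry in one device group."""
    root = ET.fromstring(xml_text)          # root element is <config>
    node = root.find("." + dg_xpath(dg)[len("/config"):])
    if node is None:
        return {}
    return {e.get("name"): ET.canonicalize(ET.tostring(e, encoding="unicode"),
                                           strip_text=True)
            for e in node.findall("entry")}

def api_element(xml_text, dg, action):
    """Element payload to pair with dg_xpath(dg) for the chosen API action."""
    children = "".join(address_entries(xml_text, dg).values())
    if action == "set":                     # children only, <address> wrapper removed
        return children
    if action == "edit":                    # whole node, <address> wrapper kept
        return f"<address>{children}</address>"
    raise ValueError(f"unsupported action: {action}")

def conflicts(edited_xml, prod_xml, dg):
    """Names defined on both sides with different content; review before merging."""
    new, old = address_entries(edited_xml, dg), address_entries(prod_xml, dg)
    return sorted(n for n in new if n in old and new[n] != old[n])

if __name__ == "__main__":
    print(dg_xpath("yourDGname"))
    print(api_element(EDITED_XML, "yourDGname", "set"))
    print("review before merge:", conflicts(EDITED_XML, PROD_XML, "yourDGname"))
```
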

 

 

 

 

 

So, is there a way to update a Panorama (or firewall) XML or does one have to start a new project?
