ASA to Panorama DG/Template - Merge shows things for most DGs/Templates


Hi

 

I'm attempting my first migration of an ASA to one of my Panorama-managed clusters (1 A/P cluster in a DG/Template) and am following the recent YouTube tutorial for doing so. When I get to the merge step, the API results include a lot of items for my other DGs/Templates. I've tried Atomic & Subatomic and it pretty much looks the same (I didn't do a line-for-line comparison, but eyeballing the 2 looks identical).

 

Is this something of concern?  Are there certain things to be on the lookout for?

38 REPLIES

You can update the Panorama config by setting it to the new base config, but as you mentioned before, you need to merge the other XML with your production config; that's why I suggested the above approach.

So, it's looking like my shared address/group objects from the ASA are all corrupted now.  I didn't scroll down the entire validation output but it's a very long list about 

 

rulebase -> security -> rules -> Rule-01 -> source 'object-XYZ' is not an allowed keyword
rulebase -> security -> rules -> Rule-01 -> source object-XYZ is an invalid ipv4/v6 address
rulebase -> security -> rules -> Rule-01 -> source object-XYZ range separator('-') not found
rulebase -> security -> rules -> Rule-01 -> source 'object-XYZ' is not a valid reference
rulebase -> security -> rules -> Rule-01 -> source is invalid

 

When I check the address object in the Panorama CLI, it looks like this (GUI is similar):

 

set shared address object-XYZ ip-netmask 1.2.3.4/32

 

Similarly, for a group object and its members, it all looks fine.

 

In the case of a group object, there were two that I deleted and re-created identically and then they worked.

Looking at the rule in question, the rule is fine - I don't see anything wrong with it.

 

I have confirmed it is only the ASA objects as found in merged ASA security & NAT rules.

Hello @justamoment 

 

First of all, verify that the object object-XYZ already exists in the Panorama config; it looks like you already verified the object is there. The 2nd step is to save a candidate config snapshot in the Panorama GUI and export that candidate config to your PC, rename the config file to a different name instead of candidate config, re-import the candidate config back to Panorama and load the config, then commit to see if it lets you successfully commit on Panorama.

 

 

Panorama committed just fine.  It's the Device Push (validation) that fails.  Is this still something to try?

Yes, please try the above step.  Thank you!

No change - it still fails a Device Push validation.

Since this is a push between Panorama and the firewalls, I would suggest you open a case with Palo Alto Networks TAC to better assist you on this issue.

Thank you!

<sigh> It was caused by Apps/Threats being out of date.  Once I got it up to the current version it committed fine.

 

Now the real cleanup begins - thanks for all of your help!
