ASA to Panoarama DG/Template - Merge shows things for most DGs/Templates

Showing results for 
Show  only  | Search instead for 
Did you mean: 

ASA to Panoarama DG/Template - Merge shows things for most DGs/Templates

L4 Transporter



I'm attempting my first migration of an ASA to one of my Panorama-managed clusters (1 A/P cluster in a DG/Template) and am following the recent YouTube tutorial for doing so.  When I get to the merge step, the API results include a lot items for my other DGs/Templates.  I've tried Atomic & Subatomic and it pretty much looks the same (I didn't do a line-for-line comparison by eyeballing the 2 looks identical).


Is this something of concern?  Are there certain things to be on the lookout for?

1 accepted solution

Accepted Solutions

Since this is push between Panorama and firewalls , I would suggest you open a case with Palo Alto network TAC to better assist you on this issue . 

Thank you ! 

View solution in original post


L6 Presenter


Atomic & Subatomic  should looks different , for example : If you are pushing the rules via API calls, when select "Atomic" and click on "Generate API requests", you will see list of API calls based on device group level , so you will see one API call for all security rules per Device Group and that one API call contains all the security rules. When you switch to "Subatomic" mode , click on"Generate API request" again, you should see one API call per security rule on the Device Group, if you have 100 rules in the device group, then you can click to pick and choose which rules out of 100 you want to push back to your PAN-OS device. 

Sorry for the delay - when I went back to my project it was all messed up - the ASA configuration was completely missing.


I've started over and have been working on it as I have time.  Hopefully I'll get back to the merge step today.

Okay, I've finally been able to get back to this.  I'm watching the 9 of 9 tutuorial video and I see something I missed before.  I didn't notice that while the Panorama Base Configuration appears on the Export right-pane it includes all DGs/Templates.


How do I limit it to just one DG/Template (we have each firewall or firewall cluster in its own DG/Template)?

You can drag the zone,  object and policy to the corresponding device group on the right , drag the interface  to the corresponding template on the right , then go to API export , click "generate API Request" and only push the config for the specific device group , for example , I can search my device group name -DataCenter , and it will shows all API calls related to that device group as attached screenshot. then you can click on each of them to send API calls to the Panorama. 


Screen Shot 2020-07-13 at 11.38.15 AM.png

Oh, that's not what the video said to do - it said to drag everything under vsys1 to the device | vsys1 on the right.  Now there is nothing on the left pane for the ASA.


Is there any way to undo this and try again or do I have to start over again?


If I have to start over again, is there any way to make a copy of the project so I don't have to keep re-doing the whole thing?

The video is for firewall to firewall migration, if you have panorama configuration as base config , you have option to drag and drop the objects to the corresponding device group and template , if you have not yet click on "merge", you can click on "reset" button, if merge is your last action, you can go to right upper corner and click on" Undo last change" Other than those conditions,  there is no undo function after you merged the config.  If you need to restart a new project, when you start a new project , before you ready to drag and drop the objects from source to base config , you can click on the right upper corner "Save snapshot" , then if something goes wrong, you can then load the saved snapshot back. 


Screen Shot 2020-07-13 at 1.15.25 PM.png

Screen Shot 2020-07-13 at 1.13.26 PM.png


Understood on the video being made for fw-to-fw - I just guessed wrong 😕


Unfortunately, I was fiddling around with the Merge option some more as the post-merge created duplicates so i messed up the last config change and can't undo.


Hopefully, 3rd time's a charm (or is it 4th - I've lost count, lol) 🙂

Luckily, I had a fairly recent snapshot that I had forgotten I had taken 🙂


So, I'm confused on what I'm supposed to do.  Here is what my setup looks like:





So, where do I put each element in the Source pane on the left in the Base Configuration pane on the right?

I tried ASA | Network to Panorama | Template | Firewall (CORE-FW) | Network.

And then I tried ASA | vsys1 | Objects to Panorama | DG | shared, ASA | vsys1 | Policies to Panorama | DG | Firewall (CORE-FW), and finally ASA | vsys1 | Zones to Panorama | Templates | CORE-FW | Nework.


I then hit Merge and go to the API Output Manager and there is no way to select individual DGs:



Do I just check the boxes of the items that are specific to the DG/Template I want to use?

Hello @justamoment 

After you merge the config , when you go to "API output manager", click on "Generate API request" the blue button first, and you should see multiple API calls shown in the screen,   Then Try put "Core-FW1" in the search box as attached in the screenshot and you will see all API calls related to Core-FW1 device group and template , you will always needs to push the shared first , the ID column shows the order of your API calls, please follow the order to push individual API calls. 


Screen Shot 2020-07-15 at 3.53.05 PM.png

Am I dragging & dropping the ASA source elements correctly onto the Base Config elements?

Yes, I believe what you described earlier are correct.  Shared objects goes to shared , policy for specific device group go to specific device group. network configuration go to template assume you are using panorama template for the network configuration. 

Okay, so did that, merged, generated API calls (Atomic), searched on CORE-FW1, checked all of the boxes, and sent API requests.


Only a Device Group hiearchy | readonly was processed and it didn't do anything.


I unchecked that one and re-ran and then it sent all of them and I see entries in the config log but when I look at the various GUI pages for that cluster there were no changes made.


Looking through a sub-atomic generate API calls, it looks like the merge didn't do anything.  I only see things that were already present on CORE-FW1 and none of the ASA configurations.

I am not sure why after you merged the config , you still not seeing the merged configs, please make sure the left side ASA config are already empty and you see all the configs are showing up on the right side in the PAN-OS config, then click merge, click regenerate API request , or you can export the config as xml format and verify the config is merged in the xml .  If you need further assistant , please write email to


Ugh, I figured out what was going on with the merge - check the boxes! I wasn't noticing that when I did the drag and drop of each item it wasn't also checking the box while I did it. <sigh>


Okay, so now I have what looks like a valid generate API requests output.


You mentioned earlier to send the shared items first.  How do I do that?  I searched on shared and received 185 pages at 50 entries per page.


After this question, if I have further issues I'll switch to email.

  • 1 accepted solution
  • 38 replies
  • 77 Subscriptions
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!