06-12-2020 01:58 PM
I'm attempting my first migration of an ASA to one of my Panorama-managed clusters (1 A/P cluster in a DG/Template) and am following the recent YouTube tutorial for doing so. When I get to the merge step, the API results include a lot of items for my other DGs/Templates. I've tried Atomic & Subatomic and it pretty much looks the same (I didn't do a line-for-line comparison, but by eyeballing, the 2 look identical).
Is this something of concern? Are there certain things to be on the lookout for?
07-17-2020 03:28 PM
Since this is a push between Panorama and firewalls, I would suggest you open a case with Palo Alto Networks TAC to better assist you on this issue.
Thank you!
06-12-2020 03:34 PM
Atomic & Subatomic should look different. For example: if you are pushing the rules via API calls, when you select "Atomic" and click on "Generate API requests", you will see a list of API calls based on device group level, so you will see one API call for all security rules per Device Group, and that one API call contains all the security rules. When you switch to "Subatomic" mode and click on "Generate API request" again, you should see one API call per security rule on the Device Group. If you have 100 rules in the device group, then you can click to pick and choose which rules out of 100 you want to push back to your PAN-OS device.
06-22-2020 11:30 AM
Sorry for the delay - when I went back to my project it was all messed up - the ASA configuration was completely missing.
I've started over and have been working on it as I have time. Hopefully I'll get back to the merge step today.
07-13-2020 11:30 AM
Okay, I've finally been able to get back to this. I'm watching the 9 of 9 tutorial video and I see something I missed before. I didn't notice that while the Panorama Base Configuration appears on the Export right-pane it includes all DGs/Templates.
How do I limit it to just one DG/Template (we have each firewall or firewall cluster in its own DG/Template)?
07-13-2020 11:41 AM - edited 07-16-2020 02:22 PM
You can drag the zone, object and policy to the corresponding device group on the right, and drag the interface to the corresponding template on the right. Then go to API export, click "generate API Request" and only push the config for the specific device group. For example, I can search my device group name - DataCenter, and it will show all API calls related to that device group, as in the attached screenshot. Then you can click on each of them to send API calls to the Panorama.
07-13-2020 12:08 PM
Oh, that's not what the video said to do - it said to drag everything under vsys1 to the device | vsys1 on the right. Now there is nothing on the left pane for the ASA.
Is there any way to undo this and try again or do I have to start over again?
If I have to start over again, is there any way to make a copy of the project so I don't have to keep re-doing the whole thing?
07-13-2020 01:19 PM - edited 07-13-2020 01:20 PM
The video is for firewall-to-firewall migration. If you have a Panorama configuration as the base config, you have the option to drag and drop the objects to the corresponding device group and template. If you have not yet clicked on "merge", you can click on the "reset" button; if merge is your last action, you can go to the upper right corner and click on "Undo last change". Other than those conditions, there is no undo function after you have merged the config. If you need to restart a new project, when you start a new project, before you are ready to drag and drop the objects from the source to the base config, you can click on "Save snapshot" in the upper right corner; then, if something goes wrong, you can load the saved snapshot back.
07-13-2020 01:42 PM - edited 07-13-2020 01:43 PM
Understood on the video being made for fw-to-fw - I just guessed wrong 😕
Unfortunately, I was fiddling around with the Merge option some more as the post-merge created duplicates so I messed up the last config change and can't undo.
Hopefully, 3rd time's a charm (or is it 4th - I've lost count, lol) 🙂
07-15-2020 03:11 PM
Luckily, I had a fairly recent snapshot that I had forgotten I had taken 🙂
So, I'm confused on what I'm supposed to do. Here is what my setup looks like:
So, where do I put each element in the Source pane on the left in the Base Configuration pane on the right?
I tried ASA | Network to Panorama | Template | Firewall (CORE-FW) | Network.
And then I tried ASA | vsys1 | Objects to Panorama | DG | shared, ASA | vsys1 | Policies to Panorama | DG | Firewall (CORE-FW), and finally ASA | vsys1 | Zones to Panorama | Templates | CORE-FW | Network.
I then hit Merge and go to the API Output Manager and there is no way to select individual DGs:
Do I just check the boxes of the items that are specific to the DG/Template I want to use?
07-15-2020 03:55 PM
After you merge the config, when you go to "API output manager", click on the blue "Generate API request" button first, and you should see multiple API calls shown on the screen. Then try putting "Core-FW1" in the search box, as in the attached screenshot, and you will see all API calls related to the Core-FW1 device group and template. You will always need to push the shared first. The ID column shows the order of your API calls; please follow the order to push individual API calls.
07-16-2020 02:17 PM
Am I dragging & dropping the ASA source elements correctly onto the Base Config elements?
07-16-2020 02:21 PM
Yes, I believe what you described earlier is correct. Shared objects go to shared, policy for a specific device group goes to the specific device group, and network configuration goes to the template, assuming you are using a Panorama template for the network configuration.
07-16-2020 03:24 PM - edited 07-16-2020 03:27 PM
Okay, so did that, merged, generated API calls (Atomic), searched on CORE-FW1, checked all of the boxes, and sent API requests.
Only a Device Group hierarchy | readonly was processed and it didn't do anything.
I unchecked that one and re-ran and then it sent all of them and I see entries in the config log but when I look at the various GUI pages for that cluster there were no changes made.
Looking through a sub-atomic generate API calls, it looks like the merge didn't do anything. I only see things that were already present on CORE-FW1 and none of the ASA configurations.
07-16-2020 03:31 PM
I am not sure why, after you merged the config, you are still not seeing the merged configs. Please make sure the left-side ASA config is already empty and you see all the configs showing up on the right side in the PAN-OS config, then click merge and click regenerate API request, or you can export the config in XML format and verify the config is merged in the XML. If you need further assistance, please write an email to email@example.com
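The XML check suggested in the reply above, sketched as an added example that is not part of the original thread or of the migration tool: it lists what an exported config holds for one device group and template plus shared, and reports expected ASA names that are absent. It assumes the export follows the standard Panorama configuration layout; the sample XML, all object names and the helper names `summarize` and `missing` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed, minimal Panorama-style config; all names are sample values.
SAMPLE_XML = """<config>
  <shared><address>
    <entry name="asa-dns-1"><ip-netmask>192.0.2.53/32</ip-netmask></entry>
  </address></shared>
  <devices><entry name="localhost.localdomain">
    <device-group>
      <entry name="CORE-FW1">
        <pre-rulebase><security><rules>
          <entry name="asa-rule-1"/>
          <entry name="asa-rule-2"/>
        </rules></security></pre-rulebase>
      </entry>
      <entry name="BRANCH-FW"/>
    </device-group>
    <template>
      <entry name="CORE-FW1">
        <config><devices><entry name="localhost.localdomain">
          <vsys><entry name="vsys1"><zone><entry name="inside"/></zone></entry></vsys>
        </entry></devices></config>
      </entry>
    </template>
  </entry></devices>
</config>"""

def _names(root, path):
    return [e.get("name") for e in root.findall(path)]

def summarize(xml_text, device_group, template):
    """List what the export holds for one device group/template plus shared."""
    root = ET.fromstring(xml_text)
    dg = f"./devices/entry/device-group/entry[@name='{device_group}']"
    tpl = f"./devices/entry/template/entry[@name='{template}']/config/devices/entry"
    return {
        "shared_addresses": _names(root, "./shared/address/entry"),
        "dg_addresses": _names(root, dg + "/address/entry"),
        "pre_rules": _names(root, dg + "/pre-rulebase/security/rules/entry"),
        "post_rules": _names(root, dg + "/post-rulebase/security/rules/entry"),
        "zones": _names(root, tpl + "/vsys/entry/zone/entry"),
    }

def missing(summary, expected):
    """Return expected names (per section) that are absent from the export."""
    gaps = {k: sorted(set(v) - set(summary.get(k, []))) for k, v in expected.items()}
    return {k: v for k, v in gaps.items() if v}

if __name__ == "__main__":
    s = summarize(SAMPLE_XML, "CORE-FW1", "CORE-FW1")
    print(s)
    print(missing(s, {"pre_rules": ["asa-rule-1", "asa-rule-3"], "zones": ["inside"]}))
```

An empty result from `missing` for the target device group, with nothing unexpected showing up under other device groups, is the condition to confirm before sending any API requests.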
07-16-2020 03:45 PM - edited 07-16-2020 03:46 PM
Ugh, I figured out what was going on with the merge - check the boxes! I wasn't noticing that when I did the drag and drop of each item it wasn't also checking the box while I did it. <sigh>
Okay, so now I have what looks like a valid generate API requests output.
You mentioned earlier to send the shared items first. How do I do that? I searched on shared and received 185 pages at 50 entries per page.
After this question, if I have further issues I'll switch to email.