I'm attempting my first migration of an ASA to one of my Panorama-managed clusters (1 A/P cluster in a DG/Template) and am following the recent YouTube tutorial for doing so. When I get to the merge step, the API results include a lot items for my other DGs/Templates. I've tried Atomic & Subatomic and it pretty much looks the same (I didn't do a line-for-line comparison by eyeballing the 2 looks identical).
Is this something of concern? Are there certain things to be on the lookout for?
Okay, so did that, merged, generated API calls (Atomic), searched on CORE-FW1, checked all of the boxes, and sent API requests.
Only a Device Group hiearchy | readonly was processed and it didn't do anything.
I unchecked that one and re-ran and then it sent all of them and I see entries in the config log but when I look at the various GUI pages for that cluster there were no changes made.
Looking through a sub-atomic generate API calls, it looks like the merge didn't do anything. I only see things that were already present on CORE-FW1 and none of the ASA configurations.
I am not sure why after you merged the config , you still not seeing the merged configs, please make sure the left side ASA config are already empty and you see all the configs are showing up on the right side in the PAN-OS config, then click merge, click regenerate API request , or you can export the config as xml format and verify the config is merged in the xml . If you need further assistant , please write email to firstname.lastname@example.org
Ugh, I figured out what was going on with the merge - check the boxes! I wasn't noticing that when I did the drag and drop of each item it wasn't also checking the box while I did it. <sigh>
Okay, so now I have what looks like a valid generate API requests output.
You mentioned earlier to send the shared items first. How do I do that? I searched on shared and received 185 pages at 50 entries per page.
After this question, if I have further issues I'll switch to email.
If you have objects that's in shared , for example address objects or service object that is in shared besides the pre-defined one, you will need to push those shared address/service objects before you push the device group level objects , if you don't have any thing in shared , you don't need to push the shared objects. when you go to objects, you can see the object is in shared or not, if it's in shared , it will show vsys name as "shared" instead of vsys1 or your device group name. Hope this is clear.
1. If you are asking how to move the address objects from vsys1 to shared, you can right click on the object and select "Convert to Shared" as shown in screenshot:
2. How to push those shared objects in API calls, you can go to "Address" section and search "shared", you will see API calls for pushing shared address objects list as below.
So far things you've pointed out have helped immensely. After a number of iterations I'm getting a better handle on how this all works.
I still have at least one more iteration as I've been getting a lot of send API command errors. It would be nice if the sends would just continue on and report any errors found rather than just stopping at the first one.
I spoke too soon - I just tried to commit to Panorama to save my work until morning and I'm gettting 30 validation errors. I think I might know why it's happening though. It looks like all of them are objects that disappeared. I bet I didn't update Panorama correctly in Expedition after recent changes. I'll have to re-watch that video and test it out.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!