ASA to Panoarama DG/Template - Merge shows things for most DGs/Templates

Showing results for 
Search instead for 
Did you mean: 

ASA to Panoarama DG/Template - Merge shows things for most DGs/Templates

L4 Transporter



I'm attempting my first migration of an ASA to one of my Panorama-managed clusters (1 A/P cluster in a DG/Template) and am following the recent YouTube tutorial for doing so.  When I get to the merge step, the API results include a lot items for my other DGs/Templates.  I've tried Atomic & Subatomic and it pretty much looks the same (I didn't do a line-for-line comparison by eyeballing the 2 looks identical).


Is this something of concern?  Are there certain things to be on the lookout for?


You can update the panorama config by setting it to the new base config , but as you mentioned before you need to merge other xml with your production config , that’s why I suggested above approach . 

So, it's looking like my shared address/group objects from the ASA are all corrupted now.  I didn't scroll down the entire validation output but it's a very long list about 


rulebase -> security -> rules -> Rule-01 -> source 'object-XYZ' is not an allowed keyword
rulebase -> security -> rules -> Rule-01 -> source object-XYZ is an invalid ipv4/v6 address
rulebase -> security -> rules -> Rule-01 -> source object-XYZ range separator('-') not found
rulebase -> security -> rules -> Rule-01 -> source 'object-XYZ' is not a valid reference
rulebase -> security -> rules -> Rule-01 -> source is invalid


When I check the address object in the Panorama CLI, it looks like this (GUI is similar):


set shared address object-XYZ ip-netmask


Similarly, for a group object and its members, it all looks fine.


In the case of a group object, there were two that I deleted and re-created identically and then they worked.

Looking at the rule in question, the rule is fine - I don't see anything wrong with it.


I have confirmed it is only the ASA objects as found in merged ASA security & NAT rules.

Hello @justamoment 


First of all , verify the object object-XYZ is already exist in Panorama config and looks like you already verified the object is there .  2nd step will be you save a candidate config snapshot on Panorama GUI and export that candidate config out to your PC , rename the config file to different name instead of candidate config and re-import the candidate config back to panorama and load the config , then commit to see if it lets you successfully commit on panorama .  



Panorama committed just fine.  It's the Device Push (validation) that fails.  Is this still something to try?

Yes, please try the above step.  Thank you!

No change - it still fails a Device Push validation.

Since this is push between Panorama and firewalls , I would suggest you open a case with Palo Alto network TAC to better assist you on this issue . 

Thank you ! 

View solution in original post

<sigh> It was caused by Apps/Threats being out of date.  Once I got it up to the current version it committed fine.


Now the real cleanup beings - thanks for all of your help!

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!