06-12-2020 01:58 PM
Hi
I'm attempting my first migration of an ASA to one of my Panorama-managed clusters (1 A/P cluster in a DG/Template) and am following the recent YouTube tutorial for doing so. When I get to the merge step, the API results include a lot of items for my other DGs/Templates. I've tried Atomic & Subatomic and it pretty much looks the same (I didn't do a line-for-line comparison, but by eyeballing, the 2 look identical).
Is this something of concern? Are there certain things to be on the lookout for?
07-17-2020 11:19 AM
You can update the Panorama config by setting it to the new base config, but as you mentioned before, you need to merge other XML with your production config; that's why I suggested the above approach.
07-17-2020 01:12 PM
So, it's looking like my shared address/group objects from the ASA are all corrupted now. I didn't scroll down the entire validation output but it's a very long list about
rulebase -> security -> rules -> Rule-01 -> source 'object-XYZ' is not an allowed keyword
rulebase -> security -> rules -> Rule-01 -> source object-XYZ is an invalid ipv4/v6 address
rulebase -> security -> rules -> Rule-01 -> source object-XYZ range separator('-') not found
rulebase -> security -> rules -> Rule-01 -> source 'object-XYZ' is not a valid reference
rulebase -> security -> rules -> Rule-01 -> source is invalid
When I check the address object in the Panorama CLI, it looks like this (GUI is similar):
set shared address object-XYZ ip-netmask 1.2.3.4/32
Similarly, for a group object and its members, it all looks fine.
In the case of a group object, there were two that I deleted and re-created identically and then they worked.
07-17-2020 01:15 PM
Looking at the rule in question, the rule is fine - I don't see anything wrong with it.
I have confirmed it is only the ASA objects as found in merged ASA security & NAT rules.
07-17-2020 02:05 PM - edited 07-17-2020 02:07 PM
Hello @justamoment
First of all, verify that the object object-XYZ already exists in the Panorama config; it looks like you already verified the object is there. The 2nd step will be to save a candidate config snapshot in the Panorama GUI, export that candidate config to your PC, rename the config file to a different name instead of candidate config, re-import the candidate config back to Panorama and load the config, then commit to see if it lets you successfully commit on Panorama.
07-17-2020 02:25 PM
Panorama committed just fine. It's the Device Push (validation) that fails. Is this still something to try?
07-17-2020 02:33 PM
Yes, please try the above step. Thank you!
07-17-2020 02:52 PM
No change - it still fails a Device Push validation.
07-17-2020 03:28 PM
Since this is a push between Panorama and the firewalls, I would suggest you open a case with Palo Alto Networks TAC to better assist you on this issue.
Thank you!
07-17-2020 08:31 PM
<sigh> It was caused by Apps/Threats being out of date. Once I got it up to the current version it committed fine.
Now the real cleanup begins - thanks for all of your help!