I am preparing to migrate configuration from cisco FWSM to Palo Alto 5250 which is managed by Panorama. The converted configuration gets exported to Panorama but while attempting to commit to the firewall, i get the following error. I have done "re-mapping" of Vlan interfaces in Cisco FWSM to Palo Alto aggregate interface sub-interfaces. Please help.
I am using expedition tool. My Panorama version is 8.1.2
. Validation Error:
. vsys -> vsys2 -> import -> network -> interface 'ae1.251' is not a valid reference
. vsys -> vsys2 -> import -> network -> interface is invalid
. Can't get interface ae1.516 id(Module: routed)
. Error: unknown interface ae1.516
. Error: virtual router configuration error
. (Module: device)
. Commit failed
Part of the human intervention that it is required during the migration is remapping the interfaces to valid interface names in a PANOS device.
As we can't know how the wiring will me made after the intervention, this process is not done automatically and one task is to map the Cisco interfaces to PANOS interfaces (doing the rename).
Are you using AE or Sub-interfaces for connectivity to the Cisco LAN side? Are you connecting to a VLAN with L3-SVI trunk LACP? Or just one interface with sub-interfaces? If just one interface with sub-interfaces, then you don't need AE's. Once you map your interfaces correctly in Expedition / MT, you push them. I have in the past had to create the interfaces on the FW in advance and then it worked.
I did not do any re-mapping of the interfaces in the expedition tool. When i imported the configuration to Panorama, the SVI in the cisco FWSM are converted into vlan interfaces in Palo Alto. I tried installing the policy and policy installation succeeded. However, all the vlan interfaces are not mapped to the vsys in which i have defined the policy. If i try to remap the interfaces to specific vsys, i start getting the same error as before.
I have templates and device group configured in Panorama under which the specific vsys exists.
Few basic questions:
1. My only interface to physical network switch is ae1. This is not mapped to any vsys and is configured as layer2.
2. By the migration tool, i have got vlan interfaces created as part of the migrated configuration from cisco. These are not automatically mapped to any vsys. If my understanding is correct, i need to bring these to specific vsys.
3. Is there any additional configuration required to make the ae1 interface to allow traffic in all VLANs and act as trunk?
4. Do i need to create any manual L2 VLAN inside ISE to support the corresponding L3-VLAN interface? Usually in cisco firewall, i have not done this.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!