This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Correct invalid services in Expedition

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Correct invalid services in Expedition

AK74
L2 Linker

‎07-04-2022 03:03 PM - edited ‎07-04-2022 04:17 PM

Hello there,

 

I am currently migrating my ASA 5585 to a Palo 5260 using Expedition tool. Everything on the dashboard has been rectified, except for few services that shows "invalid" and used .

 

I've noticed that Expedition has replaced "icmp" service in ASA to "discard" 

Does anyone know why is that ?

 

Also, there're some invalid services such as (icmp-echo. icmp-echo-reply) but when I try to search/locate them, I don't see them under security policy but they're used in Object groups as shown below So, basically I need to convert them to Ping application as if they were used in security policy ?

AK74_0-1656972005482.png

Finally, I've got "esp" as invalid service but again it's located in an object group. So, how to correct it? replace it with an application (ipsec-esp) or service ?

Thanks

 

1 person had this problem.
4 REPLIES 4

Ifixtheinternet
L0 Member

‎10-26-2022 09:27 AM

I have the same problem and question.

In addition to those, I also have a service object showing up for "GRE", but there is no object in my ASA configured for GRE, or port 47, either individually or within any port range. So I'm not sure where that came from.
They show unused, but I'd still like to understand why they were generated.
I'm wondering if there's any way to display in Expedition what object / config line in the ASA that Expedition referred to in order to create the objects. 3_Invalid_Service_objects_5585i.png

0 Likes Likes

lychiang
L6 Presenter
In response to Ifixtheinternet

‎10-26-2022 09:34 AM

Hi @Ifixtheinternet Those are default service protocol from your cisco asa config, if it's red dot , means it's not being used in any group object or policies. 

0 Likes Likes

Ifixtheinternet
L0 Member
In response to lychiang

‎10-26-2022 10:36 AM

Thanks lychiang,

 

I was not familiar with default objects in the ASA until now.

One must perform a "show run all" on an ASA to see the default objects, which is where I found the default GRE object, as well as the default "echo" object.

The last piece I am uncertain about which AK74 also asked, is why the used service object for ICMP was renamed to "discard".
The service object configured in the ASA is just called "icmp". Not critical as we'll rename it anyway, but I'm still curious.


0 Likes Likes

AK74
L2 Linker
In response to Ifixtheinternet

‎10-26-2022 03:45 PM

What version of Expedition tool are you using ?

0 Likes Likes
  • 2340 Views
  • 4 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks