Hi all. We are trying to use Expedition for a massive cleanup of our Panorama instance. We have everything setup, and the project has generated the unused objects that need to be removed. I wanted to start with service groups as there were only 109 before moving onto the 1767 services ( and 11k address objects). After loading my most recent Pano config into the devices, I did the following:
1. Went into project -> project.name -> import (so it had the most recent file)
2. Objects->Services/service groups. I clicked the green button so it would compile a fresh list of unused objects.
3. Press the red button to remove all unused objects.
4. Export -> API -> atomic -> click step 1. This generates the long list of API calls. I click on the the service groups column ( we have multiple device locations so there are five or six total to check)
5. I then click step 2. I wait for the status to complete in Expedition.
Now in Panorama..
6. I click Commit to Panorama -> and can see that the expedition user has in fact made changes that need to be committed.
7. I validate and commit. Since these are unused service groups ( most often in shared ) there are no changes that need to be pushed to the devices. When Pano is finished the service groups still remain.
I've tried this with services initially, but this failed as some were still in unused service groups which is why I switched. We run a production environment so I'm only able to attempt these changes two a week and have had failures three times.
I've tried atomic, and sub-atomic - with sub-atomic, the entire list of objects is generated - even ones that are in use and shouldn't be removed - so I'm not sure that's the way I should be going.
My last attempt at removing these was "successful" in that I was able to remove 38 objects. We aren't really sure how this was done. We had tried sub-atomic to remove a single service group ( which remained ) twice, and after this was done we were generating atomic calls to see if that was the issue. We could see this in the pending commit in the firewall, but when checking the candidate versus running commit it wouldn't be there. We finally that the candidate config was set to remove things, and that was what ultimately removed those shared service groups, but we aren't really sure what happened to make this work. Is there a set amount of time that's needed after generating and pushing the API calls before running commits in Panorama? The status bar had completed, the commits had completed, so I'm not sure what piece is missing here.
Any help on this would be very much appreciated. If I can't get this to work they're wanting me to manually remove those 11k unused address objects which would be a very unpleasant experience.
Hi @candace.penn , in your steps 4, have you click on "Send API requests" green button to send the API calls to Panorama? Did you see it said "Command succeeded" as attached screenshots? Also , in your step one, you could retrieve the config from Panorama directly by adding Panorama in the device tab, and click on "Contents" to retrieve the running-config first, that way you will always get the latest config from Panorama. After you go into the project, then you can go to "Import", and click on the Panorama device to import the running-config you just retrieved in the previous step. Please let me know if you have any questions.
Thanks for replying!
The status on these were pending - even after I saw the status bar complete and disappear. So does this take time, after that bar has disappeared, to fully send to Panorama? Panorama did show that there were changes waiting to be committed, and again you could preview them and see what they were..
Hello @candace.penn , There are 2 Steps on pushing config back to Panorama you need to follow:
1. Click on the blue button "Generate API Requests"
2. Select the objects and rules you want to push by check the checkbox in front of the objects and click on the green button "Send API Request"
After the step2, if the API calls successfully, the status will then change from "Pending" to "Command succeeded" as shown in the screenshot.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!