Expedition - re-assign zones after change in routing

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Expedition - re-assign zones after change in routing

L6 Presenter

 

The imported config had an OSPF dynamic routing so some routes were not in routing table. Therefore zones aren't correct on some rules. I can add the routes from OSPF manually into VR in my Expedition project. But how do I force Expedition to re-populate zones throughout whole configuration, please?

 

 

7 REPLIES 7

L4 Transporter

Hi @santonic 

 

Expedition could run an autozone on NAT and Security Rules for you.

 

First please make sure you Network is properly defined, that means review your interfaces are properly defined and have a zone assigned, also your VR has a default static route plus all your OSPF dynamic routing. Having a default static route is a must to execute the autozone assign.

 

Once all this information is fine create an snapshot of the project so at any time you can go back to this specific project status.

 

Then execute below steps:

 

1. Go to Security Rules grid,

2. Select one rule or all, but for testing purposes I will suggest select first some controlled rules,

3. Click on right mouse button and select autozone assign.

4. Select your template (Network information) and your VR to use

5. Select the scope of the executions; selected rules or all rules

6. Select if you want to calculate source zones and destination zones

7. Select if you want to apply NAT rules information for destination zones.

8. Click on calculate 

9. Wait for the process to finish

10. Review tab Monitor to check for some warning on the process

 

Note: The same process could be executed on NAT rules. Take into account that as Palo Alto Networks only allows having 1 zone on the to (destination) zone for NAT rules, when Expedition detects that the NAT rule needs having more than one to zone, then it clones the NAT rule for every to zone needed, increasing the number of NAT rules than originally were migrated.

If you identify some finding please open a TAC case including your original configuration and share the TAC case number with us using the email fwmigrate <fwmigrate@paloaltonetworks.com>. We will be happy to assist you.

 

Hope this information helps you,

 

Best,

 

David

L6 Presenter

Thank you for your reply.

Ok, I tried this but it seems it's not taking into account directly connected networks. Tested it on a rule from one connected (source zone A, no source IP defined) to the other connected network (destination zone B, destination network defined) and it changed source zone to 'any' and destination zone to outside (where default route points).  

Hi @santonic 

That's the expected result, when "source" or "destination" is any the autozone algorithm sets as "any" the "from" or "to" zone. 
Hope this helps,

Best regards,

L6 Presenter

For the source zone I can understand. 

But for the destination zone destination network was defined, it's a directly connected network, and Expedition set it to 'outside' anyway. It should be the destination zone of directly connected network.  

Hi @santonic ,

I would like to debug your case on my lab.

For that I will need you to share your exported Expedition project using a TAC case.

Please send the TAC case number to fwmigrate@paloaltonetworks.com

Let me know if that works for you.

Thanks in advance,

David

L6 Presenter

I don't have a TAC case open yet. Can I even open a TAC case for Expedition issues? Or how did you mean this? 

Hi @santonic 

The requirement for the TAC case is solely for the purpose of file sharing.

Despite Expedition not being an option in the product list, you can still initiate a TAC case (choose PANOS as the product).

Make sure to specify in the description that the ticket is being opened exclusively for file sharing and may be closed thereafter.

Thank you in advance,

 

  • 2123 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!