The imported config had an OSPF dynamic routing so some routes were not in routing table. Therefore zones aren't correct on some rules. I can add the routes from OSPF manually into VR in my Expedition project. But how do I force Expedition to re-populate zones throughout whole configuration, please?
Expedition could run an autozone on NAT and Security Rules for you.
First please make sure you Network is properly defined, that means review your interfaces are properly defined and have a zone assigned, also your VR has a default static route plus all your OSPF dynamic routing. Having a default static route is a must to execute the autozone assign.
Once all this information is fine create an snapshot of the project so at any time you can go back to this specific project status.
Then execute below steps:
1. Go to Security Rules grid,
2. Select one rule or all, but for testing purposes I will suggest select first some controlled rules,
3. Click on right mouse button and select autozone assign.
4. Select your template (Network information) and your VR to use
5. Select the scope of the executions; selected rules or all rules
6. Select if you want to calculate source zones and destination zones
7. Select if you want to apply NAT rules information for destination zones.
8. Click on calculate
9. Wait for the process to finish
10. Review tab Monitor to check for some warning on the process
Note: The same process could be executed on NAT rules. Take into account that as Palo Alto Networks only allows having 1 zone on the to (destination) zone for NAT rules, when Expedition detects that the NAT rule needs having more than one to zone, then it clones the NAT rule for every to zone needed, increasing the number of NAT rules than originally were migrated.
If you identify some finding please open a TAC case including your original configuration and share the TAC case number with us using the email fwmigrate <firstname.lastname@example.org>. We will be happy to assist you.
Hope this information helps you,
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!