Expedition support for PanOS9.1.1

lychiang
L4 Transporter

Hello @FilipElsen ,

Instead of loading the full config, can we try to do the "load config partial" command from the Panorama CLI to see if you encounter the same issue? Also, what platform is your Panorama?

FilipElsen
L2 Linker

Hi @lychiang @dgildelaig

We have an M500 cluster with full disk extension.

I was never a big fan of the "partial" and it showed again today.

While loading the partial config, the primary Panorama became unresponsive and I needed to fail over & revert.

I encountered such symptoms in the past, which is why I avoid doing it with this command.

It has been going fine for over a year and we've performed about 21 migrations (Checkpoint central policy sent to 2 different datacenter clusters, which brings quite some complexity: routing, NAT, auto-zone assignment etc.). (Spoke to @dgildelaig about this during an event.)

 

I've provided the export of the project, the merged xml.

Can you please shine your wisdom on it?

Best regards,

Filip

 

lychiang
L4 Transporter

Hi @FilipElsen 

 

This is not an Expedition issue; it has been identified as an issue in PAN-OS 9.1.1. Please review the addressed issue below, fixed in PAN-OS 9.1.2:

PAN-133378: Fixed an issue in Panorama where a process (configd) restarted while doing a commit using a RADIUS super admin role.

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-release-notes/pan-os-9-1-addressed-issues/pan-os...

 

Thank you!

 

FilipElsen
L2 Linker

Hi @lychiang @dgildelaig @DamienDove ,

Our Panoramas have been upgraded from 9.1.1 to 9.1.2.

The merged config file has been imported; it takes a while!

2020/06/04 16:08:13   16:08:13       186939                                  BuildXMLCache                            ACT   PEND        47%
2020/06/04 16:07:26   16:07:26       186938                                  BuildXMLCache                            ACT   PEND        69%
2020/06/04 16:06:48   16:06:48       186937                                  BuildXMLCache                            ACT   PEND        93%
2020/06/04 16:06:13   16:06:13       186936                                  BuildXMLCache                            ACT   PEND        99%
2020/06/04 15:29:33   15:29:33       186935                                           Load                            ACT   PEND        99%

 

In total, the process sat on Load / PEND at 99% for about 35 minutes.

In the end, the import worked.

 

Thanks a lot for the solution!

Best regards,

Filip Elsen

FilipElsen
L2 Linker

Hi @lychiang @dgildelaig 

With PAN-OS 9.1.2 the import itself works; the configd restart error is solved. Nevertheless, it takes a lot of time.

When reviewing the policy, we noticed that again the source/destination/service objects got lost, even though they are found in the XML.

Example 1:

Expedition: expedition1.jpeg

Panorama: panorama1.jpeg

Example 2:

Expedition: expedition2.jpeg

Panorama: panorama2.jpeg

I searched the XML for "rule 229" above, and it seems to hold the correct values.

XML.jpeg

Seems like compatibility is lagging with PAN-OS 9.1.x.

We're blocked on our migrations.

Can you please shine a light?

 

Thanks a lot,

Filip Elsen

lychiang
L4 Transporter

Hello @FilipElsen 

In your Expedition, when you do a merge config, what version of the base config do you use? Can you confirm you are using the 9.1.2 base config on the right side.

FilipElsen
L2 Linker

Hi @lychiang,

 

Yes - indeed. The base config is the one from 9.1.2.

 

When importing the merged config: OK.

When loading the imported config, we select:

- Load shared objects
- Select device groups & templates: only the specific DG (MGT) has been selected.

The policy is loaded, but sources & destinations (objects) + services are missing.

Best regards,

Filip

lychiang
L4 Transporter

Hi @FilipElsen, after you exported the XML file from Expedition, can you open the XML file and verify that the source, destination and services are indeed shown in the security policy?

 

Another solution that could help is to perform an API call to push the shared/DG address objects and service objects from Expedition to Panorama. Please see the attached screenshot. Go to "Export" -> "API output manager" -> click the blue button "Generate API Requests". It will then list all the API calls; you can pick and choose which part of the config you want to push back to Panorama by selecting the checkbox on that particular API call and clicking the green button "Send API Requests". The ID column shows the order you need to follow; for example, you will start with "TAG" -> "Shared Address object" -> "DG address object" -> "Shared Service object" -> "DG service object" -> "Shared security policy" -> "DG security policy".
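The check lychiang asks for above (open the exported XML and verify that source, destination and service are present in the security policy) is tedious to do rule by rule, and Filip's spot check of "rule 229" only covers one rule. The script below is an added example, not code from this thread, from Expedition or from Palo Alto Networks: it walks every security rule in every device group of a Panorama-style XML export and reports rules whose source/destination/service is empty or references an object that is defined neither in shared nor in that device group. It assumes the standard Panorama configuration layout (shared objects under /config/shared, device-group objects and pre/post rulebases under /config/devices/entry/device-group/entry). The embedded XML is a constructed sample, not Filip's export.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample in the Panorama layout: one shared address and service,
# one device group "MGT" with a local address object and three pre-rules.
# rule 229 is complete, rule 230 references an undefined address (srv-db),
# rule 231 has an empty <source/> element.
SAMPLE_XML = """<config version="9.1.0">
  <shared>
    <address><entry name="srv-web"><ip-netmask>10.0.0.10/32</ip-netmask></entry></address>
    <service><entry name="tcp-8443"><protocol><tcp><port>8443</port></tcp></protocol></entry></service>
  </shared>
  <devices><entry name="localhost.localdomain"><device-group><entry name="MGT">
    <address><entry name="mgt-net"><ip-netmask>10.10.0.0/24</ip-netmask></entry></address>
    <pre-rulebase><security><rules>
      <entry name="rule 229">
        <source><member>mgt-net</member></source>
        <destination><member>srv-web</member></destination>
        <service><member>tcp-8443</member></service>
        <action>allow</action>
      </entry>
      <entry name="rule 230">
        <source><member>mgt-net</member></source>
        <destination><member>srv-db</member></destination>
        <service><member>application-default</member></service>
        <action>allow</action>
      </entry>
      <entry name="rule 231">
        <source/>
        <destination><member>any</member></destination>
        <service><member>any</member></service>
        <action>allow</action>
      </entry>
    </rules></security></pre-rulebase>
  </entry></device-group></entry></devices>
</config>"""

# Keywords PAN-OS accepts without a matching object definition.
BUILTIN = {"any", "application-default"}
FIELDS = ("source", "destination", "service")


def _names(scope, path):
    """Set of entry names under scope/path (e.g. address/entry)."""
    return {e.get("name") for e in scope.findall(path) if e.get("name")}


def _is_literal_ip(value):
    """Address members may be raw IPs/CIDRs rather than object names."""
    try:
        ipaddress.ip_network(value, strict=False)
        return True
    except ValueError:
        return False


def defined_objects(root, dg):
    """Address-like and service-like names visible to rules in device group dg:
    shared objects plus the device group's own objects (groups included)."""
    addr, svc = set(), set()
    for scope in (root.find("shared"), dg):
        if scope is None:
            continue
        addr |= _names(scope, "address/entry") | _names(scope, "address-group/entry")
        svc |= _names(scope, "service/entry") | _names(scope, "service-group/entry")
    return addr, svc


def audit_rules(xml_text):
    """Return (device_group, rule, field, problem) tuples for rules with an
    empty field or a member that is neither built-in, a literal IP, nor a
    defined object. An empty list means every rule resolves cleanly."""
    root = ET.fromstring(xml_text)
    findings = []
    for dg in root.findall("devices/entry/device-group/entry"):
        addr, svc = defined_objects(root, dg)
        for rulebase in ("pre-rulebase", "post-rulebase"):
            for rule in dg.findall(f"{rulebase}/security/rules/entry"):
                for field in FIELDS:
                    members = [m.text.strip() for m in rule.findall(f"{field}/member") if m.text]
                    if not members:
                        findings.append((dg.get("name"), rule.get("name"), field, "EMPTY"))
                        continue
                    known = svc if field == "service" else addr
                    for m in members:
                        if m in BUILTIN or m in known:
                            continue
                        if field != "service" and _is_literal_ip(m):
                            continue
                        findings.append((dg.get("name"), rule.get("name"), field, f"UNDEFINED:{m}"))
    return findings


if __name__ == "__main__":
    # Run against a real export with: audit_rules(open("merged.xml").read())
    for finding in audit_rules(SAMPLE_XML):
        print("%s / %s / %s: %s" % finding)
```

A rule that shows up as UNDEFINED is exactly the case where the XML "holds the correct values" for the rule itself while the object it points at is missing from the scope Panorama loads (for instance when only one device group is selected and the object lives elsewhere), which is the situation the suggested API push of shared/DG objects is meant to repair. Regions, EDLs and dynamic address groups are not modelled here and would be reported as undefined.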
