Expedition support for PanOS9.1.1

 Hi @lychiang, @dgildelaig 

We have an M500 cluster with full disk extension.

I was never a big fan of the "partial" and it showed off again today.

While loading the partial config, the primary Panorama became unresponsive and I needed to failover & revert.

Such symptoms I encountered in the past, therefore I avoid to do it like this command.

It has been going fine for +1Y and we've performed about 21migrations (Checkpoint Central policy sent to 2 different datacenter clusters, which brings quitte some complexity (routing, nat, auto-zone assign etc). (Spoke @dgildelaig about this during an event).

I've provided the export of the project, the merged xml.

Can you please shine your wisdom on it?

Best regards,

Filip

Hi @FilipElsen 

This is not a Expedition issue , it has been identified as issue in PAN-OS 9.1.1 , please review below address issue in PAN-OS 9.1.2

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-release-notes/pan-os-9-1-addressed-issues/pan-os...

Thank you!

Hi @lychiang @dgildelaig @DamienDove ,

Our Panorama's have been upgraded from 9.1.1 to 9.1.2.

The merged config file has been imported, it takes a while!

2020/06/04 16:08:13   16:08:13       186939                                  BuildXMLCache                            ACT   PEND        47%

2020/06/04 16:07:26   16:07:26       186938                                  BuildXMLCache                            ACT   PEND        69%

2020/06/04 16:06:48   16:06:48       186937                                  BuildXMLCache                            ACT   PEND        93%

2020/06/04 16:06:13   16:06:13       186936                                  BuildXMLCache                            ACT   PEND        99%

2020/06/04 15:29:33   15:29:33       186935                                           Load                            ACT   PEND        99%

In total it took about 35 minutes that the process was on Load / PEND at 99%.

In the end, the import worked.

Thanks a lot for the solution!

Best regards,

Filip Elsen

Hi @lychiang @dgildelaig 

With PanOS 9.1.2 the import itself works, the configd restart error is solved. Nevertheless it takes a lot of time.

When reviewing the policy, we noticed that again the source/destination/service objects got lost, even though the are found into the XML.

Example 1

Expedition

Panorama

Example2:

Expedition

Panorama

I've made a search in the XML for "rule 229" above, but this seems to hold the correct values.

Seems like compatibility is lagging with PanOs 9.1.X.

We're blocked on our migrations.

Can you please shine a light?

Thanks a lot,

Filip Elsen

Hello @FilipElsen 

In your expedition, when you do a merge config , what version of the base config you use , can you confirm you are using the 9.1.2 base config on the right side. 

Hi @lychiang,

Yes - indeed. The base config is the one from 9.1.2.

When importing the merged config: OK.

When loading the imported config, we select:

- Load shared objects

-Select device group & templates: only the specific DG (MGT) has been selected.

The policy is loaded, but sources & destinations (objects) + services are missing.

Best regards,

Filip

Hi @FilipElsen After you exported the xml file from Expedition, can you open the xml file and verify the source, destination, services are indeed shown in the security policy . 

Another solution could help is to perform an API call to push the shared/DG address objects and service objects from Expedition to Panorama. Please see attached screenshot. You will go to "Export" -> "API output manager" -> Click on the blue button "Generate API Requests" , it will then list all the API calls, you can pick and choose which part of the config you want to push back to Panorama , by select the checkbox on that particular API call and click the green button "Send API Requests" , the column of the ID shows the order you need to follow, for example you will start with "TAG" -> "Shared Address object" -> "DG address object" Shared Service object" ->"DG service object" -> "shared security policy"->"DG security policy" .