Expedition .xml import issues into PanOS 9.05

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.

Expedition .xml import issues into PanOS 9.05

L1 Bithead

Hey Community! I am working to migrate CheckPoint to Palo and keep running into some issues with importing into our Palo Alto Firewalls. The Firewalls are brand new and I have them running PanOS 9.05. The steps I am taking are. Complete firewall rule cleanup within Expedition > Merge Checkpoint and Palo Firewall config > Resolve duplicated rules > Generate .xml file > Import into Palo Firewall > Load named configuration snapshot.


At this point the rules, networks, NAT, zones and routers are showing properly on the firewall. 


1. I notice that the destination zone does not carry over from the expedition policies. They are showing properly in Expedition. So I need to enter these in manually on the actual Firewall at this point..


2. When I try to edit a rule and add the destination zone I get the following error when trying to save the rule. (FW Admin is the rule name) “FW Admin -> to has unexpected text. FW Admin -> to is invalid”. I get this for every rule in the security tab.


3. My next thought is to try to get the policy committed and then try to update rules. I get this error when trying to commit the expedition config. "This config has been sanitized of password data because it was exported by a non-superuser or was part of a tech support export. Please use a non-sanitized config. (see 'phash' field for user accounts 'admin') Configuration is invalid"


Expedition Version 1.1.51 (Getting this updated this morning to 1.1.55)



L1 Bithead

Just a quick update for anyone having the same issues.


Both 1 & 2 have been resolved by downgrading the firewalls from PanOS 9.05 to 8.1.12.


#3. Has been resolved by exporting out the config straight from the firewall and importing the .xml file instead of syncing down the config from Expedition. We have a M-500 Panorama that has all of the firewalls connected to it. For each project we go into the project settings and add the specific firewall for that project and sync it from the import tab. Somewhere the admin password hash is not coming over. Opening the .xml file you can see that the hash is not imported into Expedition.

When you imported the PANOS configuration, was this already in PANOS 9.x?


PANOS 9.x has a few extra things to take into account in the XML generation, and we try to identify our target based on the base configuration that you have imported into the project.

It would be good if you could share with us via a secure channel your Expedition project, so we also identify if we are missing something while generating the XML config files for PANOS 9.x

  • 2 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!