Import format issue

L2 Linker


I am importing rules from a Cisco 5585 ASA in prep to move to a 5260. I have noticed that when I go through the log file from the ASA trying to clean up the objects starting with invalid characters or edit objects that exceed 31 characters, I have issues with what is imported. Example: I import 220 lines based on the count in UltraEdit and Expedition shows 60 security policies. Is there a certain format that the text in the log file has to be in? Anything I can check prior to import?

L5 Sessionator

Are you 100% sure that you are not altering the format for the file?

 

I would suggest that you do not clean the original ASA configuration, as Expedition already has a few controls and name corrections in place that may do this work for you.

Also, there would be less chance that, while cleaning, you misplace a quote or similar, making part of the configuration invalid.

 

If it still fails this way, let us know and we will try to identify the characters that are bothering and give support for them in Expedition.

Our goal is that you need to do 0 cleaning on the configuration file besides any standard approach that the vendor may specify.

 

L2 Linker

If there is an object group that begins with a -, that is an invalid field, and it will fail an API call to load it. If you manually import the config, you can bring it up, but if you try to commit it, it will error out and possibly reboot the Palo. The 220 I have for testing has been doing this. If a name is over 31 characters, this will cause another error. I have not seen anything in Expedition that seems to remediate these issues. A reason that manual editing needs to be done when coming from the Cisco ASA is that I have to split the zones on the firewall into different vsys per the design that was implemented. I have also discovered that if I have a rule to an IP address that has a NAT, the rule in Expedition becomes a rule to the NAT, while that is not how a Cisco ASA works. That was confusing to find.

L5 Sessionator

Could you put the NAT issue in an email to fwmigrate@paloaltonetworks.com?

I would like to check that with you to improve the logic in Expedition.

 

Regarding the invalid objects, doesn't Expedition filter those objects as invalid for you? We have a feature to, for instance, add a prefix on all selected objects, which you could use to alter their names to start with whatever you want instead of the "-".

 

However, out of curiosity, is this a valid naming in Cisco?

L2 Linker

Sent the email with examples.

 

Expedition does not filter; it only shows unused and used on the object tab. I only found the error on export attempts.

 

That is a valid format in the Cisco ASA.

 

If you test and make a new object with a -, you get a message telling you that it must start with an alphanumeric character and can contain 0 or more alphanumeric characters, underscores, hyphens, dots, or spaces. So it has to start with a letter or number. I don't see a way to correct the 31 character limit or the - beginning.

L5 Sessionator

We will make a release today that will catch those address objects as invalid, so you can spot them and apply the global Prefix addition.

 

Thanks for letting us know
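As an added example (not Expedition's or Palo Alto Networks' code), a small Python checker that applies the naming rules quoted in this thread (leading alphanumeric, only alphanumerics, underscore, hyphen, dot or space, at most 31 characters) to the object and object-group names in an ASA config, and shows the prefix fix suggested above. The sample config and the `obj_` prefix are constructed for illustration.

```python
import re

MAX_NAME_LEN = 31                      # name length limit discussed in the thread
LEADING = re.compile(r"[A-Za-z0-9]")   # first character must be alphanumeric
ALLOWED = re.compile(r"[A-Za-z0-9_.\- ]")  # characters allowed after the first

def name_issues(name: str) -> list[str]:
    """Return the reasons a name would be rejected; an empty list means it is fine."""
    if not name:
        return ["empty name"]
    issues = []
    if not LEADING.fullmatch(name[0]):
        issues.append("does not start with an alphanumeric character")
    bad = sorted({c for c in name[1:] if not ALLOWED.fullmatch(c)})
    if bad:
        issues.append("contains disallowed characters: " + "".join(bad))
    if len(name) > MAX_NAME_LEN:
        issues.append(f"length {len(name)} exceeds {MAX_NAME_LEN}")
    return issues

# ASA "object network|service <name>" and "object-group <type> <name>" lines
OBJECT = re.compile(r"^object\s+(network|service)\s+(\S+)", re.MULTILINE)
OBJECT_GROUP = re.compile(r"^object-group\s+(\S+)\s+(\S+)", re.MULTILINE)

def scan_asa_config(text: str) -> dict[str, list[str]]:
    """Map every object/object-group name that would be rejected to its issues."""
    names = [m.group(2) for m in OBJECT.finditer(text)]
    names += [m.group(2) for m in OBJECT_GROUP.finditer(text)]
    return {n: name_issues(n) for n in names if name_issues(n)}

def prefixed(name: str, prefix: str = "obj_") -> str:
    """Prefix names that start with an invalid character (the fix suggested above).
    Over-long names are left alone: truncating them could collide with other names."""
    if name and not LEADING.fullmatch(name[0]):
        return prefix + name
    return name

# Constructed ASA snippet: two hyphen-leading names and one 40-character name.
SAMPLE_CONFIG = """\
object network -dmz-web-server
 host 10.1.1.10
object network web
 host 10.1.1.11
object-group network -partner-subnets
 network-object 192.168.1.0 255.255.255.0
object-group service this-is-a-very-long-service-group-name-1 tcp
 port-object eq 443
"""

if __name__ == "__main__":
    for name, problems in scan_asa_config(SAMPLE_CONFIG).items():
        print(f"{name!r}: {'; '.join(problems)} -> {prefixed(name)!r}")
```

Run it before import to get the list of names Expedition's prefix feature (or a manual edit) has to deal with; names flagged only for length still need a hand-chosen shorter name.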
