
Interface re-mapping to ae subinterfaces


L4 Transporter

Hi Expedition team

Recently I had a project, which required changing a number of physical firewall interfaces to single aggregated tagged sub-interfaces (e.g. ethernet1/1, 1/2, 1/3, etc. changed to ae1.1, 1.2, 1.3).

I decided to use the Expedition “interface re-mapping” option. To start with, I don’t seem to be able to directly rename an Ethernet interface to an ae sub-interface. I found a workaround by first remapping the Ethernet interface to ae (e.g. ethernet1/11 to ae1), then I get a duplicate ae1 interface and I edit the new ae1 interface, changing it from ae1 to ae1.11.

This worked, although it takes longer, because it needs two actions for each interface: remap ethernet1/11 to ae1, then rename ae1 to ae1.11.

The other problem was that not all references to the Ethernet interfaces were changed. For example, interface references were not changed in the following places:

  • In NAT policies the interface was changed in the translated source, however not changed in “Original Packet -> Destination Interface”.
  • Interfaces in PBF policies were not changed
  • Interfaces were not changed in Global Protect Portals and Gateways.
  • Local Interface in VPN Gateways was not changed
  • QoS Interfaces were not changed, however this is understandable.

 

I had to manually edit the XML file, which eventually worked, however it was a lot of additional work and prone to mistakes.

I really like the tool and find it an enormous help.

I am not sure if this is the right place to report bugs. I just wanted to check if this is the expected behaviour or if it is a bug that can be fixed. 
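A check for the leftover references described in the post above, as an added example that is not part of the original thread and not Expedition code: it walks an exported configuration and reports every element or attribute that still names a remapped interface. The sample XML, its element names and the `find_stale_refs` helper are constructed for illustration and simplified, not the exact PAN-OS schema.

```python
import xml.etree.ElementTree as ET

# Old -> new interface names, as in the post (ethernet1/11 becomes ae1.11).
REMAP = {"ethernet1/11": "ae1.11", "ethernet1/12": "ae1.12"}

# Constructed, simplified sample of a config after a partial re-mapping.
SAMPLE = """<config>
  <nat><rules><entry name="web-in">
    <to-interface>ethernet1/11</to-interface>
    <source-translation><interface>ae1.11</interface></source-translation>
  </entry></rules></nat>
  <pbf><rules><entry name="pbf-1">
    <from><interface>
      <member>ethernet1/11</member>
      <member>ethernet1/1</member>
    </interface></from>
  </entry></rules></pbf>
  <ike-gateway><entry name="gw1">
    <local-address><interface>ethernet1/12</interface></local-address>
  </entry></ike-gateway>
</config>"""

def find_stale_refs(xml_text, remap):
    """Return (path, old_name, new_name) for each leftover old interface name."""
    hits = []

    def walk(elem, path):
        name = elem.get("name")
        here = f"{path}/{elem.tag}" + (f"[@name='{name}']" if name else "")
        text = (elem.text or "").strip()
        # Exact match only, so ethernet1/1 is never confused with ethernet1/11.
        if text in remap:
            hits.append((here, text, remap[text]))
        for key, value in elem.attrib.items():
            if value in remap:
                hits.append((f"{here}/@{key}", value, remap[value]))
        for child in elem:
            walk(child, here)

    walk(ET.fromstring(xml_text), "")
    return hits

if __name__ == "__main__":
    for path, old, new in find_stale_refs(SAMPLE, REMAP):
        print(f"{path}: still {old}, expected {new}")
```

Running it against the exported XML before loading the configuration gives a list of rules to review, instead of relying on a manual search.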

1 accepted solution

Accepted Solutions

L7 Applicator

Hi,


What you described is the behavior we developed, so it works as designed. That doesn't mean it's the best, so we will think of a better way that allows you to select the interfaces and apply the logic you want. Let us think about it.

The tool was designed to migrate configs from 3rd parties, and that is why, when remapping interfaces, we were thinking only of the objects we support from other vendors, which are just the interfaces and zones. QoS, etc. are from PANOS devices and we didn't think about those, but thanks to you we will increase the support so that remapping an interface replaces the references everywhere with the new ones.

Thank you in the name of my team for the detailed explanation and for allowing us to improve 🙂


3 REPLIES 3

L3 Networker

Great job reporting the details of this issue.  I am looking forward to the answer/resolution.

@alestevez

 

Thank you for that. With the new 3200 and 5200 series and some of the old platforms approaching end of life, we see a few platform migration projects, so there will probably be more demand for Palo to Palo migrations. The feature will really help, as when moving platform customers often change the physical interfaces and consolidate the old (often incorrectly configured) Ethernet links into a single fibre aggregated interface.
