Issues with Import from Panorama

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.

Issues with Import from Panorama

We have a complex environment with a physical ASA HA pair with multiple contexts, which we are slowing moving to Palo Alto VMs, one ASA context per VM HA pair. Some customers have existing PA VM pairs in addition to an ASA context. We have more than a dozen HA PA VM pairs (running 9.1.x) managed by Panorama (running 10.1.8).


I have tried multiple methods to import the existing Palo Alto configuration into Expedition from Panorama, from attempting to only pull the configuration of the single firewall pair - which yielded a configuration with just 3 services listed as imported and no security policies or objects. I have also imported the entire Panorama configuration, which did import the security policies - for every single PA VM pair - more than 3600, but I don't seem to be able to restrict this just to the PA pair I need. There is a panorama tab in the project, but I've only been able to delete a handful of the imported PA pairs so I'm trying to find a way to just get the PA pair I need so I can get the existing ASA security policies, NAT policies, and objects imported.


I've read numerous posts, but I haven't come across a method of just getting the security policies I need.


Specifically, I imported all of Panorama configuration to Expedition (under Devices). I then created a project, and attempted to just permit the one firewall pair I need to work with - and ended up with 3 services, no rules, no objects. If I import all of Panorama, I end up with several thousand objects, 4000+ rules, and seemingly no way to remove those firewall pairs I don't need. A handful will delete in the panorama tab under the project, but most will not - leaving me with 3600+ security policies and no reasonable way of pairing the configuration down without going through every policy, object, network interface, zone, etc. to remove those that are not part of this project.


Has anyone successfully managed something like this? If so, how?


L6 Presenter

Hi @MichaelASloan-SDC Here is my recommendations per your usecase:

1. Create a new Device group and new template in your production panorama for each of the migration project , for example: DG1, template1

2. Export the whole running config from the production panorama and import it into Expedition used as baes config. 

3. Merge your converted ciscoasa config with the panorama base config , when you drag and drop, drag the objects, rules folder to DG1 , all network interfaces, virtual router folder to Template 1 , make sure the zone object is drag to the vsys1 folder under template1 as shown in the below article: 


4. After configs are merged, generate a xml output, download the xml file.

5. Import the xml file into panorama

6. When Load config in panorama, only load config for DG1 and template 1 by selecting specific device group and template like below :


Screen Shot 2023-04-03 at 10.21.40 AM.png


Alternative way is you can use firewall as base config , and load the merged config in firewall, later, you do a firewall to panorama migration. 


Hope this helps!






  • 1 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!