Juniper SRX migration questions

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Juniper SRX migration questions

L4 Transporter

Hi

 

I'm working on an SRX migration (first time) and in Expedition, all of the policies are locked (there are only Security policies in this situation).  I need to tag all of the rules with a specific tag as I'm combining three firewall clusters into one (2 PANs sandwiching the SRX - I'm collapsing a 3-tier physical environment into a single firewall cluster).  I need to mark the rules from the SRX as such since there will be duplication of rules.  I can do it post-migration with PAN-OS-PHP since the zones are nearly all unique but I was hoping to do it in Expedition.

 

On a related note, when I try to add a tag, it just pops up the all/shared/vsys1 dropdown box next to the device XML name for the SRX.

 

Address/Address Groups/Service/Service Group objects are all editable but similarly I can't add any (I don't need to - just pointing it out).

 

And another item - remapping network interfaces: I can only remap them one at a time.  Trying to do a bulk rename (they're all going from reth1 or reth2 to ae8 with the original sub-interface/VLAN tag ID).  When I try I get the middle drop down box popping up with all or default_template14 listed.  Interestingly, if I select default_template14 and then click the remap button with multiple selections I get a warning:

 

Please, select one, and only one, interface

 

Thanks!

 

16 REPLIES 16

L5 Sessionator

If you can’t add objects and policy most likely you did not select the right context where the objects and policy located , try to switch to different vsys or contex on the lower right bottom .  For remapping interface , you will have to do it one by one , if it’s interface with sub interface , you only need to remap on the main interface , the sub interfaces will auto remap. 

L4 Transporter

Both "all" and "vsys1" have the same result for policies they're locked either way.  Selecting vsys1 did allow me to add a tag, however.

 

Interestingly enough, even though the Policy | Security rules are locked, I was able to bulk add the tag I was able to created while vsys1 is selected.

 

So, I would consider that part resolved.

 

As far as network interfaces go, the main interface doesn't appear.  Our SRX uses reth interfaces (redundant ethernet) instead of AEs or LAgs.  There is a non-subinterface reth (e.g., reth0 vs. subinterface reth0.100) but the parent doesn't appear (in the same example, reth0 doesn't appear in the list of interfaces).  This is true whether I choose any combo of middle drop-down box of all or default_template14 and right drop-down box of all, shared, or vsys1.

L5 Sessionator

Not sure what version of expedition you are running , if it’s not latest version, I would suggest you do a upgrade first . If you still encounter issues , please send email to fwmigrate@paloaltonetworks.com 

L4 Transporter

I updated last week to v1.2.2 and I see that it's showing an update is available.  Let me give it a shot.

L4 Transporter

It didn't update much and still shows v1.2.2.

 

 

Spoiler

$ sudo apt-get update
Ign:2 https://conversionupdates.paloaltonetworks.com expedition-updates/ InRelease
Get:3 http://sgp1.mirrors.digitalocean.com/mariadb/repo/10.1/ubuntu xenial InRelease [4,638 B]
Ign:4 https://conversionupdates.paloaltonetworks.com expedition-updates/ Release
Ign:1 https://www.rabbitmq.com/debian testing InRelease
Ign:6 https://conversionupdates.paloaltonetworks.com expedition-updates/ Packages.diff/Index
Ign:5 https://www.rabbitmq.com/debian testing Release
Hit:9 http://archive.ubuntu.com/ubuntu xenial InRelease
Get:10 http://security.ubuntu.com/ubuntu xenial-security InRelease [109 kB]
Hit:12 http://ppa.launchpad.net/adiscon/v8-stable/ubuntu xenial InRelease
Ign:14 https://conversionupdates.paloaltonetworks.com expedition-updates/ Translation-en_US
Ign:7 https://www.rabbitmq.com/debian testing/main amd64 Packages.diff/Index
Ign:8 https://www.rabbitmq.com/debian testing/main i386 Packages.diff/Index
Ign:17 https://conversionupdates.paloaltonetworks.com expedition-updates/ Translation-en
Ign:11 https://www.rabbitmq.com/debian testing/main all Packages
Get:19 http://archive.ubuntu.com/ubuntu xenial-updates InRelease [109 kB]
Ign:13 https://www.rabbitmq.com/debian testing/main Translation-en_US
Ign:20 https://conversionupdates.paloaltonetworks.com expedition-updates/ Packages
Ign:15 https://www.rabbitmq.com/debian testing/main Translation-en
Ign:16 https://www.rabbitmq.com/debian testing/main amd64 Packages
Ign:14 https://conversionupdates.paloaltonetworks.com expedition-updates/ Translation-en_US
Hit:21 http://ppa.launchpad.net/deadsnakes/ppa/ubuntu xenial InRelease
Ign:18 https://www.rabbitmq.com/debian testing/main i386 Packages
Ign:17 https://conversionupdates.paloaltonetworks.com expedition-updates/ Translation-en
Ign:11 https://www.rabbitmq.com/debian testing/main all Packages
Ign:13 https://www.rabbitmq.com/debian testing/main Translation-en_US
Ign:20 https://conversionupdates.paloaltonetworks.com expedition-updates/ Packages
Ign:15 https://www.rabbitmq.com/debian testing/main Translation-en
Ign:16 https://www.rabbitmq.com/debian testing/main amd64 Packages
Ign:14 https://conversionupdates.paloaltonetworks.com expedition-updates/ Translation-en_US
Ign:18 https://www.rabbitmq.com/debian testing/main i386 Packages
Ign:17 https://conversionupdates.paloaltonetworks.com expedition-updates/ Translation-en
Ign:11 https://www.rabbitmq.com/debian testing/main all Packages
Ign:13 https://www.rabbitmq.com/debian testing/main Translation-en_US
Ign:20 https://conversionupdates.paloaltonetworks.com expedition-updates/ Packages
Ign:15 https://www.rabbitmq.com/debian testing/main Translation-en
Ign:16 https://www.rabbitmq.com/debian testing/main amd64 Packages
Get:22 http://archive.ubuntu.com/ubuntu xenial-backports InRelease [107 kB]
Ign:14 https://conversionupdates.paloaltonetworks.com expedition-updates/ Translation-en_US
Ign:18 https://www.rabbitmq.com/debian testing/main i386 Packages
Ign:23 http://download.webmin.com/download/repository sarge InRelease
Ign:11 https://www.rabbitmq.com/debian testing/main all Packages
Hit:24 http://download.webmin.com/download/repository sarge Release
Ign:17 https://conversionupdates.paloaltonetworks.com expedition-updates/ Translation-en
Ign:13 https://www.rabbitmq.com/debian testing/main Translation-en_US
Ign:15 https://www.rabbitmq.com/debian testing/main Translation-en
Get:20 https://conversionupdates.paloaltonetworks.com expedition-updates/ Packages [910 B]
Ign:16 https://www.rabbitmq.com/debian testing/main amd64 Packages
Ign:18 https://www.rabbitmq.com/debian testing/main i386 Packages
Get:26 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages [2,049 kB]
Ign:14 https://conversionupdates.paloaltonetworks.com expedition-updates/ Translation-en_US
Ign:11 https://www.rabbitmq.com/debian testing/main all Packages
Ign:17 https://conversionupdates.paloaltonetworks.com expedition-updates/ Translation-en
Ign:13 https://www.rabbitmq.com/debian testing/main Translation-en_US
Ign:15 https://www.rabbitmq.com/debian testing/main Translation-en
Ign:14 https://conversionupdates.paloaltonetworks.com expedition-updates/ Translation-en_US
Ign:16 https://www.rabbitmq.com/debian testing/main amd64 Packages
Ign:18 https://www.rabbitmq.com/debian testing/main i386 Packages
Ign:17 https://conversionupdates.paloaltonetworks.com expedition-updates/ Translation-en
Ign:11 https://www.rabbitmq.com/debian testing/main all Packages
Ign:13 https://www.rabbitmq.com/debian testing/main Translation-en_US
Ign:15 https://www.rabbitmq.com/debian testing/main Translation-en
Err:16 https://www.rabbitmq.com/debian testing/main amd64 Packages
404 OK
Ign:18 https://www.rabbitmq.com/debian testing/main i386 Packages
Get:27 http://archive.ubuntu.com/ubuntu xenial-updates/main i386 Packages [1,525 kB]
Fetched 3,905 kB in 2s (1,451 kB/s)
Reading package lists... Done
W: The repository 'https://conversionupdates.paloaltonetworks.com expedition-updates/ Release' does not have a Release file.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: The repository 'http://www.rabbitmq.com/debian testing Release' does not have a Release file.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: Failed to fetch https://www.rabbitmq.com/debian/dists/testing/main/binary-amd64/Packages 404 OK
E: Some index files failed to download. They have been ignored, or old ones used instead.

 

$ sudo apt-get install expedition-beta
Reading package lists... Done
Building dependency tree
Reading state information... Done
expedition-beta is already the newest version (1.2.2).
0 upgraded, 0 newly installed, 0 to remove and 177 not upgraded.

 

$ sudo apt-get -y -f install
Reading package lists... Done
Building dependency tree
Reading state information... Done
0 upgraded, 0 newly installed, 0 to remove and 177 not upgraded.

 

$ sudo apt-get autoremove
Reading package lists... Done
Building dependency tree
Reading state information... Done
0 upgraded, 0 newly installed, 0 to remove and 177 not upgraded.

 

Hello @justamoment 

 

You are not updating expedition because your packages are not being updated as shown below there are a few errors.

 

W: The repository 'https://conversionupdates.paloaltonetworks.com expedition-updates/ Release' does not have a Release file.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: The repository 'http://www.rabbitmq.com/debian testing Release' does not have a Release file.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: Failed to fetch https://www.rabbitmq.com/debian/dists/testing/main/binary-amd64/Packages 404 OK
E: Some index files failed to download. They have been ignored, or old ones used instead.

 

We have a separate forum thread on the fix and you can refer to it here ( https://live.paloaltonetworks.com/t5/expedition-discussions/unable-to-update-expedition-quot-expedit... ) After running through these steps you should be able to update your expedition server to the latest version.

L4 Transporter

I replaced...

 

deb https://conversionupdates.paloaltonetworks.com/ expedition-updates/

 

...with...

 

deb [trusted=yes] https://conversionupdates.paloaltonetworks.com/ expedition-updates/

 

And reran it:

 

 

Spoiler

$ sudo apt-get update
Get:2 http://sgp1.mirrors.digitalocean.com/mariadb/repo/10.1/ubuntu xenial InRelease [4,638 B]
Ign:3 https://conversionupdates.paloaltonetworks.com expedition-updates/ InRelease
Get:4 http://security.ubuntu.com/ubuntu xenial-security InRelease [109 kB]
Ign:1 https://www.rabbitmq.com/debian testing InRelease
Ign:6 https://conversionupdates.paloaltonetworks.com expedition-updates/ Release
Ign:5 https://www.rabbitmq.com/debian testing Release
Ign:9 http://download.webmin.com/download/repository sarge InRelease
Ign:11 https://conversionupdates.paloaltonetworks.com expedition-updates/ Packages.diff/Index
Hit:12 http://download.webmin.com/download/repository sarge Release
Ign:7 https://www.rabbitmq.com/debian testing/main amd64 Packages.diff/Index
Hit:14 http://archive.ubuntu.com/ubuntu xenial InRelease
Ign:8 https://www.rabbitmq.com/debian testing/main i386 Packages.diff/Index
Ign:19 https://conversionupdates.paloaltonetworks.com expedition-updates/ Translation-en_US
Ign:10 https://www.rabbitmq.com/debian testing/main all Packages
Hit:20 http://ppa.launchpad.net/adiscon/v8-stable/ubuntu xenial InRelease
Ign:13 https://www.rabbitmq.com/debian testing/main Translation-en_US
Ign:21 https://conversionupdates.paloaltonetworks.com expedition-updates/ Translation-en
Get:22 http://archive.ubuntu.com/ubuntu xenial-updates InRelease [109 kB]
Ign:15 https://www.rabbitmq.com/debian testing/main Translation-en
Ign:16 https://www.rabbitmq.com/debian testing/main amd64 Packages
Ign:23 https://conversionupdates.paloaltonetworks.com expedition-updates/ Packages
Ign:17 https://www.rabbitmq.com/debian testing/main i386 Packages
Ign:19 https://conversionupdates.paloaltonetworks.com expedition-updates/ Translation-en_US
Ign:10 https://www.rabbitmq.com/debian testing/main all Packages
Ign:13 https://www.rabbitmq.com/debian testing/main Translation-en_US
Ign:21 https://conversionupdates.paloaltonetworks.com expedition-updates/ Translation-en
Ign:15 https://www.rabbitmq.com/debian testing/main Translation-en
Hit:24 http://ppa.launchpad.net/deadsnakes/ppa/ubuntu xenial InRelease
Ign:16 https://www.rabbitmq.com/debian testing/main amd64 Packages
Ign:23 https://conversionupdates.paloaltonetworks.com expedition-updates/ Packages
Ign:17 https://www.rabbitmq.com/debian testing/main i386 Packages
Ign:10 https://www.rabbitmq.com/debian testing/main all Packages
Ign:19 https://conversionupdates.paloaltonetworks.com expedition-updates/ Translation-en_US
Ign:13 https://www.rabbitmq.com/debian testing/main Translation-en_US
Ign:15 https://www.rabbitmq.com/debian testing/main Translation-en
Ign:21 https://conversionupdates.paloaltonetworks.com expedition-updates/ Translation-en
Ign:16 https://www.rabbitmq.com/debian testing/main amd64 Packages
Ign:17 https://www.rabbitmq.com/debian testing/main i386 Packages
Get:25 http://archive.ubuntu.com/ubuntu xenial-backports InRelease [107 kB]
Ign:23 https://conversionupdates.paloaltonetworks.com expedition-updates/ Packages
Ign:10 https://www.rabbitmq.com/debian testing/main all Packages
Ign:13 https://www.rabbitmq.com/debian testing/main Translation-en_US
Ign:15 https://www.rabbitmq.com/debian testing/main Translation-en
Ign:19 https://conversionupdates.paloaltonetworks.com expedition-updates/ Translation-en_US
Ign:16 https://www.rabbitmq.com/debian testing/main amd64 Packages
Ign:17 https://www.rabbitmq.com/debian testing/main i386 Packages
Ign:21 https://conversionupdates.paloaltonetworks.com expedition-updates/ Translation-en
Ign:10 https://www.rabbitmq.com/debian testing/main all Packages
Get:26 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages [2,049 kB]
Ign:13 https://www.rabbitmq.com/debian testing/main Translation-en_US
Hit:23 https://conversionupdates.paloaltonetworks.com expedition-updates/ Packages
Ign:15 https://www.rabbitmq.com/debian testing/main Translation-en
Ign:19 https://conversionupdates.paloaltonetworks.com expedition-updates/ Translation-en_US
Ign:16 https://www.rabbitmq.com/debian testing/main amd64 Packages
Ign:17 https://www.rabbitmq.com/debian testing/main i386 Packages
Ign:21 https://conversionupdates.paloaltonetworks.com expedition-updates/ Translation-en
Ign:10 https://www.rabbitmq.com/debian testing/main all Packages
Ign:13 https://www.rabbitmq.com/debian testing/main Translation-en_US
Ign:19 https://conversionupdates.paloaltonetworks.com expedition-updates/ Translation-en_US
Ign:15 https://www.rabbitmq.com/debian testing/main Translation-en
Ign:21 https://conversionupdates.paloaltonetworks.com expedition-updates/ Translation-en
Err:16 https://www.rabbitmq.com/debian testing/main amd64 Packages
404 OK
Ign:17 https://www.rabbitmq.com/debian testing/main i386 Packages
Get:27 http://archive.ubuntu.com/ubuntu xenial-updates/main i386 Packages [1,525 kB]
Fetched 3,904 kB in 2s (1,546 kB/s)
Reading package lists... Done
W: The repository 'http://www.rabbitmq.com/debian testing Release' does not have a Release file.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: Failed to fetch https://www.rabbitmq.com/debian/dists/testing/main/binary-amd64/Packages 404 OK
E: Some index files failed to download. They have been ignored, or old ones used instead.

 

$ sudo apt-get install expedition-beta
Reading package lists... Done
Building dependency tree
Reading state information... Done
expedition-beta is already the newest version (1.2.2).
0 upgraded, 0 newly installed, 0 to remove and 177 not upgraded.

 

$ sudo apt-get -y -f install
Reading package lists... Done
Building dependency tree
Reading state information... Done
0 upgraded, 0 newly installed, 0 to remove and 177 not upgraded.

 

$ sudo apt-get autoremove
Reading package lists... Done
Building dependency tree
Reading state information... Done
0 upgraded, 0 newly installed, 0 to remove and 177 not upgraded.

 

Hello @justamoment 

 

You will need to also do this for rabbitmq which I believe is under the exrepo repo.

 

W: The repository 'http://www.rabbitmq.com/debian testing Release' does not have a Release file.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: Failed to fetch https://www.rabbitmq.com/debian/dists/testing/main/binary-amd64/Packages 404 OK
E: Some index files failed to download. They have been ignored, or old ones used instead.

L4 Transporter
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!