Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Migrate Security Rules in multiple device groups with Expedition

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Migrate Security Rules in multiple device groups with Expedition

L1 Bithead

Hello,

 

I have a policy rule imported from a Juniper with one Vsys.

I'd like to split the rules and migrate them in different Device Group (Multiple VSYS) in a Panorama

It seems that Expedition only give the possibilty to export the rules in one Device group in the Mapping tab. So if rules belong to multiple device, the only solution i ve found is to move the security policies to one Device group  and then to move them with Panorama console in the other Device groups.

Is there a trick to get more granularity in the Device group Export?

Thanks for your help

 

5 REPLIES 5

L6 Presenter

Hi Jean-Bruno,

 

If the security policy is shared by all device group, you can moved them to shared in Expedition. If they are not shared, you could try export the merged config from Expedition and perform "load config partial" in Panorama CLI to load the security policy to the corresponding device groups https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-cli-quick-start/use-the-cli/load-configurations/...

 

or

 

use the below move rules function in Panorama GUI to move rules from one device group to another device group https://docs.paloaltonetworks.com/panorama/9-0/panorama-admin/manage-firewalls/manage-device-groups/...

 

Hope this helps!

 i thought there was a button somewhere to move rule among DG in Expedition. Maybe a feature to add?;)

I'll move the rules manually then from Panorama GUI.

Thank for your reply

 

There is a function in export tab if you are converting from multi-vsys or multiple firewalls to multiple device groups, where you can drag and drop the left side's security policy from different vsys  to the  corresponding device groups on the right side and merge the config. But In your scenario , you are converting from single vsys to multiple device groups, so you won't be able to drag and drop the security policy to different device groups.  Please see attached screenshot:

Yes i agree, but there is no way to clone the rules from one device group to another in Expedition.

And when it is dragged to the right, left content gets empty. So no real solution in my scenario. Panorama GUI is the way to go

Thanks

You are right. We have an option to move a rule to Shared, but we did not implement a feature to move/clone a rule between different DGs/VSys.

 

We will take note of this need and add it to our list of functionalities we would like to provide in Expedition 2.0, which it is currently under development.

  • 7732 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!