Migrate Security Rules in multiple device groups with Expedition

L1 Bithead

Hello,

 

I have a policy rule imported from a Juniper with one Vsys.

I'd like to split the rules and migrate them into different Device Groups (multiple VSYS) in a Panorama.

It seems that Expedition only gives the possibility to export the rules to one Device Group in the Mapping tab. So if rules belong to multiple devices, the only solution I've found is to move the security policies to one Device Group and then to move them with the Panorama console into the other Device Groups.

Is there a trick to get more granularity in the Device group Export?

Thanks for your help

 

L3 Networker

Re: Migrate Security Rules in multiple device groups with Expedition

Hi Jean-Bruno,

 

If the security policy is shared by all device groups, you can move them to Shared in Expedition. If they are not shared, you could try exporting the merged config from Expedition and performing "load config partial" in the Panorama CLI to load the security policy into the corresponding device groups https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-cli-quick-start/use-the-cli/load-configurations/...

 

or

 

use the below move rules function in Panorama GUI to move rules from one device group to another device group https://docs.paloaltonetworks.com/panorama/9-0/panorama-admin/manage-firewalls/manage-device-groups/...

 

Hope this helps!
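
The "load config partial" route suggested above, sketched as an added example that is not part of the original reply: a Python helper that reads an exported Panorama-style XML and emits one load command per rule, keeping the original rule order. The device group names, rule names, mapping and file name are constructed, and the xpath layout and argument order are assumptions to check against the linked CLI guide for your PAN-OS version.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed Panorama-style export with every rule in one device group.
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain"><device-group>
<entry name="DG-Import"><pre-rulebase><security><rules>
<entry name="allow-web"><action>allow</action></entry>
<entry name="allow-dns"><action>allow</action></entry>
<entry name="deny-telnet"><action>deny</action></entry>
</rules></security></pre-rulebase></entry>
</device-group></entry></devices></config>"""

# Hypothetical mapping of rule name -> target device group.
RULE_TO_DG = {"allow-web": "DG-Branch", "allow-dns": "DG-Branch", "deny-telnet": "DG-DC"}

# Assumed xpath layout for device-group pre-rules in a Panorama config.
BASE = "/config/devices/entry[@name='localhost.localdomain']/device-group"
RULES = "pre-rulebase/security/rules"


def build_commands(config_xml, source_dg, rule_to_dg, filename):
    """Return (commands, unmapped); commands follow the source rulebase order."""
    root = ET.fromstring(config_xml)
    path = f"devices/entry/device-group/entry[@name='{source_dg}']/{RULES}/entry"
    commands, unmapped = [], []
    for rule in root.findall(path):
        name = rule.get("name")
        target = rule_to_dg.get(name)
        if target is None:
            unmapped.append(name)  # surface for review instead of dropping silently
            continue
        src = f"{BASE}/entry[@name='{source_dg}']/{RULES}/entry[@name='{name}']"
        dst = f"{BASE}/entry[@name='{target}']/{RULES}/entry[@name='{name}']"
        commands.append(
            f"load config partial mode merge from-xpath {src} to-xpath {dst} from {filename}"
        )
    return commands, unmapped


if __name__ == "__main__":
    cmds, missing = build_commands(SAMPLE_CONFIG, "DG-Import", RULE_TO_DG, "expedition-merged.xml")
    print("\n".join(cmds))
    print("Rules without a target device group:", missing)
```

Rule order decides which rule matches first, so review the resulting order in each device group, and confirm that the objects each rule references exist in that device group or in Shared, before committing.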

L1 Bithead

Re: Migrate Security Rules in multiple device groups with Expedition

I thought there was a button somewhere to move rules among DGs in Expedition. Maybe a feature to add? ;)

I'll move the rules manually then from Panorama GUI.

Thanks for your reply

 

L3 Networker

Re: Migrate Security Rules in multiple device groups with Expedition

There is a function in the export tab, if you are converting from multi-vsys or multiple firewalls to multiple device groups, where you can drag and drop the left side's security policy from different vsys to the corresponding device groups on the right side and merge the config. But in your scenario, you are converting from a single vsys to multiple device groups, so you won't be able to drag and drop the security policy to different device groups. Please see attached screenshot:

L1 Bithead

Re: Migrate Security Rules in multiple device groups with Expedition

Yes, I agree, but there is no way to clone the rules from one device group to another in Expedition.

And when it is dragged to the right, the left content gets empty. So no real solution in my scenario. Panorama GUI is the way to go.

Thanks

L5 Sessionator

Re: Migrate Security Rules in multiple device groups with Expedition

You are right. We have an option to move a rule to Shared, but we did not implement a feature to move/clone a rule between different DGs/VSys.

 

We will take note of this need and add it to our list of functionalities we would like to provide in Expedition 2.0, which is currently under development.
