missing config parts on export

COsterbrink-LIS · ‎05-19-2022

hey,

I migrated a CP81 config and merged it with the PAN base config.

In expedition everything looks fine and everyhting is in place where I would expect it.

when I generate the config for export and download it, I'm missing all interfaces, zones, the address and group objects and service objects in the output (both in XML and set output). In the output I'm only seeing the imported PAN base config and the virtual router and all Security and NAT rules.

so, I have only a part of the device group and a part of the template config in the export.

any ideas how to get this fixed?

best regards,

Chris

lychiang · ‎05-20-2022

Hi @COsterbrink-LIS

Few things to check:

1. Which PAN-OS base config you use, is it a panorama base config , if you are migrated to merge with a existing panorama config, you will need to create a new device group and template in panorama and download the config from panorama

2. Interface in checkpoint config needs to be re-mapped to PAN-OS naming conventions before merge the config

3. When merge the config , you will drag the objects from left panel to right panel accordingly. Refer screenshot below:

COsterbrink-LIS · ‎05-23-2022

Hi @lychiang

thanks for your response!

point 2 and 3 are clear and be not an issue.

regarding point 1 - I added panorama to Expedition and loaded the devices over panorama.

in the project settings I added the two new devices I want to migrate the config to. In the project I loaded the config from one of the devices as base config. that also worked successfully ( i could see the inital config in device group and template). Version of the base config is 10.2.1 (as we need it for a pair of 5420s).

strange thing, one day after my post (I didn't change anything I could export more items (now I also have services, address and address-group objects, the VR and the zones) but still missing the interfaces which are unfortunately 250 vlan interfaces.

so device group is complete and template only missing the interfaces.

best regards,

Chris

lychiang · ‎05-23-2022

Here are the full workflow for your references:

1. Make sure you created a brand new template in Panorama before you retrieve the contents from Expedition, ex: create a new template called "migrationTP" and new device called "migrationDG", commit the config in panorama.

2. In Expedition -> device-> your panorama device -> Click on "Retrieve latest content"

3. Create a new project and import the config from device , this will be your only base config

4. Import the Checkpoint config , fixed all the invalid objects and duplicate objects, re-map the interfaces to PAN-OS config naming conventions.

5. In export tab, you will drag the interface, VR, zone from left to the right under the template "migrationTP", for objects and policy will drag from left to the new device group you created "migrationDG",then click on merge.

6. Export the xml out , search for the interfaces , make sure they are in the xml file before you load it onto panorama.

COsterbrink-LIS · ‎05-23-2022

Hi @lychiang

that's exactly the workflow I used.

In the export everything is availbale except the interface definitions.

the interfaces are referenced in the zones and the VR config correctly but they're missing in the xml and set export.

Meanwhile I did a workaround by exporting the Checkpoint interfaces on CLI and transform them via Notepad++ into set commands. Took me some time but now I can paste them successfully into the template in panorama.

To me it looks like a bug as everything is availabe and if you add another interface manually in the template of the base config in expedition it get's exported as well - only the migrated CP interfaces are missing.

BR

Chris

missing config parts on export

missing config parts on export

Show your appreciation!