missing config parts on export

COsterbrink-LIS · ‎05-19-2022

hey,

I migrated a CP81 config and merged it with the PAN base config.

In expedition everything looks fine and everyhting is in place where I would expect it.

when I generate the config for export and download it, I'm missing all interfaces, zones, the address and group objects and service objects in the output (both in XML and set output). In the output I'm only seeing the imported PAN base config and the virtual router and all Security and NAT rules.

so, I have only a part of the device group and a part of the template config in the export.

any ideas how to get this fixed?

best regards,

Chris

lychiang · ‎05-20-2022

Hi @COsterbrink-LIS

Few things to check:

1. Which PAN-OS base config you use, is it a panorama base config , if you are migrated to merge with a existing panorama config, you will need to create a new device group and template in panorama and download the config from panorama

2. Interface in checkpoint config needs to be re-mapped to PAN-OS naming conventions before merge the config

3. When merge the config , you will drag the objects from left panel to right panel accordingly. Refer screenshot below:

COsterbrink-LIS · ‎05-23-2022

Hi @lychiang

thanks for your response!

point 2 and 3 are clear and be not an issue.

regarding point 1 - I added panorama to Expedition and loaded the devices over panorama.

in the project settings I added the two new devices I want to migrate the config to. In the project I loaded the config from one of the devices as base config. that also worked successfully ( i could see the inital config in device group and template). Version of the base config is 10.2.1 (as we need it for a pair of 5420s).

strange thing, one day after my post (I didn't change anything I could export more items (now I also have services, address and address-group objects, the VR and the zones) but still missing the interfaces which are unfortunately 250 vlan interfaces.

so device group is complete and template only missing the interfaces.

best regards,

Chris

lychiang · ‎05-23-2022

Here are the full workflow for your references:

1. Make sure you created a brand new template in Panorama before you retrieve the contents from Expedition, ex: create a new template called "migrationTP" and new device called "migrationDG", commit the config in panorama.

2. In Expedition -> device-> your panorama device -> Click on "Retrieve latest content"

3. Create a new project and import the config from device , this will be your only base config

4. Import the Checkpoint config , fixed all the invalid objects and duplicate objects, re-map the interfaces to PAN-OS config naming conventions.

5. In export tab, you will drag the interface, VR, zone from left to the right under the template "migrationTP", for objects and policy will drag from left to the new device group you created "migrationDG",then click on merge.

6. Export the xml out , search for the interfaces , make sure they are in the xml file before you load it onto panorama.

COsterbrink-LIS · ‎05-23-2022

Hi @lychiang

that's exactly the workflow I used.

In the export everything is availbale except the interface definitions.

the interfaces are referenced in the zones and the VR config correctly but they're missing in the xml and set export.

Meanwhile I did a workaround by exporting the Checkpoint interfaces on CLI and transform them via Notepad++ into set commands. Took me some time but now I can paste them successfully into the template in panorama.

To me it looks like a bug as everything is availabe and if you add another interface manually in the template of the base config in expedition it get's exported as well - only the migrated CP interfaces are missing.

BR

Chris

COsterbrink-LIS · ‎05-27-2022

while working further I also recognized that the routes are missing in ther VR and that the tags are missing as well.

for the missing templates parts a did a manual workaround and build my own set commands and the tags could be exported from Expedition as CSV and I transformed them to set commands too.

I commited this config to Panorama and the Device-Group and then imported this config again to a new project into Expedtion to use it as the base config so I don't have to redo this work everytime again and just need to merge the CP config to it.

the final exproted could be imported successful as xml config file to panorama and gave no validation erros.

turned out there was still missing elements from the device-group part of config. Some service-groups were empty and also some address-groups. No idea why, but could be added via CLI quite quickly.

but still leaves you with a feeling that the output might lack parts of the config

lychiang · ‎06-15-2022

one thing to check is the version of expedition, please use the latest version v1.2.23 if you are using the legacy VM, it is out of date and most likely you will run into issue like this

missing config parts on export

missing config parts on export

Show your appreciation!