I migrated a CP81 config and merged it with the PAN base config.
In Expedition everything looks fine and everything is in place where I would expect it.
When I generate the config for export and download it, I'm missing all interfaces, zones, the address and group objects and service objects in the output (both in XML and set output). In the output I'm only seeing the imported PAN base config and the virtual router and all Security and NAT rules.
So, I have only a part of the device group and a part of the template config in the export.
Any ideas how to get this fixed?
Few things to check:
1. Which PAN-OS base config do you use? Is it a Panorama base config? If you are migrating to merge with an existing Panorama config, you will need to create a new device group and template in Panorama and download the config from Panorama.
2. Interfaces in the Checkpoint config need to be re-mapped to PAN-OS naming conventions before merging the config.
3. When merging the config, you will drag the objects from the left panel to the right panel accordingly. Refer to the screenshot below:
Thanks for your response!
Points 2 and 3 are clear and are not an issue.
Regarding point 1 - I added Panorama to Expedition and loaded the devices over Panorama.
In the project settings I added the two new devices I want to migrate the config to. In the project I loaded the config from one of the devices as base config. That also worked successfully (I could see the initial config in device group and template). Version of the base config is 10.2.1 (as we need it for a pair of 5420s).
Strange thing: one day after my post (I didn't change anything) I could export more items (now I also have services, address and address-group objects, the VR and the zones), but I'm still missing the interfaces, which are unfortunately 250 VLAN interfaces.
So the device group is complete and the template is only missing the interfaces.
Here is the full workflow for your reference:
1. Make sure you created a brand new template in Panorama before you retrieve the contents from Expedition, e.g. create a new template called "migrationTP" and new device called "migrationDG", and commit the config in Panorama.
2. In Expedition -> device -> your Panorama device -> click on "Retrieve latest content".
3. Create a new project and import the config from the device; this will be your only base config.
4. Import the Checkpoint config, fix all the invalid objects and duplicate objects, and re-map the interfaces to PAN-OS config naming conventions.
5. In the export tab, drag the interface, VR and zone from left to right under the template "migrationTP"; objects and policy are dragged from the left to the new device group you created, "migrationDG". Then click on merge.
6. Export the XML, search for the interfaces, and make sure they are in the XML file before you load it onto Panorama.
That's exactly the workflow I used.
In the export everything is available except the interface definitions.
The interfaces are referenced in the zones and the VR config correctly, but they're missing in the XML and set export.
Meanwhile I did a workaround by exporting the Checkpoint interfaces on the CLI and transforming them via Notepad++ into set commands. Took me some time, but now I can paste them successfully into the template in Panorama.
To me it looks like a bug, as everything is available, and if you add another interface manually in the template of the base config in Expedition it gets exported as well - only the migrated CP interfaces are missing.
While working further I also recognized that the routes are missing in the VR and that the tags are missing as well.
For the missing template parts I did a manual workaround and built my own set commands, and the tags could be exported from Expedition as CSV and I transformed them to set commands too.
I committed this config to Panorama and the Device-Group and then imported this config again to a new project in Expedition to use it as the base config, so I don't have to redo this work every time and just need to merge the CP config to it.
The final export could be imported successfully as an XML config file to Panorama and gave no validation errors.
Turned out there were still missing elements from the device-group part of the config. Some service-groups were empty and also some address-groups. No idea why, but they could be added via CLI quite quickly.
But it still leaves you with a feeling that the output might lack parts of the config.
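
The check from step 6 of the workflow and the empty groups reported in the last post can be automated before loading the export onto Panorama. The script below is an added example, not part of the thread and not an Expedition or Palo Alto tool; it assumes the usual PAN-OS XML layout (`network/interface`, `zone/entry/network`, `virtual-router/entry/interface`, `address-group`, `service-group`), and the sample XML and the function name `audit_export` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample mimicking a Panorama export: the zone and virtual router
# reference vlan.20, but only vlan.10 is defined in the template.
SAMPLE = """<config><devices><entry name="localhost.localdomain">
<template><entry name="migrationTP"><config><devices><entry name="localhost.localdomain">
 <network>
  <interface><vlan><units><entry name="vlan.10"/></units></vlan></interface>
  <virtual-router><entry name="default"><interface>
   <member>vlan.10</member><member>vlan.20</member></interface></entry></virtual-router>
 </network>
 <vsys><entry name="vsys1"><zone><entry name="inside"><network><layer3>
   <member>vlan.10</member><member>vlan.20</member></layer3></network></entry></zone></entry></vsys>
</entry></devices></config></entry></template>
<device-group><entry name="migrationDG">
 <address-group><entry name="grp-ok"><static><member>host-a</member></static></entry>
  <entry name="grp-empty"><static/></entry></address-group>
 <service-group><entry name="svc-empty"><members/></entry></service-group>
</entry></device-group>
</entry></devices></config>"""

def audit_export(xml_text):
    """Return (missing, empty): interfaces referenced but not defined, and empty groups."""
    root = ET.fromstring(xml_text)
    defined = set()
    for ifc in root.findall(".//network/interface"):
        # Every <entry name=...> below network/interface is a defined (sub)interface.
        defined.update(e.get("name") for e in ifc.iter("entry"))
        defined.update(c.tag for c in ifc)  # base "vlan"/"loopback"/"tunnel" have no entry
    refs = {}  # interface name -> set of places that reference it
    for zone in root.findall(".//zone/entry"):
        for m in zone.findall("./network/*/member"):
            refs.setdefault((m.text or "").strip(), set()).add("zone " + zone.get("name"))
    for vr in root.findall(".//network/virtual-router/entry"):
        for m in vr.findall("./interface/member"):
            refs.setdefault((m.text or "").strip(), set()).add("virtual-router " + vr.get("name"))
    missing = {n: sorted(w) for n, w in refs.items() if n not in defined}
    empty = [f"{kind} {g.get('name')}"
             for kind, member in (("address-group", "static/member"), ("service-group", "members/member"))
             for g in root.findall(f".//{kind}/entry")
             if g.find(member) is None and g.find("dynamic/filter") is None]
    return missing, sorted(empty)

if __name__ == "__main__":
    missing, empty = audit_export(SAMPLE)
    for name, where in sorted(missing.items()):
        print(f"MISSING interface {name}: referenced by {', '.join(where)}")
    for group in empty:
        print(f"EMPTY {group}")
```

To run it against a real export, pass the file's contents to `audit_export` instead of `SAMPLE`; a non-empty result means the export should not be loaded as is.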