Palo Alto to Palo Alto expedition not generating XML - HELP

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Palo Alto to Palo Alto expedition not generating XML - HELP

L2 Linker

Hello there,

 

I imported the configuration of a PA-5050 to Expedition to make some changes till a new PA-3260 arrived to the office. I did the changes, and imported a new base config of the PA-3260. I migrated all network and device objects (policies, IPSec VPN, etc.) to the base config (PA-3260) and merged it "successfully". However,  when hitting the button "Generate XML & SET Output" it justs hangs in Generating Profiles vsys/dg:shared. See screenshot below:

Does not generate XML profileDoes not generate XML profile

Please advise as how to fix this, I need to migrate this on Wednesday! (only 1 day left). I have done a cisco ASA to Palo Alto migration without any problems... not sure why Palo Alto to Palo Alto will give me problems. 

 

Expedtion VM:  version 1.0.92

Best Practice version: 3.0.6

 

@alestevez Please advise.

You can contact me directly via email: erivera@cortelcopr.com

 

Regards,

Edwardo S. Rivera

7 REPLIES 7

L3 Networker

Try opening another browser and make sure the services are still running.

@bagherib Thanks for the reply.

 

What you mean by services? If you mean the status, is still on:

dashboards.png

 

 

Please help.. Also, the response pages does not want to export to the base config:

response pages not migrting.png

It does not let me to migrate the response pages and I need to.. they are being in use.

 

Correct, if "Status" was red, that means the Expedition services are not running, that happened once and it hung in the same spot as yours.  I re-started it and it worked the 2nd time.

Thanks, but I checked it and it looks fine.

 

@alestevez:

I upgrade to the latest version and now instead of just hanging, it logs me out of the platform GUI!

I also noticed, is the PA-3260  model supported by the Expedition VM? I dont see listed it, no rthe PAN-OS 8.1 version which the PA-3260 comes from by default from Palo Alto.PA 3260 not in expedition.PNG 

Please advise as I dont have any more type of troubleshooting at my disposal right now... 

something is breaking the generation of the xml so we need to see the output from the command

 

sudo tail -100 /tmp/error

Here is the log:

 

expedition@Expedition:~$ sudo tail -100 /tmp/error
[sudo] password for expedition:
                [6]=>
                string(3) "exe"
                [7]=>
                string(5) "flash"
                [8]=>
                string(3) "hlp"
                [9]=>
                string(3) "hta"
                [10]=>
                string(3) "msi"
                [11]=>
                string(20) "Multi-Level-Encoding"
                [12]=>
                string(3) "ocx"
                [13]=>
                string(3) "pif"
                [14]=>
                string(3) "rar"
                [15]=>
                string(3) "scr"
                [16]=>
                string(3) "tar"
                [17]=>
                string(7) "torrent"
                [18]=>
                string(3) "vbe"
                [19]=>
                string(3) "wsf"
              }
            }
            ["direction"]=>
            string(4) "both"
            ["action"]=>
            string(5) "block"
          }
          [1]=>
          object(SimpleXMLElement)#108 (5) {
            ["@attributes"]=>
            array(1) {
              ["name"]=>
              string(31) "Continue prompt encrypted files"
            }
            ["application"]=>
            object(SimpleXMLElement)#74 (1) {
              ["member"]=>
              string(3) "any"
            }
            ["file-type"]=>
            object(SimpleXMLElement)#107 (1) {
              ["member"]=>
              array(2) {
                [0]=>
                string(13) "encrypted-rar"
                [1]=>
                string(13) "encrypted-zip"
              }
            }
            ["direction"]=>
            string(4) "both"
            ["action"]=>
            string(8) "continue"
          }
          [2]=>
          object(SimpleXMLElement)#100 (5) {
            ["@attributes"]=>
            array(1) {
              ["name"]=>
              string(24) "Log all other file types"
            }
            ["application"]=>
            object(SimpleXMLElement)#107 (1) {
              ["member"]=>
              string(3) "any"
            }
            ["file-type"]=>
            object(SimpleXMLElement)#74 (1) {
              ["member"]=>
              string(3) "any"
            }
            ["direction"]=>
            string(4) "both"
            ["action"]=>
            string(5) "alert"
          }
        }
      }
      ["description"]=>
      string(94) "strict - change as needed. zip and rar allowed with continue. allow PE and .cab for ms-updates"
    }
  }
}
bool(false)

Fatal error: Uncaught Exception: Wrong type of input parameters, expected SimpleXMLElement key:value: in /var/www/html/libs/xmlapi.php:1746
Stack trace:
#0 /var/www/html/libs/common/xml/panosxml.php(1458): SimpleXMLElement_append(Object(SimpleXMLElement), false)
#1 /var/www/html/bin/configurations/output/output_function.php(274): xml_profiles(Object(SimpleXMLElement), Array, Array)
#2 /var/www/html/bin/configurations/output/output_function.php(25): generate_xml(Array, '4')
#3 {main}
  thrown in /var/www/html/libs/xmlapi.php on line 1746

I am able to generate a snapshot with only best practice remediation, but not with the remap of interfaces nor the security profiles. I will try just doinf the remap since based on the error looks like something is wrong with the profiles.

Hello Edwardo,

 

Were you able to resolve this issue? I'm experiencing the same thing today. I've restarted the service, restarted the VM and tried looking at the same logs, but nothing is standing out. 

 

Thank you,

  • 7867 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!