04-03-2019 05:24 AM
I have ended up in a bit of an odd situation with an undesirable result 😕
In the process of importing CSV's from an unsupported source, I have ended up importing an entire rulebase into the "shared" VSYS of a standalone base firewall config. This might be OK for objects, or a rulebase in Panorama, but not a valid config for a standalone device.
To make matters worse, I have augmented the policy with a ton of new rules from a design document - mostly manual work. Many hours have gone into this and it's now ready to export to the target gateway.
Only one thing - there is no shared policy in the export (I guess because it's not a valid thing).
The policy can still be editied in config.xml -> shared, all I need is to move the rules to vsys1 or get them in the exported xml. I don't have time to build this rulebase again.
Help me @alestevez, you're my only hope!
04-03-2019 08:57 AM
you are right, you could cut the policy from shared and paste into the rulebase under vsys1 and that's it 🙂 Only check to do if there is a rulename duplicated after the paste 🙂
04-03-2019 04:05 PM
Thanks @alestevez ! Unfortunately I am unable to cut and paste the rulebase in Expedition - ctrl-c / ctrl-v doesn't seem to work and there's no cut/paste in the rule context menus.
The Move button would be great if it supported move to a different rulebase like Panorama but it doesn't have the option.
Any other ideas?
04-03-2019 11:38 PM
Unless there is a bug in the version you are using, not sure how your security rules were imported to 'shared' as choosing that option will not import into the target config.
Per the attached screenshot you need to choose from the available vsys to import the security policies into.
Can you post a screenshot showing the security policies were added to shared?
04-04-2019 12:51 AM
I'm running expedition-beta/unknown 1.1.11 amd64
I can replicate in an entirely new project, importing a VA base config (it can only have one vsys 🙂 )
It has existing rules in vsys1, but we'll demonstrate by importing a simple CSV into the shared vsys:
04-04-2019 02:15 AM
what you can do is reimport the security policies but choose 'vsys 1' as your target.
If you see those security policies in vsys 1, Then go back into the configuration and delete the rules listed in 'Shared'
04-04-2019 02:53 AM
I was trying to avoid that 🙂
A good chunk of my rules were hand-rolled in Expedition, stupidly evolving this unusable policy.
I need a way to export these orphaned shared rules, if there was a way to move them from shared to vsys1. We can do the reverse (convert a rule in vsys1 to shared) but not the other way around.
04-04-2019 03:10 AM
Looking into it, will get back to you in a few mins
04-04-2019 03:57 AM - edited 04-04-2019 04:28 AM
here's one option you can try:
Filter the display to display only the 'Shared' policies (bottom right hand selection choose 'Shared')
Choose 'Export to Excel' in the upper right hand corner menu
After opening in excel, save the file to CSV format and reimport (using the import CSV option) into vsys1
You will need to edit the CSV file and replace the commas with semi-colons which are the separators used by the CSV import
This will include any changes you had made to those security policies. You will also have to perform those same steps to any objects (Address, groups, services groups) that were moved into shared.
04-04-2019 04:40 AM
Thanks for the tip sjanita!
Looks like this is my only option, although the individual cells have carriage returns for multiple entries. I'm sure with a bit of NP++-fu I can whip this into shape 🙂
04-07-2019 10:49 PM
@alestevez I'm considering trying to do this in the DB instead, if there's a way I can dump the table that contains the invalid 'shared' polciy and import it into the vsys1 table?
Any hints? 🙂
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!