11-28-2021 06:02 PM
Hi
I have converted all objects to Shared and this picture illustrates what I think is the correct mappings of each element. Please confirm/correct as necessary. Thanks!
11-28-2021 09:01 PM
Well, I tried that and I don't think it's working correctly.
I guess I need step-by-step assistance on what to do from that pre-merge screenshot. While I did have a pretty lengthy thread on all of the problems I had with an ASA conversion last year, that thread isn't helping me here. Nothing is working as expected.
Actually, perhaps starting at the beginning would help - do I only choose Panorama or do I also select the target firewall cluster? That point wasn't covered in the ASA video series as it was firewall to firewall with no Panorama.
Was I correct in converting all objects to Shared?
11-29-2021 08:33 AM
Hello @justamoment
I am not sure how a object can be shared in the SRX platform but you would need to first migrate over the objects into the Panorama device and merge it then convert it to shared since that is what we use on our end. I think you may have first made it shared within the SRX environment then tried to merge it which will not work.
11-29-2021 08:40 AM - edited 11-29-2021 08:43 AM
Ok. I have lots of snapshots pre-merge so let me check for that.
Do I have the mappings correct in the screenshot except for the Objects? If the Objects are wrong (shouldn't go to shared), where do I put them? The new cluster's DG?
Also, while the SRX doesn't do Global rules (zone-less), it does have what are called Global objects but I don't know if that's the same thing as PAN's Shared objects (all of our SRX objects are Global).
11-29-2021 10:08 AM
Hello @justamoment
That is fine you should be able to just dump them into the shared section with no problems unless you were planning on not having them become a shared object.
11-29-2021 10:10 AM
Oh, I definitely want them to be Shared objects - all of our objects are Shared. Do I drop them as in the Shared in the DG section as indicated in the screenshot?
11-30-2021 10:53 AM
At some point, my objects became a mix of vsys & shared. Below is the Export page and a snippet of address objects showing vsys vs. shared:
So, how do I map those? Like this:
Or do I need to go back to an old snapshot (from 2 days ago 😕 ) from before shared appeared?
11-30-2021 11:30 AM
You could always just migrate them over into the Panorama side then select them and convert to shared as an option, they show vsys now but if you right click and hit convert to shared it should move it to shared after exporting them to the panorama configuration.
11-30-2021 01:26 PM
I think I've figured out when the Address Objects get jumbled from all vsys to 1568 shared. What's also strange is if I "filter" on vsys1 it shows all of them where shared only shows the ones showing shared.
What I found is that the Address Objects changed after I merged the duplicate Address Groups.
Should I just not clean anything up except invalids, merge configs, and then cleanup the duplicates? Or maybe, only cleanup the duplicates that don't cause the change to shared?
11-30-2021 02:48 PM
Hello @justamoment
If you have a duplicate in the shared and vsys1 and you merge them then the shared should always take priority within that merge, so if you are cleaning it up that way you will accomplish what you would like to accomplish if the environment exist like that right now.
11-30-2021 03:20 PM
That makes sense - I just wasn't expecting changing groups to affect address objects.
11-30-2021 03:31 PM
So do I have the mappings correct with a mix of shared & vsys objects in my last screenshot?
11-30-2021 03:49 PM
Yes that looks accurate to me if I understand what you are doing.
11-30-2021 04:03 PM
I think the Network section is pretty self-explanatory.
1) Left | Shared | Objects to Right | DG | shared (created by cleaning up duplicates)
2) Left | Objects and Left | Policies to Right | DG | CORE-FW1
3) Left | Zones (or vsys1 + zones) to Right | Template | CORE-FW1 | Device | vsys1
Alternately, as mentioned above, I could just not cleanup the object duplicates to avoid the conversion to shared and clean them up post-export-merge.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
