06-04-2018 08:06 AM
Customer has tons of shared Address Objects in Panorama that are used in some panorama rules but also some of these objects are being used in local FW rules. They want to clean up the unused shared objects in Panorama and not push all of these objects to firewalls because they are hitting the address object limits.
Can Expedition correlate what is in Panorama and what is being used locally on the firewall, and remove unused shared objects to clean it all up?
Larry
06-04-2018 10:46 AM - edited 06-04-2018 10:46 AM
My recommendation is to migrate everything to Panorama and centrally manage everything.
In Panorama you are able to stop it from pushing addresses that are not locally in use from the local firewall, which may help mitigate this issue you are having.
From the Panorama admin guide: "Clear the Share Unused Address and Service Objects with Devices check box to push only the shared objects that rules reference, or select the check box to re-enable pushing all shared objects"
Additionally,
Expedition, like previous versions, is capable of removing unallocated objects by going to the 'objects' and clicking the red dot at the bottom right (in Expedition it may be in the middle in MT3 if I recall correctly).
06-04-2018 02:22 PM
Thanks @ajr0. The customer is looking to migrate all the local rules to Panorama, but that is a huge project that will not start for another month or two. Meanwhile they are trying to push Panorama rules/objects to the firewall and getting a commit failure because they exceeded the object count. In my lab, Panorama 8.1.1 does not understand that the object pushing down to the firewall is being used by a locally created rule on the FW. At least with 8.1.1 that is the behavior.
If Expedition can do it, then I would recommend that path to the customer.
Larry
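
The correlation asked about in this thread, sketched as an added example (not code from the thread, and not how Expedition or Panorama do it): it lists shared address objects that neither a Panorama rule nor a locally created firewall rule references. The two configs are constructed and trimmed, the function names are hypothetical, and only rule source/destination fields and static shared address groups are checked, so other references (for example NAT translations) would need the same treatment.

```python
import xml.etree.ElementTree as ET

# Constructed, trimmed configs in the PAN-OS XML layout (not real exports).
PANORAMA_XML = """<config><shared>
  <address>
    <entry name="web-srv"/><entry name="db-srv"/>
    <entry name="legacy-ftp"/><entry name="old-printer"/>
  </address>
  <address-group>
    <entry name="app-tier"><static><member>db-srv</member></static></entry>
  </address-group>
</shared>
<devices><entry name="localhost.localdomain"><device-group><entry name="DG1">
  <pre-rulebase><security><rules>
    <entry name="allow-web"><source><member>any</member></source>
      <destination><member>web-srv</member></destination></entry>
    <entry name="allow-app"><source><member>web-srv</member></source>
      <destination><member>app-tier</member></destination></entry>
  </rules></security></pre-rulebase>
</entry></device-group></entry></devices></config>"""

FIREWALL_XML = """<config><devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
  <rulebase><security><rules>
    <entry name="local-ftp"><source><member>any</member></source>
      <destination><member>legacy-ftp</member></destination></entry>
  </rules></security></rulebase>
</entry></vsys></entry></devices></config>"""

def rule_refs(root):
    """Names used as source or destination in any rulebase of one config."""
    return {m.text for rules in root.iter("rules") for field in ("source", "destination")
            for m in rules.findall(f"entry/{field}/member")}

def unused_shared(panorama_xml, firewall_xmls):
    """Shared address objects referenced by no Panorama rule and no local firewall rule."""
    pano = ET.fromstring(panorama_xml)
    shared = {e.get("name") for e in pano.findall("shared/address/entry")}
    groups = {g.get("name"): [m.text for m in g.findall("static/member")]
              for g in pano.findall("shared/address-group/entry")}
    todo = list(rule_refs(pano))
    for fw in firewall_xmls:
        todo += rule_refs(ET.fromstring(fw))
    used = set()
    while todo:  # expand referenced group names to their member objects
        name = todo.pop()
        if name not in used:
            used.add(name)
            todo += groups.get(name, [])
    return sorted(shared - used)
```

With the firewall config left out, `legacy-ftp` is reported as unused even though the local rule `local-ftp` depends on it, which is the gap described in the post above.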