Customer has tons of shared Address Objects in Panorama that are used in some Panorama rules, but some of these objects are also being used in local FW rules. They want to clean up the unused shared objects in Panorama and not push all of these objects to firewalls, because they are hitting the address object limits.
Can Expedition correlate what is in Panorama with what is being used locally on the firewall, and remove the unused shared objects to clean it all up?
My recommendation is to migrate everything to Panorama and centrally manage everything.
In Panorama you are able to stop it from pushing addresses that are not locally in use on the local firewall, which may help mitigate this issue you are having.
From the Panorama admin guide: "Clear the Share Unused Address and Service Objects with Devices check box to push only the shared objects that rules reference, or select the check box to re-enable pushing all shared objects."
Expedition, like previous versions, is capable of removing unallocated objects by going to 'Objects' and clicking the red dot at the bottom right (in Expedition it may be in the middle, in MT3, if I recall correctly).
Thanks @ajr13. The customer is looking to migrate all the local rules to Panorama, but that is a huge project that will not start for another month or two; meanwhile they are trying to push Panorama rules/objects to the firewall and getting a commit failure because they exceeded the object count. In my lab, Panorama 8.1.1 does not understand that the object pushed down to the firewall is being used by a locally created rule on the FW. At least with 8.1.1 that is the behavior.
If Expedition can do it, then I would recommend that path to the customer.
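The correlation the question asks for (which shared objects are referenced by Panorama rules, which only by local firewall rules, and which by nothing at all) can be scripted directly from exported configs, which also covers the follow-up's point that Panorama does not see local-rule references. The script below is an added example written for this thread; it is not Expedition's code, not Panorama's API, and not from any poster. It assumes PAN-OS-style config XML exported from Panorama (shared address objects under `shared/address`, rules under a device group's `pre-rulebase`) and from each firewall (local rules under `vsys/.../rulebase`), and the XML documents, object names and addresses are constructed for illustration. It only inspects security-rule source/destination members and static address-group membership, so treat its output as a candidate list to review before deleting anything; objects referenced from NAT rules, policy-based forwarding or other places would still show up as unused here.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a Panorama config export: four shared address objects,
# one shared static address group, and one device-group pre-rule.
PANORAMA_XML = """<config>
  <shared>
    <address>
      <entry name="web-srv-01"><ip-netmask>10.1.1.10/32</ip-netmask></entry>
      <entry name="db-srv-01"><ip-netmask>10.1.2.20/32</ip-netmask></entry>
      <entry name="legacy-host"><ip-netmask>10.9.9.9/32</ip-netmask></entry>
      <entry name="orphan-host"><ip-netmask>10.9.9.10/32</ip-netmask></entry>
    </address>
    <address-group>
      <entry name="grp-web"><static><member>web-srv-01</member></static></entry>
    </address-group>
  </shared>
  <devices><entry name="localhost.localdomain"><device-group>
    <entry name="dg-branch"><pre-rulebase><security><rules>
      <entry name="allow-web">
        <source><member>any</member></source>
        <destination><member>grp-web</member></destination>
      </entry>
    </rules></security></pre-rulebase></entry>
  </device-group></entry></devices>
</config>"""

# Constructed sample of a firewall's own config: a locally created rule that
# references a shared object Panorama has no rule for (the case in the thread).
FIREWALL_XML = """<config>
  <devices><entry name="localhost.localdomain"><vsys>
    <entry name="vsys1"><rulebase><security><rules>
      <entry name="local-db-access">
        <source><member>10.1.1.0/24</member></source>
        <destination><member>db-srv-01</member></destination>
      </entry>
    </rules></security></rulebase></entry>
  </vsys></entry></devices>
</config>"""


def shared_address_names(panorama_xml):
    """Names of every shared address object defined in the Panorama export."""
    root = ET.fromstring(panorama_xml)
    return {e.get("name") for e in root.findall("./shared/address/entry")}


def referenced_members(config_xml):
    """Every name referenced from security-rule source/destination fields and
    from static address-group membership, anywhere in the given config."""
    root = ET.fromstring(config_xml)
    refs = set()
    for rules in root.iter("rules"):
        for rule in rules.findall("entry"):
            for field in ("source", "destination"):
                node = rule.find(field)
                if node is not None:
                    refs.update(m.text.strip() for m in node.findall("member") if m.text)
    # A shared object that sits inside a group counts as referenced (conservative).
    for groups in root.iter("address-group"):
        for grp in groups.findall("entry"):
            refs.update(m.text.strip() for m in grp.findall("static/member") if m.text)
    return refs


def classify_shared_objects(panorama_xml, firewall_xmls):
    """Split shared objects into: referenced by Panorama rules/groups, referenced
    only by local firewall rules, and referenced by nothing we can see."""
    shared = shared_address_names(panorama_xml)
    used_in_panorama = referenced_members(panorama_xml)
    used_locally = set()
    for fw_xml in firewall_xmls:
        used_locally |= referenced_members(fw_xml)
    return {
        "used_in_panorama": sorted(shared & used_in_panorama),
        "used_only_locally": sorted((shared & used_locally) - used_in_panorama),
        "unused_everywhere": sorted(shared - used_in_panorama - used_locally),
    }


if __name__ == "__main__":
    for bucket, names in classify_shared_objects(PANORAMA_XML, [FIREWALL_XML]).items():
        print(f"{bucket}: {names}")
```

The `used_only_locally` bucket is the set the thread is worried about: objects that must keep being pushed even though no Panorama rule references them. The `unused_everywhere` bucket is the safe deletion candidate list, once you have confirmed that every firewall's config was included and that no other policy type references those names.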