06-21-2017 02:53 PM - edited 06-21-2017 02:53 PM
Hey all,
I use Panorama to manage our firewalls. At the time of our deployment we simply migrated the existing ASA configuration to the PAN firewalls to get them up and running as fast as possible. We would now like to migrate our service ports to App-ID. I found out how to do this during Ignite 2017 using the Migration Tool, but it was never very clear how Panorama fits into the mix.
I imported my Panorama configuration, which also listed all of my firewalls. Initially I tried just importing the configuration from a specific firewall, but the configuration never appears in the Migration Tool. So I've had to import the entire Panorama configuration to make any changes. I successfully migrated some service ports to applications in the tool. The issue I'm running into is getting this configuration to push to Panorama from the Migration Tool. I've tried the API push, but the rules that I edit never show up in the configuration that is available to push. I've tried figuring out the Base Configuration and Merging process, but I can never get Panorama to acknowledge the changes I have made to my security rules. I've also tried searching on here for any clue to a solution but can't seem to find anything.
Can anyone give me an idea on how to get this to work?
06-21-2017 04:02 PM
Hi @JDenton1
The easiest way to transform your policies into App-ID is to add your Panorama device to the Migration Tool device list.
Once you add your Panorama device, all managed devices will also be imported into the Migration Tool. After it is done, you then have to double-click the Panorama icon in the device list, and the Migration Tool will connect to it via API call and pull all the device groups with the associated policies. The policies you will see are the ones currently installed (committed) on your Panorama.
After this is done, you then need to create a Log Connector, which will read the logs from your Panorama, associate the apps with each policy, and do the App-Reconciliation.
With that complete, you need to go into the create output and select the "API Output Manager" and Generate an API Request, and then "Send API Requests" to the device.
Finally, you need to log on to Panorama and do a commit. The first commit goes to Panorama, and the second to the device group.
I had a problem similar to yours recently, where I had to re-create the project and re-add the device to the list in order to see the updated policies. Try that if the procedure I explained above does not work.
Let me know if it works.
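The procedure above ends with two commits, and the original problem was an API push whose changes never appeared. A practical check before committing is to pull the rule from Panorama's candidate configuration (what the Migration Tool's API push writes to) and compare it with the running configuration. The following script is an added example, not code from the thread or from Palo Alto Networks; it uses the documented PAN-OS XML API parameters (`type=config&action=show` for the running config, `action=get` for the candidate config, and `type=commit` for the two-stage commit) but runs offline against constructed sample responses. The hostname, API key, device-group name and the application/service members in the samples are placeholders.

```python
"""Verify that a Migration Tool API push reached Panorama's candidate config
before committing, then build the two commit requests the procedure needs.

Added example for the thread above; not Palo Alto Networks code. Host, key,
device group and the sample rule contents below are constructed placeholders.
"""
import urllib.parse
import xml.etree.ElementTree as ET

PANORAMA_HOST = "panorama.example.com"   # placeholder
API_KEY = "<api-key>"                    # placeholder; generate with type=keygen
DEVICE_GROUP = "Branch-Firewalls"        # placeholder device-group name
RULE_NAME = "ExacqVision-Allow"          # the rule discussed in the thread


def rule_xpath(device_group, rule_name, rulebase="pre-rulebase"):
    """XPath of a device-group security rule (pre- or post-rulebase)."""
    return ("/config/devices/entry[@name='localhost.localdomain']"
            f"/device-group/entry[@name='{device_group}']"
            f"/{rulebase}/security/rules/entry[@name='{rule_name}']")


def config_url(host, api_key, xpath, action):
    """action='show' reads the running (committed) config, 'get' the candidate."""
    query = urllib.parse.urlencode(
        {"type": "config", "action": action, "xpath": xpath, "key": api_key})
    return f"https://{host}/api/?{query}"


def commit_urls(host, api_key, device_group):
    """The two commits from the procedure: Panorama first, then the device group."""
    commit = urllib.parse.urlencode(
        {"type": "commit", "cmd": "<commit></commit>", "key": api_key})
    push = urllib.parse.urlencode(
        {"type": "commit", "action": "all",
         "cmd": ("<commit-all><shared-policy><device-group>"
                 f"<entry name=\"{device_group}\"/>"
                 "</device-group></shared-policy></commit-all>"),
         "key": api_key})
    return [f"https://{host}/api/?{commit}", f"https://{host}/api/?{push}"]


def _entry(rule_xml):
    """Locate the rule <entry> inside an API response (None if the rule is absent)."""
    root = ET.fromstring(rule_xml)
    return root if root.tag == "entry" else root.find(".//entry")


def rule_members(rule_xml, field):
    """Set of <member> values for a rule field such as 'application' or 'service'."""
    entry = _entry(rule_xml)
    if entry is None:
        return None
    node = entry.find(field)
    if node is None:
        return frozenset()
    return frozenset(m.text.strip() for m in node.findall("member") if m.text)


def diff_rule(running_xml, candidate_xml, fields=("application", "service")):
    """Return {field: (running_members, candidate_members)} for fields that differ.

    Raises if the rule is missing from the candidate config, which is exactly
    the symptom of a push that never happened.
    """
    if _entry(candidate_xml) is None:
        raise ValueError("rule missing from candidate config: nothing was pushed")
    changes = {}
    for field in fields:
        before = rule_members(running_xml, field) or frozenset()
        after = rule_members(candidate_xml, field)
        if before != after:
            changes[field] = (sorted(before), sorted(after))
    return changes


# Constructed sample responses: the running rule still matches on a custom
# service object, the candidate rule (after the push) uses App-ID instead.
RUNNING_XML = (
    '<response status="success"><result total-count="1" count="1">'
    '<entry name="ExacqVision-Allow">'
    '<application><member>any</member></application>'
    '<service><member>ExacqVision-TCP</member></service>'
    '</entry></result></response>')
CANDIDATE_XML = (
    '<response status="success"><result total-count="1" count="1">'
    '<entry name="ExacqVision-Allow">'
    '<application><member>web-browsing</member><member>ssl</member></application>'
    '<service><member>application-default</member></service>'
    '</entry></result></response>')
EMPTY_XML = '<response status="success" code="7"><result/></response>'

if __name__ == "__main__":
    xpath = rule_xpath(DEVICE_GROUP, RULE_NAME)
    print("running  :", config_url(PANORAMA_HOST, API_KEY, xpath, "show"))
    print("candidate:", config_url(PANORAMA_HOST, API_KEY, xpath, "get"))
    print("changes  :", diff_rule(RUNNING_XML, CANDIDATE_XML))
    for url in commit_urls(PANORAMA_HOST, API_KEY, DEVICE_GROUP):
        print("commit   :", url)
```

Run the two `config_url` requests against Panorama (with a trusted CA bundle, not certificate verification disabled) and feed the response bodies to `diff_rule`. An empty diff or a `ValueError` means the Migration Tool push did not land and committing would change nothing; only when the expected `application`/`service` change shows up should the two `commit_urls` requests be issued in order.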
06-22-2017 12:54 PM - edited 06-22-2017 01:01 PM
Hey @acc6d0b3610eec313831f7900fdbd235, thank you for the reply. So all the basics you mentioned I have done and set. The problem I run into is the API Requests generation and push. None of the changes I make to any of the rules I alter show after I Generate API Requests. In this specific example I have imported the Panorama configuration and altered rule ExacqVision-Allow to use applications instead of ports. I have completed App-ID reconciliation, but when I go to Generate API Requests the rule does not show in the list of pending changes; see the screenshot below:
If you look at the list of security rules in that screenshot from the Migration Tool, the rule I altered doesn't even appear. I've also made no changes to these rules, so I'm not sure how they've already been altered and ready to push via API.
I also attempted your trick of recreating the project, but it did not work. The rule ExacqVision-Allow remained unaltered from the original Panorama configuration, and I had to go through all the steps of App-ID reconciliation again.
Any ideas why the API push isn't showing my alteration?
06-22-2017 01:03 PM
Hi @JDenton1
When you say: "I have Imported the Panorama configuration" what do you mean?
I will assume that you have exported the Panorama configuration from your Panorama VM and then imported the XML into the Migration Tool. Is that correct?
If that's the case, then it will not work to generate the API call. All you need is to add the Panorama device to the device list and then double-click the Panorama object. This action will pull all your live Panorama rules into the Migration Tool, where you will be working on them.
06-22-2017 01:06 PM
@acc6d0b3610eec313831f7900fdbd235, apologies for the confusion. I did as you described above. In the Import Configuration tab I have the Panorama VM listed along with all my firewalls. To import my configuration I have double-clicked on the Panorama VM, and all of my configuration from each firewall is present on subsequent pages (Manage Policies, etc.).
06-22-2017 02:34 PM
I believe I've found a weird work around.
If you generate an API request in Sub Atomic mode versus Atomic mode, it will list all the security rules and other configuration. With this method, I scrolled down to the security rule section and looked for the rule(s) I altered, checked the configuration that is going to be pushed via API, and if it was accurate I selected it to be transmitted to Panorama. Here are the steps in order, since screenshotting this would be tough.
Thanks for the help with this @acc6d0b3610eec313831f7900fdbd235!
06-22-2017 06:40 PM
That's awesome. I am glad it worked out. Great job. 🙂