App-id and Migration Tool with Panorama

JDenton1
L1 Bithead


Hey all,

 

I use Panorama to manage our firewalls. At the time of our deployment we simply just migrated the existing ASA configuration to the PAN Firewalls to get them up and running as fast as possible. We would now like to migrate our service ports to App-ID. I found out how to do this during Ignite 2017 using the Migration Tool but it was never very clear on how Panorama fits into the mix.

 

I imported my Panorama configuration, which also listed all of my firewalls. Initially I tried just importing the configuration from a specific firewall, but the configuration never appears in the Migration Tool. So I've had to import the entire Panorama configuration to make any changes. I successfully migrated some service ports to applications in the tool. The issue I'm running into is getting this configuration to push to Panorama from the Migration Tool. I've tried the API push, but the rules that I edit never show up in the configuration that is available to push. I've tried figuring out the Base Configuration and Merging process, but I can never get Panorama to acknowledge the changes I have made to my security rules. I've also tried searching on here for any clue to a solution but can't seem to find anything.

 

Can anyone give me an idea on how to get this to work?


All Replies
Willian
L4 Transporter

Hi @JDenton1

 

The easiest way to transform your policies into App-ID is to add your Panorama device to the Migration Tool Device List.

 

Once you add your Panorama device, all managed devices will also be imported into the Migration Tool. After it is done, you then have to double click on the Panorama icon in the device list, and the Migration Tool will connect to it via API call and pull all the device groups with the associated policies. The policies you will see are the ones currently installed (committed) on your Panorama.

 

After this is done, you then need to create a Log Connector that will read the logs from your Panorama, associate the Apps to each policy, and do the App-Reconciliation.

 

With that complete, you need to go into the create output and select the "API Output Manager" and Generate an API Request, and then "Send API Requests" to the device.

 

Finally, you need to logon to Panorama, and do a commit. The first commit goes to Panorama, and the second to the device group.

 

I had a problem similar to yours recently, where I had to re-create the project and re-add the device to the list in order to see the updated policies. Try that if the procedure I explained before does not work.

 

Let me know if it works.

JDenton1
L1 Bithead

Hey @Willian, thank you for the reply. So all the basics you mentioned I have done and set. The problem I run into is the API Requests Generation and Push. None of the changes I make to any of the rules I alter show after I Generate API Requests. In this specific example I have imported the Panorama configuration and altered rule ExacqVision-Allow to use applications instead of ports. I have completed App-ID reconciliation, but when I go to Generate API Requests the rule does not show in the list of pending changes; see the screen shot below:

 

[Screenshot: PAN1.png]

 

If you look at the list of security rules in that screen shot from the Migration Tool, the rule I altered doesn't even appear. I've also made no changes to these rules, so I'm not sure how they've already been altered and ready to push via API.

 

I also attempted your trick of recreating the project, but it did not work. The rule ExacqVision-Allow remained unaltered from the original Panorama configuration, and I had to go through all the steps of App-ID reconciliation again.

 

Any ideas why the API push isn't showing my alteration?

Willian
L4 Transporter

Hi @JDenton1

 

When you say: "I have Imported the Panorama configuration" what do you mean?

I will assume, that you have exported the Panorama configuration from your Panorama VM, and then imported the XML into the migration tool. Is that correct?

 

If that's the case, then it will not work to generate the API call. All you need is to add the Panorama device into the device list, and then double click on the Panorama object. This action will pull all your live Panorama rules into the Migration Tool, where you will be working on them.

 

JDenton1
L1 Bithead

@Willian, apologies for the confusion. I did as you described below. In the Import Configuration tab I have the Panorama VM listed along with all my firewalls. To import my configuration I have double clicked on the Panorama VM, and all of my configuration from each firewall is present on subsequent pages (Manage Policies, etc.).

 


JDenton1
L1 Bithead

I believe I've found a weird work around.

 

If you generate an API request in Sub Atomic mode versus Atomic mode it will list all the security rules and other configuration. With this method, I scrolled down to the security rule section and looked for the rule(s) I altered. Checked the configuration that is going to be pushed via API and if it was accurate I selected it to be transmitted to Panorama. Here are the steps in order since screen shotting this would be tough.

 

  1. Make changes to the rule or item in the migration tool after following @Willian's advice about loading Panorama into the tool
  2. Head to the Create Output tab and click on API Output Manager on the left
  3. Select Panorama from the device selection on the bottom left
  4. Select SubAtomic
  5. Click Generate API Requests
  6. Find the rule(s) you altered. Double click on them once found to verify what changes are being pushed.
  7. If everything looks accurate, click the Send API Requests.
  8. Validate the configuration changes on Panorama and then Commit to Panorama
  9. Then Commit to the Device Group

 

Thanks for the help with this @Willian!

 

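Steps 8 and 9 of the work-around above (validate the change on Panorama, commit to Panorama, then commit to the device group) and the two-stage commit Willian describes earlier can also be driven from the PAN-OS XML API. The script below is an added example written for this thread; it is not code from the Migration Tool or from either poster. It assumes a device group called DG (placeholder), the rule name ExacqVision-Allow from the thread, an API key obtained separately, and a constructed sample `show` response standing in for what Panorama returns, so the check runs offline. The live commit calls only fire when a host, key and device group are passed on the command line.

```python
"""Pre-commit check plus two-stage Panorama commit via the PAN-OS XML API.
Added example for the thread; not the Migration Tool's own code."""
import sys
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample: a `type=config&action=show` response for a device-group
# pre-rulebase rule after it was rewritten from ports to App-ID. The rule name
# comes from the thread; zones, objects and applications are made up.
SAMPLE_RULE_XML = """<response status="success"><result>
<entry name="ExacqVision-Allow">
  <from><member>trust</member></from>
  <to><member>dmz</member></to>
  <source><member>any</member></source>
  <destination><member>exacq-server</member></destination>
  <application><member>ssl</member><member>web-browsing</member></application>
  <service><member>application-default</member></service>
  <action>allow</action>
</entry></result></response>"""

PANORAMA_LOCAL = "/config/devices/entry[@name='localhost.localdomain']"


def rule_xpath(device_group, rule_name, rulebase="pre-rulebase"):
    """XPath of a device-group security rule on Panorama (pre- or post-rulebase)."""
    return (f"{PANORAMA_LOCAL}/device-group/entry[@name='{device_group}']"
            f"/{rulebase}/security/rules/entry[@name='{rule_name}']")


def _members(entry, tag):
    return [m.text for m in entry.findall(f"./{tag}/member")]


def check_app_id_rule(show_xml):
    """Parse a `show` response and report whether the rule is really App-ID based.

    A migrated rule names applications (not 'any') and uses the
    'application-default' service so ports follow the application. Anything
    else means the Migration Tool change did not land and should not be committed.
    """
    root = ET.fromstring(show_xml)
    if root.get("status") != "success":
        raise ValueError("API returned status=%s" % root.get("status"))
    entry = root.find("./result/entry")
    if entry is None:
        raise ValueError("no rule at that xpath: nothing to validate")
    apps = _members(entry, "application")
    services = _members(entry, "service")
    findings = []
    if not apps or apps == ["any"]:
        findings.append("application is 'any': rule is still port based")
    if services != ["application-default"]:
        findings.append("service %r is not application-default" % services)
    return {"name": entry.get("name"), "applications": apps,
            "services": services, "uses_app_id": not findings,
            "findings": findings}


def commit_params(key):
    """Step 8: commit the candidate configuration on Panorama itself."""
    return {"type": "commit", "cmd": "<commit></commit>", "key": key}


def commit_all_params(key, device_group):
    """Step 9: push the committed configuration to one device group."""
    cmd = ("<commit-all><shared-policy><device-group>"
           f'<entry name="{device_group}"/></device-group>'
           "</shared-policy></commit-all>")
    return {"type": "commit", "action": "all", "cmd": cmd, "key": key}


def job_id(response_xml):
    """Commit responses carry a job id to poll until the job finishes."""
    return ET.fromstring(response_xml).findtext("./result/job")


def api_get(host, params, timeout=60):
    """One XML API request; only called when a live host is supplied."""
    url = "https://%s/api/?%s" % (host, urllib.parse.urlencode(params))
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    print(check_app_id_rule(SAMPLE_RULE_XML))          # offline demo
    if len(sys.argv) == 4:                             # host api-key device-group
        host, key, dg = sys.argv[1:]
        live = api_get(host, {"type": "config", "action": "show",
                              "xpath": rule_xpath(dg, "ExacqVision-Allow"),
                              "key": key})
        report = check_app_id_rule(live)
        if not report["uses_app_id"]:
            sys.exit("not committing: " + "; ".join(report["findings"]))
        print("panorama commit job", job_id(api_get(host, commit_params(key))))
        print("device-group push job", job_id(api_get(host, commit_all_params(key, dg))))
```

The check is the important part: it fails closed when the rule still has `application` set to `any`, which is exactly the symptom in the thread (the edit never reached Panorama), so the commit is not issued. In real use, poll the first commit job until it finishes before sending `commit-all`, since the device-group push only carries what the Panorama commit has already made current.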

Willian
L4 Transporter

@JDenton1

That's awesome. I am glad it worked out. Great job. :) 
