08-07-2012 11:52 AM
Hi,
We already have a PA appliance installed.
We bought Panorama 1 month later, mainly because we want to keep logs for a long time, like 2 years of logs.
So we just want to manage the rule set of the PA with Panorama, and get all the logs.
The first step I am trying to do is an export/import of the PA to Panorama.
Is there a clear example of how to do that?
For now I have only found documentation giving general information about the process, but it doesn't show detailed information on how to import/export objects and rule sets from a PA to Panorama.
Maybe there is a Migration Tool that can do this for me?
It's mainly just one rule set that I want to import/export to Panorama. Or maybe I will have to redo all those rules manually in Panorama?
08-07-2012 04:53 PM
Denis,
This document has the required scripts that can help you migrate your config from a standalone PAN to Panorama.
https://live.paloaltonetworks.com/docs/DOC-1911
Thanks,
Sri Darapuneni
08-09-2012 06:57 AM
Hi Sri,
I am new to Palo Alto, but I know Linux and/or Unix well, and I know firewalls like ASA and Checkpoint.
So here is my question about installing those scripts and making them work. I have read the doc, but I need some more information, especially where to install those Perl packages and scripts.
I have to install: dev2rama-20110815.tar.gz (3.3 K) and PAN-perl-20110828.tar.gz (35.6 K)
Do I install this directly on the PA-2050 appliance? Or do I have to use a Linux box?
08-09-2012 09:01 AM
Hi, another question:
I have installed dev2rama on a Linux box. (I still need an answer to my previous message.)
I need to understand how to create the api_key.
I need to give that information in the command:
./show.sh ../templates/dev2rama/ 10.X.Y.Z api_key
I have searched the knowledge base, and also the Palo Alto unit GUI. For now I didn't find how to generate the api_key.
Thanks!
08-09-2012 10:39 AM
OK, I think I have found how to generate the api_key:
http://blog.rootshell.be/2012/03/28/are-you-making-the-most-of-your-security-tools/
I have run this on my Linux CentOS box (not on Panorama or the PA-2050):
So I suppose I have to install the Perl pack and dev tools on Panorama?
When I ran this, I got 403 access denied error messages:
[root@XYZ bin]# ./show.sh ../templates/dev2rama/ 10.X.Y.Z The_api_key_generated
../templates/dev2rama//show/01_address.xpath
Executing: panxapi -rsx "devices/entry/vsys/entry[@name='vsys1']/address"
show: User not authorized to perform this operation. status="error" code="403"
../templates/dev2rama//show/02_address-group.xpath
Executing: panxapi -rsx "devices/entry/vsys/entry[@name='vsys1']/address-group"
show: User not authorized to perform this operation. status="error" code="403"
../templates/dev2rama//show/03_service.xpath
Executing: panxapi -rsx "devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/service"
show: User not authorized to perform this operation. status="error" code="403"
08-09-2012 11:01 AM
On 4.1 you may need to run panxapi -k multiple times to get a key which is not url encoded. The history behind this is the XML API documentation does not state the key is returned encoded if encoding is needed and panxapi relies on LWP to do the encoding which will encode % for POST, which can result in double encoding if previously encoded.
So run panxapi until the key does not contain percent:
$ panxapi -h 172.29.9.121 -kl admin:admin
keygen: success
API key: "PjA4A1Q2RZrxNcHCnh6PDOHc53F4elJ/%2Bjhg16a8GO0="
This key won't work.
$ panxapi -h 172.29.9.121 -kl admin:admin
keygen: success
API key: "Q8acmLknUVOFt5dXq2LjTfZ8GoyTOZ1UoFPsa7nMIzY="
This key will work.
Also, the latest version of PAN-perl is PAN-perl-20120107.
08-09-2012 11:50 AM
Thanks Kevin for the help. Yeah, indeed I have installed the latest PAN-perl:
But I finally did more reading of the PAN API doc:
The problem was in the password of the admin account I use. I was using a special char in the password.
You can read in the API doc: "Any special characters in the password must be URL/percent-encoded."
So I created a new admin, with no_special_char in it. Then I re-used the URL to regenerate the api_key.
Bingo, dev2rama works well now.
I just have to try the rest: getting those rules into Panorama.
==> Just a side note for those using a CentOS Linux box:
When installing PAN perl pack v.20120107:
- you need perl (yum install perl)
then libs:
# yum install perl-Net-SSLeay
# yum install perl-Crypt-SSLeay
(those differ from Ubuntu)
and
# yum install perl-lib*
You can do the cpan stuff as shown in the PAN-perl-Pack doc.
Hope this helps.
But I wish Palo Alto would add a tool in Panorama to retrieve rules from a PA appliance, without having to install dev2rama.
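The two encoding problems discussed in this thread (a password with special characters in the keygen request, and an API key that comes back already percent-encoded and is then encoded a second time by the client), as an added example that is not part of the thread and is not PAN-perl code. The sample password is constructed, the key is the one quoted in the reply above, and `server_decode` is only a model of a receiver that percent-decodes each value once.

```python
import re
from urllib.parse import parse_qs, quote, unquote, urlencode

PCT_ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")

# Key quoted in the reply above as the one that "won't work".
RETURNED_KEY = "PjA4A1Q2RZrxNcHCnh6PDOHc53F4elJ/%2Bjhg16a8GO0="
# Constructed sample password containing query-string metacharacters.
SAMPLE_PASSWORD = "p@ss&w=rd#1"


def keygen_query(user, password):
    """Keygen query string with both credentials percent-encoded exactly once."""
    return "type=keygen&user=%s&password=%s" % (
        quote(user, safe=""), quote(password, safe=""))


def server_decode(wire):
    """Model of the receiving side: split on & and =, percent-decode once."""
    return {name: values[0] for name, values in parse_qs(wire).items()}


def normalize_key(key):
    """Return the raw key, undoing one layer of percent-encoding if present.

    A raw base64 key never contains '%', so any %XX escape means the key
    was handed back already encoded.
    """
    return unquote(key) if PCT_ESCAPE.search(key) else key


def post_body(key):
    """Form body as an HTTP client that encodes values for POST would send it."""
    return urlencode({"key": key})


if __name__ == "__main__":
    raw = "type=keygen&user=admin&password=" + SAMPLE_PASSWORD
    print("unencoded password seen as:", server_decode(raw)["password"])
    print("encoded query:", keygen_query("admin", SAMPLE_PASSWORD))
    print("double-encoded body:", post_body(RETURNED_KEY))
    print("server sees:", server_decode(post_body(RETURNED_KEY))["key"])
    fixed = normalize_key(RETURNED_KEY)
    print("after normalize:", server_decode(post_body(fixed))["key"])
```

Normalizing the key once before storing it avoids having to regenerate keys until one happens to contain no `+` or other encoded character.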