backup local config to panorama?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

backup local config to panorama?

Not applicable

Hi,

We already have an PA appliance installed.

We buy panorama 1 month later.  Mainly because we want to keep logs long time like 2 years of logs.

So we just want to manage Rules set of the PA with panorma, and get all the logs.

First step i try to do is doing  an export/import of the PA to panorama.

There is clear exemple to do that?

For now i only find documentation talking general information of the process, but dont show detail information on how to import/export objects and rules set, from a PA to Panorama.

Maybe there is a Migration Tool that can make this for me?

Its mainly just one rules set that i want to import/export to panorama.  Or maybe i will have to redo all those rules manualy in the panorama?

1 accepted solution

Accepted Solutions

thanks Kevin for help.  Yeah indead i have install the latest PAN-perl :

but I finaly done more reading on PAN API DOC:

The problem was in password of the admin account i use.  I was using a special char in the passwed.

you can read in the api doc : "Any special characters in the password must be URL/percent-encoded."

So i create a new admin, with no_special_char in it.  Then Re-use the URL to regen the Api_KEY

Bingo dev2rama work well now.

I just have to try the rest: getting those rules in Panorama.

==> Just a side note on those that using CentOS Linux BOX :

When installing PAN perl pack v.20120107.

- you need perl  (yum install perl)

then lib :

# yum install perl-Net-SSLeay

# yum install perl-Crypt-SSLeay

(those differ from unbuntu)

and

#yum install perl-lib*

You can do cpan stuff like its show in the PAN-perl-Pack doc

Hope this help.

But i wish Palo Alto add a tools in PANORAMA to retrieve rules in a PA appliance, without having to install dev2rama.

View solution in original post

6 REPLIES 6

L5 Sessionator

Denis,

This document has the required scripts that can help you migrate your config from a standalone PAN to Panorama.

https://live.paloaltonetworks.com/docs/DOC-1911

Thanks,

Sri Darapuneni

hi Sri,

I new to palo alto.  But i know Linux and/or Unix well, and i know firewall like ASA and checkpoint.

So here my question about installing and make work those scripts.  I have read the doc, i need some more information, specialy, where I install those Perl package and script.

I have to install : dev2rama-20110815.tar.gz (3.3 K)  and  PAN-perl-20110828.tar.gz (35.6 K)


I install this directly on the PA-2050 appliance?  Or i have to use a linux box?

Not applicable

Hi, An on other question;

I have install dev2rama on a Linux box. (i still need answer on my precedent message)

I need to understand how to create the api_key.

I need to give that information in the command :

./show.sh ../templates/dev2rama/ 10.X.Y.Z api_key

I have seek on knowledge base, and also in palo alto unit GUI.  For now i didnt find how to generate the api_key.

thankS!

ok i think i have find how to generate the api_KEY:

http://blog.rootshell.be/2012/03/28/are-you-making-the-most-of-your-security-tools/

I have run this on my Linux CentOS box (not over panoramo or PA-2050):

So i suppose i have to install Perl pack and dev tools on panorama?

When i have run this, i get 403 access denied errors messages:

[root@XYZ bin]# ./show.sh ../templates/dev2rama/ 10.X.Y.Z The_api_key_generated

../templates/dev2rama//show/01_address.xpath

Executing:  panxapi -rsx "devices/entry/vsys/entry[@name='vsys1']/address"

show: User not authorized to perform this operation. status="error" code="403"

../templates/dev2rama//show/02_address-group.xpath

Executing:  panxapi -rsx "devices/entry/vsys/entry[@name='vsys1']/address-group"

show: User not authorized to perform this operation. status="error" code="403"

../templates/dev2rama//show/03_service.xpath

Executing:  panxapi -rsx "devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/service"

show: User not authorized to perform this operation. status="error" code="403"

On 4.1 you may need to run panxapi -k multiple times to get a key which is not url encoded.  The history behind this is the XML API documentation does not state the key is returned encoded if encoding is needed and panxapi relies on LWP to do the encoding which will encode % for POST, which can result in double encoding if previously encoded.

so run panxapi until the key does not contain percent:

$ panxapi -h 172.29.9.121 -kl admin:admin

keygen: success

API key: "PjA4A1Q2RZrxNcHCnh6PDOHc53F4elJ/%2Bjhg16a8GO0="

this key won't work.

$ panxapi -h 172.29.9.121 -kl admin:admin

keygen: success

API key: "Q8acmLknUVOFt5dXq2LjTfZ8GoyTOZ1UoFPsa7nMIzY="

this key will work.

also, the latest version of PAN-perl is PAN-perl-20120107.

thanks Kevin for help.  Yeah indead i have install the latest PAN-perl :

but I finaly done more reading on PAN API DOC:

The problem was in password of the admin account i use.  I was using a special char in the passwed.

you can read in the api doc : "Any special characters in the password must be URL/percent-encoded."

So i create a new admin, with no_special_char in it.  Then Re-use the URL to regen the Api_KEY

Bingo dev2rama work well now.

I just have to try the rest: getting those rules in Panorama.

==> Just a side note on those that using CentOS Linux BOX :

When installing PAN perl pack v.20120107.

- you need perl  (yum install perl)

then lib :

# yum install perl-Net-SSLeay

# yum install perl-Crypt-SSLeay

(those differ from unbuntu)

and

#yum install perl-lib*

You can do cpan stuff like its show in the PAN-perl-Pack doc

Hope this help.

But i wish Palo Alto add a tools in PANORAMA to retrieve rules in a PA appliance, without having to install dev2rama.

  • 1 accepted solution
  • 3543 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!