
Easiest way to find and replace Interfaces


L2 Linker

What is an easy way to find and replace Palo Alto interfaces?


Let's say for example I am combining a bunch of interfaces such as ethernet1/9 and ethernet1/10 into an aggregation group (i.e. ae1) and adding these as tagged VLANs, i.e. ae1.123, ae1.456


Q: Is there an easy way to migrate over replacing the Interfaces for all the NAT rules, IKE Gateways, Static Routes, etc.?

1 REPLY

L2 Linker

I recently had to do something very similar and documented my procedure. First I tried it in Expedition, which is what the tool was designed for, but it just wouldn't work for me. I moved my subinterfaces from one ae to another this way:

## set panorama to display output in "set" commands, set panorama to "no-more" output
admin@firewall(primary-active)> set cli config-output-format set
admin@firewall(primary-active)> set cli pager off
admin@firewall(primary-active)> configure
Entering configuration mode
[edit]

## from panorama, show the configuration matching the interface being migrated
admin@firewall(primary-active)# show | match ae2.117
**set template TEMPLATE config vsys vsys1 zone ZONE network layer3 ae2.117
**set template TEMPLATE config vsys vsys1 import network interface [ ae2 ae2.900 ae2.901 ae2.902 ae2.903 loopback.1 vlan loopback tunnel ae2.3600 ae2.3106 ae2.1505 ae2.1503 ae2.1502 ae2.1500 ae2.303 ae2.115 ae2.432 ae2.117 ae2.668 ae2.3005 ae2.4011 ae2.116 ae2.762 ae2.1621 ae2.2005 ae2.2040 ae2.700 sdwan ae3 ae3.411 ]
**set template TEMPLATE config network interface aggregate-ethernet ae2 layer3 units ae2.117 ipv6 neighbor-discovery router-advertisement enable no
set template TEMPLATE config network interface aggregate-ethernet ae2 layer3 units ae2.117 ndp-proxy enabled no
set template TEMPLATE config network interface aggregate-ethernet ae2 layer3 units ae2.117 adjust-tcp-mss enable no
set template TEMPLATE config network interface aggregate-ethernet ae2 layer3 units ae2.117 ip 10.x.x.x/29
set template TEMPLATE config network interface aggregate-ethernet ae2 layer3 units ae2.117 interface-management-profile ping-only
set template TEMPLATE config network interface aggregate-ethernet ae2 layer3 units ae2.117 tag 117
set template TEMPLATE config network interface aggregate-ethernet ae2 layer3 units ae2.117 comment ZONE
set template TEMPLATE config network virtual-router DEFAULT-VR protocol bgp auth-profile BGP_AUTH secret xxxxxxx
set template TEMPLATE config network virtual-router DEFAULT-VR protocol bgp auth-profile BGP_AUTH secret xxxxxxx
set template TEMPLATE config network virtual-router DEFAULT-VR protocol bgp peer-group ZONE peer ZONE connection-options authentication spn-FW-ae2_117
**set template TEMPLATE config network virtual-router DEFAULT-VR protocol bgp peer-group ZONE peer ZONE local-address interface ae2.117
set template TEMPLATE config network virtual-router DEFAULT-VR protocol bgp peer-group ZONE peer ZONE connection-options authentication spn-FW2-ae2_117
**set template TEMPLATE config network virtual-router DEFAULT-VR protocol bgp peer-group ZONE peer ZONE local-address interface ae2.117
**set template TEMPLATE config network virtual-router DEFAULT-VR interface [ ae2 ae2.115 ae2.116 ae2.117 ae2.303 ae2.432 ae2.668 ae2.700 ae2.762 ae2.900 ae2.901 ae2.902 ae2.903 ae2.1500 ae2.1502 ae2.1503 ae2.1505 ae2.1621 ae2.2005 ae2.2040 ae2.3005 ae2.3106 ae2.3600 ae2.4011 loopback.1 ae3.411 ]
[edit]

## the only configuration we need to remove has been marked with ** at the beginning of the line

## remove the sub-interfaces from the BGP peer-group by temporarily replacing them with loopbacks (this will preserve the bgp-peer config while allowing us to delete the sub-interface)
set template TEMPLATE config network virtual-router DEFAULT-VR protocol bgp peer-group ZONE peer FW1 local-address interface loopback.1
set template TEMPLATE config network virtual-router DEFAULT-VR protocol bgp peer-group ZONE peer FW2 local-address interface loopback.1

## delete the sub-interface from the VR
delete template TEMPLATE config network virtual-router DEFAULT-VR interface ae2.117

## delete the sub-interface from the zone
delete template TEMPLATE config vsys vsys1 zone ZONE network layer3 ae2.117

## delete the sub-interface from the vsys
delete template TEMPLATE config vsys vsys1 import network interface ae2.117

## delete the sub-interface from the old AE
delete template TEMPLATE config network interface aggregate-ethernet ae2 layer3 units ae2.117

-------------

## create the new sub-interface on new AE
set template TEMPLATE config network interface aggregate-ethernet ae3 layer3 units ae3.117 tag 117
set template TEMPLATE config network interface aggregate-ethernet ae3 layer3 units ae3.117 comment ZONE
set template TEMPLATE config network interface aggregate-ethernet ae3 layer3 units ae3.117 ip 10.x.x.x/29
set template TEMPLATE config network interface aggregate-ethernet ae3 layer3 units ae3.117 interface-management-profile ping-only

## import the new interface to the correct vsys
set template TEMPLATE config vsys vsys1 import network interface ae3.117

## add the new interface to the zone
set template TEMPLATE config vsys vsys1 zone ZONE network layer3 ae3.117

## add the new interface to the VR
set template TEMPLATE config network virtual-router DEFAULT-VR interface ae3.117

## add the new subinterface to the BGP peer-group (replacing the loopback placeholder)
set template TEMPLATE config network virtual-router DEFAULT-VR protocol bgp peer-group ZONE peer FW1_ZONE local-address interface ae3.117
set template TEMPLATE config network virtual-router DEFAULT-VR protocol bgp peer-group ZONE peer FW2_ZONE local-address interface ae3.117

## add the peer AS back to the peer-group
set template TEMPLATE config network virtual-router DEFAULT-VR protocol bgp peer-group ZONE peer FW1_ZONE peer-as 64892
set template TEMPLATE config network virtual-router DEFAULT-VR protocol bgp peer-group ZONE peer FW2_ZONE peer-as 64892

## add the IP's back to the peer-group
set template TEMPLATE config network virtual-router DEFAULT-VR protocol bgp peer-group ZONE peer FW1_ZONE local-address ip 10.x.x.x/29
set template TEMPLATE config network virtual-router DEFAULT-VR protocol bgp peer-group ZONE peer FW1_ZONE peer-address ip 10.x.x.x
set template TEMPLATE config network virtual-router DEFAULT-VR protocol bgp peer-group ZONE peer FW2_ZONE local-address ip 10.x.x.x/29
set template TEMPLATE config network virtual-router DEFAULT-VR protocol bgp peer-group ZONE peer FW2_ZONE peer-address ip 10.x.x.x

## all of the other configuration (policies, additional BGP config) will not be changed
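The sequence in the reply (park the BGP local-address on a loopback, unwind the zone/vsys/VR references, delete the unit, recreate it under the new parent, re-add the references) is mechanical enough to script. The following is an added example, not the poster's code and not a Palo Alto or Expedition tool: it takes the set-format text of `show | match <old-interface>` and emits the delete/set commands in that order. TEMPLATE, vsys1, ZONE, DEFAULT-VR and loopback.1 are the reply's sanitized names; the IP, the peer name FW1 and the extra `ae2.1170` unit are constructed. One caveat worth checking before pasting deletes: `| match` is a regular-expression match (the reply's own output shows `spn-FW-ae2_117` lines pulled in by `ae2.117`), so the script only acts on lines where the interface appears as a whole token.

```python
"""Generate PAN-OS set-format CLI to move a sub-interface to a new parent AE.

Added example (not the poster's code or a Palo Alto tool).  Input is the
text of `show | match <old>` in set format; output is the ordered list of
delete/set commands following the reply's sequence.
"""
import re
from typing import List

# Constructed sample in the shape of the reply's `show | match ae2.117`
# output.  TEMPLATE/vsys1/ZONE/DEFAULT-VR/loopback.1 are the reply's
# sanitized names; the IP, peer name FW1 and the ae2.1170 unit are made up.
# `| match` is a regex, so `ae2.117` also hits ae2.1170 and spn-FW-ae2_117.
SAMPLE_SHOW = """\
**set template TEMPLATE config vsys vsys1 zone ZONE network layer3 ae2.117
**set template TEMPLATE config vsys vsys1 import network interface [ ae2 ae2.900 ae2.117 loopback.1 ]
**set template TEMPLATE config network interface aggregate-ethernet ae2 layer3 units ae2.117 ip 10.0.0.1/29
set template TEMPLATE config network interface aggregate-ethernet ae2 layer3 units ae2.117 tag 117
set template TEMPLATE config network interface aggregate-ethernet ae2 layer3 units ae2.1170 tag 1170
set template TEMPLATE config network virtual-router DEFAULT-VR protocol bgp peer-group ZONE peer FW1 connection-options authentication spn-FW-ae2_117
**set template TEMPLATE config network virtual-router DEFAULT-VR protocol bgp peer-group ZONE peer FW1 local-address interface ae2.117
**set template TEMPLATE config network virtual-router DEFAULT-VR interface [ ae2 ae2.117 loopback.1 ]
"""


def references(line: str, iface: str) -> bool:
    """Whole-token match: ae2.117 must not hit ae2.1170, ae2.11 or ae2_117."""
    return re.search(r"(?<![\w.])" + re.escape(iface) + r"(?![\w.])", line) is not None


def residual_references(show_output: str, iface: str) -> List[str]:
    """Set-lines that still name `iface` (the poster's ** markers are tolerated).

    Run on a fresh `show | match <iface>` after the commit and expect []."""
    cleaned = (l.strip().lstrip("*") for l in show_output.splitlines())
    return [l for l in cleaned if l.startswith("set ") and references(l, iface)]


def migrate_subinterface(show_output: str, old: str, new: str,
                         placeholder: str = "loopback.1") -> List[str]:
    """Return delete/set commands that move `old` (e.g. ae2.117) to `new` (ae3.117)."""
    old_parent, new_parent = old.split(".")[0], new.split(".")[0]
    unit_def = f"aggregate-ethernet {old_parent} layer3 units {old}"
    new_def = f"aggregate-ethernet {new_parent} layer3 units {new}"
    bgp_ref = f"local-address interface {old}"

    unit_lines, ref_lines, bgp_lines = [], [], []
    for line in residual_references(show_output, old):
        if unit_def in line:
            unit_lines.append(line)          # the unit's own attributes
        elif bgp_ref in line:
            bgp_lines.append(line)           # BGP peers bound to the unit
        else:
            ref_lines.append(line)           # zone, vsys import, VR member lists
    if not unit_lines:
        raise ValueError(f"{old} is not defined under {old_parent} in this output")

    def ref_path(line: str) -> str:
        # "set <path> [ a b ]" and "set <path> ae2.117" both reduce to "set <path>"
        if " [ " in line:
            return line.split(" [ ", 1)[0]
        return line[: line.rfind(old)].rstrip()

    cmds = []
    # 1. park the BGP peers on a placeholder so their config survives the delete
    cmds += [l.replace(bgp_ref, f"local-address interface {placeholder}") for l in bgp_lines]
    # 2. unwind references in reverse discovery order, then delete the unit itself
    cmds += ["delete" + ref_path(l)[3:] + " " + old for l in reversed(ref_lines)]
    cmds.append("delete" + unit_lines[0].split(unit_def, 1)[0][3:] + unit_def)
    # 3. recreate the unit under the new parent with the same attributes
    cmds += [l.replace(unit_def, new_def) for l in unit_lines]
    # 4. re-add references in original order, then point the BGP peers at the new unit
    cmds += [ref_path(l) + " " + new for l in ref_lines]
    cmds += [l.replace(bgp_ref, f"local-address interface {new}") for l in bgp_lines]
    return cmds


if __name__ == "__main__":
    print("\n".join(migrate_subinterface(SAMPLE_SHOW, "ae2.117", "ae3.117")))
```

Paste the generated lines in configure mode and review the diff before committing; afterwards, `residual_references` over a fresh `show | match ae2.117` should come back empty, which is the post-check that nothing (zone, vsys import, VR, BGP peer) still points at the deleted unit.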
