Expedition not importing NAT or security policies from PA-3020s running PAN-OS 9.1


L1 Bithead

I'm working on a project to upgrade 2 x PA-3020s each with their own configuration into an HA pair of PA-1420s and am having trouble with Expedition. I've tried importing the devices using the API key and also by exporting the running-config.xml file as a superuser and manually importing it into Expedition. Both are giving the same results. My "Project Statistics" pane shows 0 Security Rules and 0 Nat Rules, which I think is also making most of my Address objects show up as Ghost. If I open the XML file directly, I see <rulebase> starts on line 4759 and </rulebase> ends on line 19820 so there are definitely rules. This is happening on both of my PA-3020s when I try to import them.

 

I am not using Panorama, just managing each firewall individually.  I've tried to restart the VM and run the version update but I was already on the latest.  All services on the dashboard are green (although after a restart I have to click remediate to get the order agent running).

 

Any thoughts? I haven't added the PA-1420s in yet as they are only connected via serial cables at the moment.  In fact, I just noticed that pa1XXX isn't even an option under models so I'm not sure if this will work at all.  I was really hoping that Expedition would cut a significant amount of time off our config consolidation and migration plan but this isn't looking so great.

4 REPLIES 4

Cyber Elite

Hi @J.Yarborough ,

 

Does the bottom right drop down say vsys1?  Also, is your Expedition up-to-date?  Send an email to fwmigrate@paloaltonetworks.com and someone will assist.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

L1 Bithead

Hi @Tom, I've tried switching the options in the bottom right between all/shared/vsys1 and it doesn't seem to help.  On the main dashboard view, it only lets me switch between the config files.  I've tried both PA-3020s that I've connected, as well as a manual export of the config, but each still shows 0 for Service Groups, Security Rules, Nat Rules, and Application Override Rules.  Either way, when I click into Nat Rules for example, it pulls up vsys1 and the message says "Select a vsys with rules".  Same message regardless of config or scope.

 

As for running the latest, I believe so?  I did get a popup saying a newer version was available, but when I ran the commands to update it said I was already on the latest.  The message might have been right after I rebooted the server or something so it might not have been up all the way or something.  My versions are:
Expedition:  1.2.90
Spark Dependencies:  0.1.3-h3
Best Practices:  3.33.0

 

I'll send an email to the address you mentioned.  Thanks!

Cyber Elite

Hi @J.Yarborough ,

 

One thing that I forgot is that the 1st PANW config file loaded into Expedition is the base config.  You could try loading the PA-1420 config 1st then the PA-3020.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

Well, good news!  I cleared out all of my devices and projects to try and start with the PA-1420 but I noticed an upgrade was available (1.2.90 -> 1.2.90.1).  I ran the update, added my devices back in, created a project, imported, and it seems to see all my objects now!
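Added example, not part of the original thread and not Expedition's own code: a way to confirm, independently of Expedition, how many rules each vsys in an exported running-config.xml holds, so the numbers can be compared with the Project Statistics pane. It assumes the usual PAN-OS layout (`devices/entry/vsys/entry/rulebase/<type>/rules/entry`); the sample config and the function names are constructed for illustration.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed, heavily trimmed sample in the assumed PAN-OS config layout.
SAMPLE_CONFIG = """<config version="9.1.0">
  <devices>
    <entry name="localhost.localdomain">
      <vsys>
        <entry name="vsys1">
          <rulebase>
            <security><rules>
              <entry name="allow-dns"/>
              <entry name="deny-all"/>
            </rules></security>
            <nat><rules>
              <entry name="outbound-pat"/>
            </rules></nat>
          </rulebase>
        </entry>
      </vsys>
    </entry>
  </devices>
</config>"""

# Rulebase types the thread reports as showing 0 in Expedition.
RULEBASES = ("security", "nat", "application-override")

def count_rules(xml_text):
    """Return {vsys_name: {rulebase: rule_count}} for every vsys found."""
    root = ET.fromstring(xml_text)  # root element is <config>
    counts = {}
    for vsys in root.findall("./devices/entry/vsys/entry"):
        counts[vsys.get("name")] = {
            rb: len(vsys.findall(f"./rulebase/{rb}/rules/entry"))
            for rb in RULEBASES
        }
    return counts

def count_rules_in_file(path):
    """Same count for an exported config file on disk."""
    with open(path, encoding="utf-8") as fh:
        return count_rules(fh.read())

if __name__ == "__main__":
    # Pass the path to an export, or run with no argument to use the sample.
    result = (count_rules_in_file(sys.argv[1]) if len(sys.argv) > 1
              else count_rules(SAMPLE_CONFIG))
    for vsys_name, per_rulebase in result.items():
        print(vsys_name, per_rulebase)
```

A non-zero count here alongside 0 in Expedition points at the import step rather than the export. The exported config also carries password hashes and keys, so run this on a host where the file is already allowed to live.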
