Import existing config into Panorama woes

L4 Transporter

We have a handful of standalone PAs that we want to import into Panorama. However, on our first iteration it failed with the following errors and I am not sure why. The entire process isn't made clear to me either via PA (like a lot of their stuff, but I digress), so I was wondering if anyone has done this and can help point me in the right direction?

Commit/validation fails on the following items on the firewall after import/export back to it from the Panorama:

Validation Error:
log-settings -> profiles -> Forward to Panorama and Email -> match-list -> test-Alerts -> send-email 'Test Alerts' is not a valid reference
log-settings -> profiles -> Forward to Panorama and Email -> match-list -> test-Alerts -> send-email is invalid
log-settings -> profiles -> Forward to Panorama and Email -> match-list is invalid
log-settings -> profiles is invalid
log-settings is invalid
shared is invalid
rulebase -> security -> rules -> outbound-block-all -> from 'trust' is not an allowed keyword
rulebase -> security -> rules -> outbound-block-all -> from 'trust' is not a valid reference
rulebase -> security -> rules -> outbound-block-all -> from is invalid
rulebase -> security -> rules -> outbound-block-all -> to 'untrust' is not an allowed keyword
rulebase -> security -> rules -> outbound-block-all -> to 'untrust' is not a valid reference
rulebase -> security -> rules -> outbound-block-all -> to is invalid
rulebase -> security -> rules -> untrust-block-all -> from 'untrust' is not an allowed keyword
rulebase -> security -> rules -> untrust-block-all -> from 'untrust' is not a valid reference
rulebase -> security -> rules -> untrust-block-all -> from is invalid
rulebase -> security -> rules is invalid
rulebase -> security is invalid
rulebase is invalid
vsys is invalid
devices is invalid
In VSYS vsys1 from zone trust of type unknown and to zone untrust of type unknown are incompatible in security rule outbound-block-all
Configuration is invalid

[screenshot attached: pan-post.JPG]

Two errors occur when trying to do this, both of which appear to originate from the PAN > FW.

  • The first one is a log setting on the 'outbound-block-all' rule on the PAN. That specific log setting doesn't exist on the FW.
  • Again, same rule that is already on the PAN in 'Post Rules'; it's shared between all of our existing DGs on the PAN. The only difference between the zones on the FW and the PAN is that the first letter is capitalized, which I assume is why it chokes?

I changed the zone names to match on the FW but am not sure what to do about the log/email settings? Also not sure why it's complaining about 'shared' as well.

2 replies

L0 Member

Drewdown,

Not sure if you fixed this already...

Two errors occur when trying to do this, both of which appear to originate from the PAN > FW.

  • The first one is a log setting on the 'outbound-block-all' rule on the PAN. That specific log setting doesn't exist on the FW.

I think you may have to turn off log forwarding on the Panorama.

Before importing the security policies, you need to disable logging to Panorama. On the firewall, either modify your log forwarding profile to remove Panorama, or edit each security policy and set the log forwarding profile to none:

  • Again, same rule that is already on the PAN in 'Post Rules'; it's shared between all of our existing DGs on the PAN. The only difference between the zones on the FW and the PAN is that the first letter is capitalized, which I assume is why it chokes?

The zone name makes a difference and should be the same.

@MichaelShelton

I changed the zone names on the FW to all lowercase and committed it, but when I did that the tunnel between that FW and our on-prem FW went down. I had to bounce the tunnel to get it passing traffic again... odd, but whatever.

As far as the logging goes, I am not logging anything to Panorama on the FW. Those 'Test-Alerts' are configured on the Panorama and pushed to my other managed PANs. On the FW I am trying to import, logging is only set to 'Log at Session End' and Forwarding set to 'none' on every policy.

Are you saying to disable the log settings on the 2 shared POST security policies on the PANORAMA? This stuff is so cryptic; sometimes I love PAN and other times I want to beat it like a red headed stepchild.
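Added example, not from this thread and not Palo Alto Networks code: a small pre-flight check that catches both error classes discussed above (a rule referring to a zone that differs from the firewall's zone only in case, and a log forwarding profile whose send-email member names an email server profile that does not exist on the firewall) by walking the firewall's XML config before you try to commit. The XML paths it uses (devices/entry/vsys/entry/zone, rulebase/security/rules/entry/from|to/member, log-setting, shared/log-settings/profiles/entry/match-list/entry/send-email/member, log-settings/email/entry) are my reading of the PAN-OS XML layout and should be verified against your own export; the embedded config is a constructed sample, not a real export.

```python
"""Pre-flight reference check for a PAN-OS firewall XML config (added example).

Zone names are case-sensitive, so a rule referencing 'trust' does not match a
zone named 'Trust'; and a log forwarding profile's send-email member must name
an email server profile that exists on the device being committed.
"""
import xml.etree.ElementTree as ET

# Constructed sample, NOT a real export: a trimmed firewall candidate config as it
# might look after a Panorama round trip. The firewall's zones are capitalised
# while the pushed rule uses lowercase, and the pushed log forwarding profile
# references an email server profile ("Test Alerts") the firewall does not have.
SAMPLE_FW_XML = """
<config>
  <shared><log-settings><profiles>
    <entry name="Forward to Panorama and Email">
      <match-list><entry name="test-Alerts">
        <send-email><member>Test Alerts</member></send-email>
      </entry></match-list>
    </entry>
  </profiles></log-settings></shared>
  <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
    <zone><entry name="Trust"/><entry name="Untrust"/></zone>
    <rulebase><security><rules>
      <entry name="outbound-block-all">
        <from><member>trust</member></from>
        <to><member>untrust</member></to>
        <log-setting>Forward to Panorama and Email</log-setting>
      </entry>
      <entry name="allow-dns">
        <from><member>Trust</member></from>
        <to><member>Untrust</member></to>
        <log-setting>Forward to Panorama and Email</log-setting>
      </entry>
    </rules></security></rulebase>
  </entry></vsys></entry></devices>
</config>
"""

VSYS = "./devices/entry/vsys/entry"  # assumed path of each vsys in a firewall config


def _names(node, path):
    """Set of name= attributes for every entry matched by path below node."""
    return {e.get("name") for e in node.findall(path)}


def check_zone_refs(root):
    """Each from/to member of a security rule must name a zone of its vsys exactly."""
    findings = []
    for vsys in root.findall(VSYS):
        zones = _names(vsys, "./zone/entry")
        by_lower = {z.lower(): z for z in zones}  # only used to produce a hint
        for rule in vsys.findall("./rulebase/security/rules/entry"):
            for side in ("from", "to"):
                for member in rule.findall(f"./{side}/member"):
                    ref = (member.text or "").strip()
                    if ref == "any" or ref in zones:
                        continue  # exact match is the only thing the commit accepts
                    hint = by_lower.get(ref.lower())
                    kind = "zone-case" if hint else "zone-missing"
                    detail = (f"differs only in case from zone {hint!r}" if hint
                              else "is not a configured zone")
                    findings.append((kind, f"{vsys.get('name')}: rule "
                                     f"{rule.get('name')!r} {side} {ref!r} {detail}"))
    return findings


def check_log_refs(root):
    """Log forwarding profiles and their send-email targets must exist on this device."""
    # Both object types can live under shared or under an individual vsys.
    email = (_names(root, "./shared/log-settings/email/entry")
             | _names(root, VSYS + "/log-settings/email/entry"))
    profiles = (root.findall("./shared/log-settings/profiles/entry")
                + root.findall(VSYS + "/log-settings/profiles/entry"))
    profile_names = {p.get("name") for p in profiles}
    findings = []
    for prof in profiles:
        for match in prof.findall("./match-list/entry"):
            for member in match.findall("./send-email/member"):
                ref = (member.text or "").strip()
                if ref not in email:
                    findings.append(("email-missing", f"profile {prof.get('name')!r} "
                                     f"match-list {match.get('name')!r} send-email "
                                     f"{ref!r} names no email server profile"))
    for rule in root.findall(VSYS + "/rulebase/security/rules/entry"):
        ref = rule.findtext("./log-setting")
        if ref and ref not in profile_names:
            findings.append(("log-profile-missing", f"rule {rule.get('name')!r} "
                             f"log-setting {ref!r} names no log forwarding profile"))
    return findings


def preflight(xml_text):
    """Return (kind, message) findings; an empty list means every reference resolves."""
    root = ET.fromstring(xml_text.strip())
    return check_zone_refs(root) + check_log_refs(root)


if __name__ == "__main__":
    for kind, message in preflight(SAMPLE_FW_XML):
        print(f"[{kind}] {message}")
```

Run it against the XML you export from the firewall (Device > Setup > Operations > Export named configuration snapshot) after Panorama has pushed to it, or against the config you are about to import; on the sample it reports the two case mismatches on 'outbound-block-all' and the dangling 'Test Alerts' email reference, and an empty result means the commit-time reference errors above should not appear. It deliberately checks nothing about Panorama push semantics, only whether the names the rules and profiles point at exist on the device that has to validate them.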