Import existing config into Panorama woes

Reply
Highlighted
L4 Transporter

Import existing config into Panorama woes

We have a handful of standalone PAs that we want to import into Panorama.   However in our first interation it failed with the following errors and I am not sure why.  The entire process isn't made clear to me either via PA (like a lot of their stuff but I digress) so I was wondering if anyone has done this and can help point me in the right direction?

 

Commit/validation fails on the following items on the firewall after import/export back to it from the Panorama:

 

 

Validation Error:
log-settings -> profiles -> Forward to Panorama and Email -> match-list -> test-Alerts -> send-email 'Test Alerts' is not a valid reference
log-settings -> profiles -> Forward to Panorama and Email -> match-list -> test-Alerts -> send-email is invalid
log-settings -> profiles -> Forward to Panorama and Email -> match-list is invalid
log-settings -> profiles is invalid
log-settings is invalid
shared is invalid
rulebase -> security -> rules -> outbound-block-all -> from 'trust' is not an allowed keyword
rulebase -> security -> rules -> outbound-block-all -> from 'trust' is not a valid reference
rulebase -> security -> rules -> outbound-block-all -> from is invalid
rulebase -> security -> rules -> outbound-block-all -> to 'untrust' is not an allowed keyword
rulebase -> security -> rules -> outbound-block-all -> to 'untrust' is not a valid reference
rulebase -> security -> rules -> outbound-block-all -> to is invalid
rulebase -> security -> rules -> untrust-block-all -> from 'untrust' is not an allowed keyword
rulebase -> security -> rules -> untrust-block-all -> from 'untrust' is not a valid reference
rulebase -> security -> rules -> untrust-block-all -> from is invalid
rulebase -> security -> rules is invalid
rulebase -> security is invalid
rulebase is invalid
vsys is invalid
devices is invalid
In VSYS vsys1 from zone trust of type unknown and to zone untrust of type unknown are incompatible in security rule outbound-block-all
Configuration is invalid

 

 

pan-post.JPG

 

2 errors when trying to do this, both of which appear to be originating from the PAN > FW.

  • The first one is a log setting on the 'outbound-block-all' rule on the PAN.  That specific log settings doesn't exist on the FW. 
  • Again same rule that is already on the PAN in 'Post Rules,' its shared between all of our existing DGs on the PAN.   The only difference between the zones on the FW and the PAN is the first letter is capitalized which I assume is why it chokes? 

I changed the zone names to match on the FW but not sure what to do about the log/email settings?  Also not sure why its complaining about 'shared' as well.  

Highlighted
L0 Member

Drewdown,

 

not sure if you fixed this already...

 

2 errors when trying to do this, both of which appear to be originating from the PAN > FW.

  • The first one is a log setting on the 'outbound-block-all' rule on the PAN.  That specific log settings doesn't exist on the FW. 

I think you may have to turn off log forwarding on the panorama 

 

Before importing the security policies, you need to disable logging to Panorama. On the firewall, either modify your log forwarding profile to remove Panorama, or edit each security policy and set the log forwarding profile to none:

 

 

 
 
  • Again same rule that is already on the PAN in 'Post Rules,' its shared between all of our existing DGs on the PAN.   The only difference between the zones on the FW and the PAN is the first letter is capitalized which I assume is why it chokes? 

The name zone name makes a difference and should be the same

 

Highlighted
L4 Transporter

@MichaelShelton 

 

I changed the zone names on the FW to all lowercase and committed it but when I did that the tunnel between that FW and our on-prem FW went down.  I had to bounce the tunnel to get it passing traffic again....odd but whatever.

 

As far as the logging goes I am not logging anything to Panorama on the FW.   Those 'Test-Alerts' are configured on the Panorama and pushed to my other managed PANs.   On the FW I am trying to import logging is only set to 'Log at Session End' and Forwarding set to 'none' on every policy. 


Are you are saying to disable the log settings on the 2 shared POST security policies on the PANORAMA?  This stuff is so cryptic, sometimes I love PAN and other times I want to beat it like a red headed stepchild. 

 

 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!