I am setting up a PA-VM50 that is in an isolated environment solely for testing any changes before we deploy to our production physical Palo's managed by Panorama template and template stack in a device group.
I would like to save myself a heck load of time by being able to import most of the object configuration and pre-rulebases. I don't mind configuring the interfaces on the VM, I can already do that with Ansible easily. But making 300+ rules and their objects is not a fun prospect even with the help of Ansible or Python.
I have checked out a few things so far and my initial investigations and attempts have been a failure. I would appreciate any feedback regarding what has worked for you or what I should try etc or what tools I should look at to do this and any relevant documentation to go through.
Thanks in advance for any help regarding this!
you might be able to pull the PN cfg into Expedition with the base config from your VM to produce XML for a load merge, API cfg push, or to parse objects from the file for Ansible.
Correct me if my understanding is wrong!!!
You have physical box managed from Panorama. Now you want to import all the configuration available on the box (Panorama pushed + Local) to the Test VM. And this VM will be locally managed i.e. not from Panorama.
If this is requirment, then there is one merged config file available on gateway which includes both Panorama managed & local config. You can take this xml file and import it to test instance. Merged xml file is also included under tech-support file.
Just keep test VM on the same PANOS version as that of prod.
Hope it helps!
Unfortunately versions and models are different so partial import is problematic to say the least.
In the end I have made the effort to learn Python and have written this code for the importing of objects via CSV. Currently this code only accounts for Objects, and in a limited capacity. I plan to keep working on this code and improve it but for now its at least saving me a lot of time.
The next thing I will be adding is Network & Policy importing, currently Policies require zones at the very least and NAT rules require network interfaces configured and zones to be able to import them from another working device of course. Due to the higher complexity of the network aspect (and that I am a Python noob - 2nd week of using Python) it might take me a week or two to finish that code.
So yeah anyone who might find this post and needs to do a similar thing, feel free to check out that repo, use it and build off it, ultimately though if you can offer any pointers or make it better please let me know!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!