migrate local objects to Panorama shared objects


L4 Transporter

Hello,

I have 3 PA-500 that are running as stand alone devices. I've purchased Panorama as I am planning to add more devices. Currently my 3 PA-500 have about 150 objects that I would like to import to Panorama as shared objects so I can make 1 change that will replicate everywhere.

What is the best way to:

  1. Copy/clone local PA-500 objects to Panorama shared object database
  2. Force local PA-500 to use shared objects instead of local ones.

Thank you for your hints, I didn't find any existing doc about this problem.

6 REPLIES

L4 Transporter

Hi E,

The document attached to the KnowledgeBase article entitled "Conversion of Device Rulebase to Panorama Rulebase" -

https://live.paloaltonetworks.com/docs/DOC-1545 - should help you with the conversion. One issue you may run into is that because the object names are the same, you may get errors when pushing the configuration or committing to the local box. What version of code are you running?

Thanks

James

Thank you for the quick answer.

4.1.1 everywhere.

E,

That version will help as the Panorama push results are more verbose.

Give this a try and let us know if you get any errors when doing a commit all.

Another thing to keep in mind is once the objects are shared they will need to be removed from the local device.

Thanks
James

This is true and this is what I fear in fact:

To remove an object from local database I need to remove it from any rule that uses it. To push any shared object (that has duplicate name) to local box, I need to delete local object.

So step 1 would be to delete objects from local rules ... I don't see how to overcome this problem.

The kind of errors I get all the time: address -> EXT-NET-Postini 'EXT-NET-Postini' is already in use

E,

You can save the deleting until after migrating the objects and rules to Panorama and just before doing the commit all using the merge with Candidate config option.

If you are not looking to push your rulebase from Panorama, you could rename all of your common objects locally or in Panorama and then switch to the Panorama objects after you have completed a commit all.

James

In fact I've found a strange/suspicious way to get this done:

I clone objects in Panorama but append '-clone' at the end of each object name. Once I commit Panorama to all device-groups, all local rules are updated with '-clone' shared objects instead of local ones!!!

So basically it means that if you create a shared object with the same IP address as a local object, then the local object is replaced by the shared one in all rules. While it's practical for me, it could be dangerous/problematic for some users.
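
An added example, not part of any post in this thread and not Palo Alto Networks code: a pre-migration audit for the two cases discussed above, a shared object whose name duplicates a local one (the 'already in use' error) and a shared object with a different name but the same address as a local one (the '-clone' case). It assumes the address objects of the device and of Panorama have been exported as XML address/entry fragments; every object name except EXT-NET-Postini and all addresses are constructed sample data.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample data (assumption): address objects exported from the
# local device and from Panorama's shared section as <address><entry> XML.
LOCAL_XML = """<address>
  <entry name="EXT-NET-Postini"><ip-netmask>192.0.2.0/24</ip-netmask></entry>
  <entry name="SRV-Mail"><ip-netmask>198.51.100.10</ip-netmask></entry>
  <entry name="SRV-Web"><fqdn>www.example.com</fqdn></entry>
</address>"""

SHARED_XML = """<address>
  <entry name="EXT-NET-Postini"><ip-netmask>192.0.2.0/24</ip-netmask></entry>
  <entry name="SRV-Mail-clone"><ip-netmask>198.51.100.10/32</ip-netmask></entry>
  <entry name="SRV-DNS"><ip-netmask>203.0.113.53/32</ip-netmask></entry>
</address>"""

def load_objects(xml_text):
    """Return {object name: (type, normalized value)} for each address entry."""
    objects = {}
    for entry in ET.fromstring(xml_text).findall("entry"):
        for tag in ("ip-netmask", "ip-range", "fqdn"):
            node = entry.find(tag)
            if node is None or not node.text:
                continue
            value = node.text.strip()
            if tag == "ip-netmask":  # treat 10.0.0.1 and 10.0.0.1/32 as equal
                value = str(ipaddress.ip_interface(value))
            objects[entry.get("name")] = (tag, value)
            break
    return objects

def audit(local_xml, shared_xml):
    """Classify each local object against the shared objects before a push."""
    local, shared = load_objects(local_xml), load_objects(shared_xml)
    by_value = {}
    for name, value in shared.items():
        by_value.setdefault(value, []).append(name)
    report = {"name_collision": [], "same_value": [], "local_only": []}
    for name, value in sorted(local.items()):
        if name in shared:
            # Same name on both sides; the flag says whether the values agree.
            report["name_collision"].append((name, shared[name] == value))
        elif value in by_value:
            # Different name, same address: review every rule using it.
            report["same_value"].append((name, sorted(by_value[value])))
        else:
            report["local_only"].append(name)
    return report
```

Calling audit(LOCAL_XML, SHARED_XML) returns the three lists; entries under name_collision need a rename or local cleanup before the commit all, and entries under same_value mark rules whose object references should be compared before and after the push.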
