12-12-2011 08:39 AM
Hello,
I have 3 PA-500 that are running as standalone devices. I've purchased Panorama as I am planning to add more devices. Currently my 3 PA-500 have about 150 objects that I would like to import to Panorama as shared objects so I can make 1 change that will replicate everywhere.
What is the best way to:
Thank you for your hints, I didn't find any existing doc about this problem.
12-12-2011 08:49 AM
Hi E,
The document attached to the KnowledgeBase article entitled "Conversion of Device Rulebase to Panorama Rulebase" -
https://live.paloaltonetworks.com/docs/DOC-1545 - should help you with the conversion. One issue you may run into is that because the object names are the same, you may get errors when pushing the configuration or committing to the local box. What version of code are you running?
Thanks
James
12-12-2011 08:51 AM
Thank you for the quick answer.
4.1.1 everywhere.
12-12-2011 08:55 AM
E,
That version will help as the Panorama push results are more verbose.
Give this a try and let us know if you get any errors when doing a commit all.
Another thing to keep in mind is once the objects are shared they will need to be removed from the local device.
Thanks
James
12-12-2011 08:59 AM
This is true and this is what I fear in fact:
To remove an object from local database I need to remove it from any rule that uses it. To push any shared object (that has duplicate name) to local box, I need to delete local object.
So step 1 would be to delete objects from local rules ... I don't see how to overcome this problem.
The kind of errors I get all the time: address -> EXT-NET-Postini 'EXT-NET-Postini' is already in use
12-12-2011 09:03 AM
E,
You can save the deleting until after migrating the objects and rules to Panorama and just before doing the commit all using the merge with Candidate config option.
If you are not looking to push your rulebase from Panorama, you could rename all of your common objects locally or in Panorama and then switch to the Panorama objects after you have completed a commit all.
James
12-12-2011 09:14 AM
In fact I've found a strange/suspicious way to get this done:
I clone objects in Panorama but append '-clone' at the end of each object. Once I commit Panorama to all device-groups, all local rules are updated with '-clone' shared objects instead of local ones !!!
So basically it means that if you create a shared object with the same IP address as a local object, then the local object is replaced by the shared one in all rules. While it's practical for me, it could be dangerous/problematic for some users.
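An added example, not part of the thread or of any Palo Alto Networks tooling: a pre-migration check for the two cases discussed above, a local address object whose name collides with a shared one (the "already in use" error) and a local object whose value matches a differently named shared one (the substitution reported in the last post). It assumes the address sections were exported as XML with `<entry name="...">` elements holding an `ip-netmask`, `ip-range` or `fqdn` child; the sample objects and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample data, not taken from a real device or Panorama export.
SHARED_XML = """<address>
  <entry name="EXT-NET-Postini"><ip-netmask>192.0.2.0/24</ip-netmask></entry>
  <entry name="SRV-Mail-clone"><ip-netmask>198.51.100.10/32</ip-netmask></entry>
  <entry name="SRV-Web"><ip-netmask>198.51.100.20/32</ip-netmask></entry>
</address>"""

LOCAL_XML = """<address>
  <entry name="EXT-NET-Postini"><ip-netmask>192.0.2.0/24</ip-netmask></entry>
  <entry name="SRV-Mail"><ip-netmask>198.51.100.10/32</ip-netmask></entry>
  <entry name="SRV-Web"><ip-netmask>198.51.100.21/32</ip-netmask></entry>
  <entry name="SRV-DNS"><fqdn>dns.example.com</fqdn></entry>
</address>"""

def load_addresses(xml_text):
    """Return {object name: (type, value)} for each address entry (assumed layout)."""
    objects = {}
    for entry in ET.fromstring(xml_text).findall("entry"):
        for child in entry:
            if child.tag in ("ip-netmask", "ip-range", "fqdn"):
                objects[entry.get("name")] = (child.tag, (child.text or "").strip())
    return objects

def audit(shared, local):
    """Classify every local object against the shared set before a commit all."""
    by_value = {}
    for name, value in shared.items():
        by_value.setdefault(value, []).append(name)
    report = {"same_name_same_value": [], "same_name_different_value": [],
              "same_value_different_name": [], "local_only": []}
    for name, value in sorted(local.items()):
        if name in shared:
            # Name collision: the push fails until the local object is removed.
            key = "same_name_same_value" if shared[name] == value else "same_name_different_value"
            report[key].append(name)
        elif value in by_value:
            # Same value under another name: rules may end up on the shared object.
            report["same_value_different_name"].append((name, sorted(by_value[value])))
        else:
            report["local_only"].append(name)
    return report

if __name__ == "__main__":
    for category, items in audit(load_addresses(SHARED_XML), load_addresses(LOCAL_XML)).items():
        print(category, items)
```

The `same_name_different_value` bucket is the one to review by hand first, since replacing the local object there changes what the rules match.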