Move/clone/copy from FW Local Policies to existing Device Groups


Clone or move FW Local Policies to Device Groups

Hello, good afternoon. As always, thanks for the collaboration, time and good vibes.

I have the following question.

Due to bad practices some admins have made changes and added local policies.

The firewall in HA has its device groups, where there are a large number of policies, i.e. most of them, almost 90%, are via device groups, but there are 10% that were created locally.

So is there a way to take those local policies and clone them, move them, etc.?

So that you don't have to create them manually?

Thanks, I remain attentive.

Best regards

High Sticker

Hi @Metgatz ,

Unfortunately, as far as I know, Panorama does not have any mechanism to get local policy rules and update the device group. But there is a "hacky" way to do it.

In my humble opinion, if the rules are not many, just do it the dummy manual way:

- Connect to FW with CLI

- Set configuration view to set mode -> set cli config-output-format set

> set cli config-output-format set

- Enter config mode and show the security policy. Note that this way the show command will show only the locally configured rules

> configure
# show rulebase security rules

- Copy everything from here to a text file

- Panorama cannot push rules whose rule name already exists. So you need to add some prefix/suffix to the rule names in the text file

- Connect to Panorama with CLI, climb the config tree to the device group you want to update and paste the rules from the text file

> configure
# edit device-group XXXX pre-rulebase security
//(optional, but recommended)
# run set cli scripting-mode on
<paste rules from text file>
# run set cli scripting-mode off

- Move the rules to the desired location in the GUI (you can do it over CLI, but for me this action is easier in the GUI). Note that we created the rules in the pre-rules section; the purpose is for the new rules to shadow the local rules so the traffic can start matching those instead of the local ones.

- Once you confirm all traffic is matching the Panorama pushed rules, delete the locally configured ones

- (Optional) remove the prefix/suffix that you added to the rule names, as it is no longer required (local rules are gone)

You need to do this for any address, service, group and any other object that is created locally and used by these rules.

I prefer this method, because I am sure no import will mess up my Panorama config or affect the rest of the rules. The problem is that it doesn't scale well if you have too many objects, services, security profiles and rules to import.

Here comes the "hacky" way - https://knowledgebase.paloaltonetworks.com/kcsArticleDetail?id=kA10g0000008UIP&refURL=http%3A%2F%2Fk...

In summary:
- You convert the whole firewall to local. This will merge the Panorama pushed config with the local one and import it into the local config file

- You remove the firewall from the existing device group and template (the guide tells you to remove the FW completely, but I don't think it is necessary; just de-associate it from any device group and template in order to import the device config)

- Import the device config to Panorama. This will create a new template and device group and associate the FW with them

- Export the device config to the firewall, which will "convert" the whole config from local to Panorama pushed

- Push the config to the firewall to have a green light for config sync.

- Once you are happy with the result, you can delete the old device group and templates and rename those that are associated with the FW.
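The renaming step in the manual method above (add a prefix to every rule name and re-root the firewall's set-format output under the device-group pre-rulebase) is easy to automate. The script below is an added example, not code from the thread or from Palo Alto Networks; it assumes set-format output captured from `show rulebase security rules` on the firewall, emits full-path `set device-group ... pre-rulebase security rules ...` commands that can be pasted from the top of Panorama's configure mode, and uses a placeholder device-group name and prefix. Referenced objects (addresses, services, profiles) still have to exist in the device group.

```python
import re

# One line per attribute, as the firewall prints after
# `set cli config-output-format set`. Names containing spaces are quoted.
RULE_RE = re.compile(
    r'^set rulebase security rules (?P<name>"[^"]+"|\S+)(?P<rest>.*)$'
)

# Constructed sample of firewall set-format output (not real customer data).
SAMPLE_FW_OUTPUT = """\
set rulebase security rules allow-web from trust
set rulebase security rules allow-web to untrust
set rulebase security rules allow-web application web-browsing
set rulebase security rules allow-web action allow
set rulebase security rules "Block Bad" from any
set rulebase security rules "Block Bad" action deny
"""


def rename_rule(name: str, prefix: str) -> str:
    """Prepend the prefix, keeping the quotes around names that contain spaces."""
    if name.startswith('"') and name.endswith('"'):
        return f'"{prefix}{name[1:-1]}"'
    return f"{prefix}{name}"


def convert_rules(fw_set_output: str, device_group: str, prefix: str = "LCL-") -> list[str]:
    """Rewrite firewall local rules as Panorama pre-rulebase set commands.

    Lines that are not security-rule set commands (prompts, blanks, other
    rulebases) are skipped so the output only contains what should be pasted.
    """
    converted = []
    for raw in fw_set_output.splitlines():
        match = RULE_RE.match(raw.strip())
        if not match:
            continue
        new_name = rename_rule(match.group("name"), prefix)
        converted.append(
            f"set device-group {device_group} pre-rulebase security rules "
            f"{new_name}{match.group('rest')}"
        )
    return converted


if __name__ == "__main__":
    # "DG-Branch" is a placeholder; replace it with the real device-group name.
    for cmd in convert_rules(SAMPLE_FW_OUTPUT, "DG-Branch"):
        print(cmd)
```

Once the pasted rules are committed and traffic is confirmed to hit them (the shadowing check described above), the same name list tells you exactly which local rules to delete.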


Hi @Metgatz ,

I bet "load config partial" will do the trick.  https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-cli-quick-start/use-the-cli/load-configurations/...

Export the config from the NGFW.  Import to Panorama, but do not load.  Run "load config partial" from the CLI of Panorama:

  1. Mode merge
  2. From NGFW file
  3. From security policy Xpath (from NGFW API browser)
  4. To running-config
  5. To device group security policy pre-rules Xpath (from Panorama API browser).

I've done load config partial a few times, but I can't remember if I moved from local to device group.

You could also use Expedition if (1) it was already set up or (2) you wanted to set it up.

Thanks,

Tom

Help the community: Like helpful comments and mark solutions.

Hello @TomYoung @aleksandar.astardzhiev 

Thanks to both of you for the tips, I will check them out and try, they are good approaches.

Now, have any of you in Panorama done an import of a backup and then a:

Load Named Configuration - Select Device Groups & Template ?

Has anyone had the experience of loading, from the GUI, selecting only one particular Device Group, for example, so as not to alter anything else in Panorama at all?

Thanks, I remain attentive.

Best regards

High Sticker