01-25-2023 11:19 PM
Clone or move FW Local Policies to Device Groups
Hello good afternoon, as always, thanks for the collaboration, time and good vibes.
I have the following question.
Due to bad practices some admins have made changes and added local policies.
The Firewall in HA has its device-groups where there are a large number of policies, ie most, almost 90% are via device groups, but there are 10% that created them locally.
So is there a way to take those local policies, clone them, move them, etc ?
So that you don't have to create them manually?
Thanks, I remain attentive
Best regards
01-29-2023 02:50 PM
Hi @Metgatz ,
Unfortunately as far as I know Panorama does not have any mechanism to get local policy rules and update the device group. But there is "hacky" way to do it.
In my humble opinion - if the rules are not many, just do it in the dummy manual way:
- Connect to FW with CLI
- Set configuration view to set mode -> set cli config-output-format set
> set cli config-output-format set- Enter config mode and show security policy. Note this way show command will show only the local configured rules
> configure
# show rulebase security rules- Copy everything from here to text file
- Panorama cannot push rules with rulename already exist. So you need to add some prefix/suffix to the rulenames in the text file
- Connect to Panorama with CLI, climb the config three to the device group you want to update and paste the rules from the text file
> configure
# edit device-group XXXX pre-rulebase security
//(optional, but recommended)
# run set cli scripting-mode on
<paste rules from text file>
# run set cli scripting-mode off- Move the rules at desired location in GUI (you can do it over CLI, but I for me this action is easier in the GUI). Note that we created the rules in the pre-rules sections, the purpose is for the new rules to shadow the local rules so the traffic can start matching those instead of the local.
- Once you confirm all traffic is matching the Panorama pushed rules, delete the local configured one
- (Optional) remove the prefix/suffix that you add to the rulenames as it is no longer required (local rules are gone)
You need to do this for any address, service, group and any other object that is created locally and used by this rules.
I prefer this method, because I am sure no import will mess my Panorama config, or it will affect the rest of the rules. The problem is that it doesn't scale well if you have too many object, services, security profiles and rules to import.
Here comes the "hacky" way - https://knowledgebase.paloaltonetworks.com/kcsArticleDetail?id=kA10g0000008UIP&refURL=http%3A%2F%2Fk...
In summary:
- You convert all firewall to local. This will merge panorama pushed config with the local and import it to the local config file
- You remove firewall from existing device-group and template (guide tells you to remove FW completely, but I don't think is necessary, just de-associate it with any device-group and template in order to import device config)
- Import device config to Panorama. This will create new templates and device-group and associate the FW with them
- Export device config to the firewall, which will "convert" the whole config from local to Panorama pushed"
- Push config to firewall to have green light for config sync.
- Once you happy with the result, you can delete the old device-group and templates and rename those that are associated with the FW,
01-29-2023 07:07 PM - edited 01-29-2023 07:07 PM
Hi @Metgatz ,
I bet "load config partial" will do the trick. https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-cli-quick-start/use-the-cli/load-configurations/...
Export the config from the NGFW. Import to Panorama, but do not load. Run "load config partial" from the CLI of Panorama:
I've done load config partial a few times, but I can't remember if I moved from local to device group.
You could also use Expedition if (1) it was already (2) or you wanted to - set it up.
Thanks,
Tom
01-30-2023 06:45 PM
Hello @TomYoung @aleksandar.astardzhiev
Thanks to both of you for the tips, I will check them out and try, they are good approaches.
Now have any of you in PANORAMA done an import of a backup and then a.:
Load Named Configuration - Select Device Groups & Template ?
Has anyone had the experience of loading, from the GUI, selecting only one particular Device Groups example, so as not to alter anything else in Panorama at all?
Thanks, I remain attentive
Best regards
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
