Panorama 9x - how to delete Child DG ObjectX if Parent ObjectX exists

Reply
Highlighted
L1 Bithead

Panorama 9x - how to delete Child DG ObjectX if Parent ObjectX exists

In Panorama 9x (specifically 9.0.6) if `Object-X` exits in both the Parent DG and a Child DG - you cannot delete the Child DG `Object-X`.  In the Child-DG, the "delete" button for that object is grayed out.  In the Parent-DG the delete button is available.  But we need to delete the more specific Child-DG object in order to only have the more global Parent-DG object.

 

In the Child DG, you can revert the Child Object-X back to using the Parent level Object.  But when you do that, `Object-X` now shows the location as Parent-DB and you no longer have access to the Child-DG Object-X - it is removed from the view.   

 

So how do you actually delete the Child-DG Object-X ? 

 

The answer is from CLI - `panorama# delete device-group DCE-vSys-Corp profiles virus Corp-Antivirus`

 

With the GUI open, you will see the Child-DG refresh itself and now show the Parent-DG Object - and the 'override' button will now be disabled because the Child-DG object no longer exists (thus nothing to override).

 

But, there are a few issues with this:

1. The biggest one: you have do delete each object one at a time.  Since you can't delete these Child-DG objects from the GUI by selecting on 10, 20, 100 at a time, you have to do them one at a time via CLI

2. The Child-DG Object MUST be over-riding the Parent-DG object.  If at the Child-DG level you `revert` to using the Parent-DG Object, than that Object does not appear in the Child-DG CLI list.  If you don't see it, you must "override" the Parent-DG object and then it should appear again at which time you can delete it.

 

OK.   So discovering this was a pain in the butt.  BBUUTT....is this the only way to delete a Child-DG Object that is duplicated at a Parent-DG level???  We have hundreds of Child-DG level objects that need to be deleted in favor of an Ancestor Object of the same name....deleting them via cli one at a time is simply not realistic.

 

 

 


Accepted Solutions
Highlighted
Cyber Elite

Hi @rolinger 

"In the Child DG, you can revert the Child Object-X back to using the Parent level Object.  But when you do that, `Object-X` now shows the location as Parent-DB and you no longer have access to the Child-DG Object-X - it is removed from the view." --> the object actually isn't only removed from the view, this step removed the object from the child-DG. So in this case should be possible to to select the objects you want to revert and then revert them.

If you need to revert hundrets/all child objects there is also the API with which you could write a small script that fetches all child objects and then delets/reverts them.

Another way with the CLI - requires a list of the objects that need to be deleted which could be also optained by showing the config on CLI - is to prepare all delete commands in a texteditor and then paste them at once in CLI.

 

View solution in original post


All Replies
Highlighted
Cyber Elite

Hi @rolinger 

"In the Child DG, you can revert the Child Object-X back to using the Parent level Object.  But when you do that, `Object-X` now shows the location as Parent-DB and you no longer have access to the Child-DG Object-X - it is removed from the view." --> the object actually isn't only removed from the view, this step removed the object from the child-DG. So in this case should be possible to to select the objects you want to revert and then revert them.

If you need to revert hundrets/all child objects there is also the API with which you could write a small script that fetches all child objects and then delets/reverts them.

Another way with the CLI - requires a list of the objects that need to be deleted which could be also optained by showing the config on CLI - is to prepare all delete commands in a texteditor and then paste them at once in CLI.

 

View solution in original post

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!