Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
03-06-2013 05:25 AM
We have a lab PA2050 that I have tweaked to exactly where I want it to be. We are now trying to add it to a lab Panorama and I would like to populate Panorama with all of the policies and objects from the lab 2050. I exported the running config to an xml and imported it to the Panorama instance and just changed the server information (IP, gateway, DNS servers, etc...) It kept spitting up errors about administration.
Without modding the xml by hand, is there an easy way to import the policies and objects from the 2050 in Panorama?
03-06-2013 07:58 AM
03-09-2013 01:45 PM
There is a program called 'panto.py' in the PAN-ksteves package
(https://live.paloaltonetworks.com/docs/DOC-3533) that can
assist with Panorama migration. It uses a panxapi program
from either PAN-perl (https://live.paloaltonetworks.com/docs/DOC-1910)
or PAN-python (https://live.paloaltonetworks.com/docs/DOC-4762)
to do the migration tasks using the XML API.
If for example you wanted to migrate address object, groups, security
and nat rulebase your input file to panto.py could be something like:
set panxapi-program panxapi.py
set panxapi-from-tag pa-2020
set panxapi-to-tag panorama
setvar CONFIG_VSYS '/config/devices/entry/vsys/entry'
setvar DEVICE_GROUP 'finance-dg'
migrate from-xpath $CONFIG_VSYS/address to-xpath-device-group $DEVICE_GROUP
migrate from-xpath $CONFIG_VSYS/address-group to-xpath-device-group $DEVICE_GROUP
migrate from-xpath $CONFIG_VSYS/rulebase/security to-xpath-device-group $DEVICE_GROUP pre-rulebase
migrate from-xpath $CONFIG_VSYS/rulebase/nat to-xpath-device-group $DEVICE_GROUP post-rulebase
and the panto.py program would create the panxapi commands to show and
delete the configuration on PAN-OS, and set the configuration on
Panorama.
03-18-2013 02:29 AM
This all is very confusing. Device to Panorama official manual is outdated, some scripts have done, but lack of documentation, so I still can't figure out how to migrate existing device config to Panorama? Seems with official set ©/paste method I can't migrate the whole config. Second option is manually copy/paste config parts from device XML to Panorama XML.
Both methods seems crazy in year 2013, when others vendors do it automatically.
So Your script sounds good. Can I migrate the whole config? But please explain more, how to export data from device and import it into Panorama. Where to add device IP, Panorama IP etc.
03-18-2013 02:42 AM
I think your best option is to contact your SE and make sure that a feature request is filed towards the HQ that the Panorama in 2013 should be able to simply just import any PA device (so the admin doesnt have to either redo all work or run all sort of scripts and read outdated docs).
03-18-2013 02:53 AM
According to the such feature request is done already a year ago.
It's actually very strange, that vendor, whose only product is firewall, is so behind with common features, that every other firewall vendor have. PaloAlto must do serious jump, as right now I feel that simple the term "next generation" doesn't ring the bell anymore.
Also others vendors have made progress. I almost regret moving from CheckPoint to PaloAlto as I miss so much common features...
03-18-2013 11:34 AM
I am really sorry to hear that ksuuk. We are constantly evaluating feature requests and although, this is an important feature, there is a work around with the script. Hopefully once you do the import, you will find that the UI is intuitive and easy to use. With that said, your feedback is important, and contacting your SE to re-enforce the request is the best way for product management to prioritize features for future release. Thank you and please know we are listening. Thank you,
~Jamie
04-18-2013 12:54 PM
This is a much needed feature.. Why? Because most people buy the firewalls first and as they buy more they see a need for Panorama. Well it is hard to use Panorama to it's fullest features when you can't import the current devices configs to the Panorama Server. It is very hard to manually put all that into Panorama especially with policies and tons of url and address objects.
12-18-2013 08:34 AM
I really, sincerely hope this feature request was implemented in Panorama 6.0.
It's ridiculous that a centralized management solution created by a firewall company isn't able to import device configs. I feel this concept should have been included on a feature requirements document that was incorporated into Panorama 1.0 honestly, not that we're still going to be waiting for it in 2014.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
