Total Objects and Device Groups

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Total Objects and Device Groups

L1 Bithead

Hello! I want to start this off for apologizing if i do anything wrong here or miss any processes as this is my first post.

 

I had the question for the community to see if anyone has ever ran into something like this, or what my best course of action would be.

 

We started migrating our environment off of the PA-500's to PA-220's (in the effort to keep cost down in very small sites that we have), but one thing that we didn't expect to run into is hitting the object limit of only 2500 objects.

 

So the steps we have taken so far are to create two device groups, one for the larger devices in our environment and one for the smaller...but now we have the task of converting the objects that aren't in use on the smaller devices to the larger device group, and also out of our shared group.

 

Does anyone know of a quicker or more efficient way to handle this instead of having to manually go through each object, do a global find, and create a new object and rule while deleting the old one.

 

Any help in the right direction would be greatly apprecaited.

 

Thank you!

-Matt

11 REPLIES 11

L1 Bithead

Export the objects via CLI to text, you can use that to create a script to create or remove them on whichever host you like.

L7 Applicator

Hi @mjanik01 

 

In panorama there is an option called "Share unused address and service objects with devices". If you disable this option panorama pushes only the required objects to the firewalls.

--> https://docs.paloaltonetworks.com/panorama/8-0/panorama-admin/manage-firewalls/manage-device-groups/...

(This requires that you also manage the policies in panorama and not only the objects because only this way panorama is able to know whitch objects need to be pushed)

@Remo,

 

Does disabling this option remove the unused objects from the devices?

Hello,

 

Part of the problem is we still have local policies on our firewalls (we are currently in the process of trying to clean that up, migrating everything into panorama but there ARE still objects used in local policies.

@cenectro,

Disabling that option removes the unused objects from the firewall and will stop sharing the objects that aren't used in policies with the device. 

@mjanik01,

For the local objects, the firewall won't allow you to remove an address object if you attempt to delete it if it's still being used in policy. So you could actually attempt to mass delete any object that is on the firewall and as long as it doesn't throw an error it shouldn't be utilized in policy at all.

The only time I've seen this cause any issues is if you have a dested address-group as a member of an address-group. The firewall at that point isn't smart enough to realize that it's an in-use address object. 

 

That works only if we're deleting from the local firewalls, but we're trying to delete panorama objects and its impossible to tell if they're used locally on the firewalls, unless we go through each of the objects manually on the local devices (which we're trying to avoid).

 

That was the original thing we attempted, but we were running into SO many objects still used on the local devices, that it just wasn't feasable anymore.

@mjanik01,

Got it. I assumed that the local objects would only be used in local policy on the firewalls themselves. If you've mixed Panorama objects with local policies things get much more complicated.

 

A faster way of doing this would be to dump the XML configuration files and dumping the Panorama objects. This would give you a list of searchable objects at least, instead of having to be logged into every single device. 

L7 Applicator

@cenectro 

Script it!

 

Foreach $object in $panoramaobjects {

     Foreach $firewall in $firewalls {

          If ($object is in use) {

               Write-to-log ($object is used on $firewall)

          }

     }

}

Hello,

 

Forgive my ignorance here (as i'm no programmer or anything by any means),

 

but trying to follow that logic in what you put below, i feel thats the opposite of what we want. we want to know which objects are NOT in use, by both panorama and the local firewalls themselves (which is the part of this thats a giant pain).

 

Thank you!

L7 Applicator

@mjanik01 

Yo're right. It should be more like this pseudocode:

Foreach $object in $panoramaobjects {

     Foreach $firewall in $firewalls {

          If ($object is not in use)

               Delete-fw-object($object,$firewall)

               Delete-panlrama-object($object,$panorama)

          }

     }

}

  • 8736 Views
  • 11 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!