04-04-2019 09:54 AM
Hello! I want to start this off by apologizing if I do anything wrong here or miss any processes, as this is my first post.
I had a question for the community to see if anyone has ever run into something like this, or what my best course of action would be.
We started migrating our environment off of the PA-500's to PA-220's (in the effort to keep cost down in very small sites that we have), but one thing that we didn't expect to run into is hitting the object limit of only 2500 objects.
So the steps we have taken so far are to create two device groups, one for the larger devices in our environment and one for the smaller...but now we have the task of converting the objects that aren't in use on the smaller devices to the larger device group, and also out of our shared group.
Does anyone know of a quicker or more efficient way to handle this instead of having to manually go through each object, do a global find, and create a new object and rule while deleting the old one?
Any help in the right direction would be greatly appreciated.
Thank you!
-Matt
04-06-2019 03:17 PM
Hi @mjanik01
In panorama there is an option called "Share unused address and service objects with devices". If you disable this option panorama pushes only the required objects to the firewalls.
(This requires that you also manage the policies in panorama and not only the objects, because only this way panorama is able to know which objects need to be pushed.)
04-08-2019 08:33 AM
Hello,
Part of the problem is we still have local policies on our firewalls (we are currently in the process of trying to clean that up, migrating everything into panorama, but there ARE still objects used in local policies).
04-08-2019 09:01 AM
Disabling that option removes the unused objects from the firewall and will stop sharing the objects that aren't used in policies with the device.
04-08-2019 09:05 AM
For the local objects, the firewall won't allow you to remove an address object if you attempt to delete it if it's still being used in policy. So you could actually attempt to mass delete any object that is on the firewall and as long as it doesn't throw an error it shouldn't be utilized in policy at all.
The only time I've seen this cause any issues is if you have a nested address-group as a member of an address-group. The firewall at that point isn't smart enough to realize that it's an in-use address object.
04-08-2019 09:15 AM
That works only if we're deleting from the local firewalls, but we're trying to delete panorama objects and it's impossible to tell if they're used locally on the firewalls, unless we go through each of the objects manually on the local devices (which we're trying to avoid).
That was the original thing we attempted, but we were running into SO many objects still used on the local devices that it just wasn't feasible anymore.
04-08-2019 09:24 AM
Got it. I assumed that the local objects would only be used in local policy on the firewalls themselves. If you've mixed Panorama objects with local policies things get much more complicated.
A faster way of doing this would be to dump the XML configuration files and dump the Panorama objects. This would give you a list of searchable objects at least, instead of having to be logged into every single device.
04-08-2019 10:19 AM
Script it!
# Test-ObjectInUse is a placeholder for whatever check you implement (e.g. searching the dumped XML)
foreach ($object in $panoramaObjects) {
    foreach ($firewall in $firewalls) {
        if (Test-ObjectInUse $object $firewall) {
            # append a line to the log for every firewall that still references the object
            Add-Content -Path .\object-usage.log -Value "$object is used on $firewall"
        }
    }
}
04-11-2019 07:08 AM
Hello,
Forgive my ignorance here (as I'm no programmer or anything by any means),
but trying to follow that logic in what you put below, I feel that's the opposite of what we want. We want to know which objects are NOT in use, by both panorama and the local firewalls themselves (which is the part of this that's a giant pain).
Thank you!
04-11-2019 10:02 AM
You're right. It should be more like this pseudocode:
# Test-ObjectInUse, Remove-FwObject and Remove-PanoramaObject are placeholders for your own implementation
foreach ($object in $panoramaObjects) {
    $inUse = $false
    foreach ($firewall in $firewalls) {
        if (Test-ObjectInUse $object $firewall) { $inUse = $true }
    }
    # only remove the object once no firewall references it anywhere
    if (-not $inUse) {
        foreach ($firewall in $firewalls) { Remove-FwObject $object $firewall }
        Remove-PanoramaObject $object $panorama
    }
}
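As an added, worked version of the "dump the XML and search it" idea above (not code from the thread), this script parses a Panorama export and each firewall's local export, collects every name referenced as a rule source or destination, expands address-groups (including the nested-group case mentioned earlier), and reports the shared objects nothing references. The XML fragments are constructed samples following a simplified PAN-OS layout; real exports use the same `address`, `address-group`, `rules`, `source` and `destination` elements.

```python
import xml.etree.ElementTree as ET

# Constructed sample: Panorama shared objects, one nested group, one pre-rule.
PANORAMA_XML = """<config><shared>
  <address><entry name="web-01"/><entry name="db-01"/><entry name="old-host"/><entry name="jump-01"/></address>
  <address-group><entry name="db-servers"><static><member>db-01</member></static></entry>
    <entry name="all-backend"><static><member>db-servers</member></static></entry></address-group>
</shared><devices><entry name="localhost.localdomain"><device-group><entry name="large-sites">
  <pre-rulebase><security><rules><entry name="allow-web"><source><member>any</member></source>
    <destination><member>web-01</member></destination></entry></rules></security></pre-rulebase>
</entry></device-group></entry></devices></config>"""

# Constructed sample: a firewall's local rule that only references a shared group.
FIREWALL_XML = """<config><devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
  <rulebase><security><rules><entry name="local-backend"><source><member>any</member></source>
    <destination><member>all-backend</member></destination></entry></rules></security></rulebase>
</entry></vsys></entry></devices></config>"""


def referenced_names(root):
    """Every name used as a source or destination member in any rulebase."""
    used = set()
    for tag in ("source", "destination"):
        for el in root.iter(tag):
            used.update(m.text.strip() for m in el.iter("member") if m.text and m.text != "any")
    return used


def group_members(root):
    """Map each address-group name to its static member names."""
    groups = {}
    for ag in root.iter("address-group"):
        for e in ag.findall("entry"):
            groups[e.get("name")] = [m.text.strip() for m in e.iter("member") if m.text]
    return groups


def expand(used, groups):
    """Mark members of referenced groups as used, following nested groups."""
    stack = list(used)
    while stack:
        for member in groups.get(stack.pop(), []):
            if member not in used:
                used.add(member)
                stack.append(member)
    return used


def unused_panorama_objects(panorama_xml, firewall_xmls):
    """Shared addresses/groups referenced by neither Panorama nor any local rulebase."""
    pan = ET.fromstring(panorama_xml)
    roots = [pan] + [ET.fromstring(x) for x in firewall_xmls]
    used, groups = set(), {}
    for r in roots:
        used |= referenced_names(r)
        groups.update(group_members(r))
    used = expand(used, groups)
    candidates = {e.get("name") for a in pan.iter("address") for e in a.findall("entry")}
    return sorted((candidates | set(group_members(pan))) - used)
```

Feed it the Panorama export plus one export per firewall; the returned names are safe candidates to move out of `shared`, and `expand()` is what keeps `db-01` from being flagged just because only a nested group names it.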