Create policies from flows in file excel/csv to a Panorama particular - Device Group

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Create policies from flows in file excel/csv to a Panorama particular - Device Group

L4 Transporter

Create policies from flows in file excel/csv to a Panorama particular - Device Group

 

Hello Live Community, good evening, as always, thanks for the collaboration, the good vibes and the good vibes.

 

I tell you that I have the following scenario/situation:

 

Panorama- Device Groups - HA Firewalls - Policies on Device Groups, Any/Any Allow - Local Policies.

The issue is as follows, for some reason in a FW (HA) certain admins added local policies and another more relevant and conflictive point, an any/any/allow policy was created (I know the worst practice in life) to not notice the time to correctly generate the policies based on the real flows and they solved everything an "allow/any/any".

 

We have (I have...) the following important situation, there is a huge number of flows of this any/allow policy, of traffic, approximately 4,000 flows, that is, unique traffic, Source Zone, Source IP, Destination Zone, Destination IP, Destination Port/Service. Absolutely "unique" nothing repeated, after working to eliminate duplicates, polish excel, etc. This is based on reports and traffic logs, from the FW against that any/any allow policy, based on a 7-day flow.

 

Now I have a detail of 4000 flows in an excel/csv... The flows will be filtered, not everything will be allowed, but 70 or 80 %. Which now the big question is, how could I automate and make it handle more efficiently, quickly and correctly, adding these policies automatically based on the csv file, but, but, but... The big but, is that these policies must be added to an already existing Device Groups... What do you recommend to do... what strategy would you take, first, to import the policies, based on excel/cvs and second, to add these policies, based on the flow of 4,000 unique records, pass them to a Panorama Device Groups in Production, only altering that Device Groups, no other ?

 

This is the idea without altering anything from Panorama, no other Device Groups, but the Only Device Groups where I must make these changes? Where I was thinking of doing this, or where I want to turn it around to solve this, an example I was thinking of how to do it:

 

----Import the flows with Expedition against the PANORAMA config, against the Device Group in particular, export it from Expedition and then upload it to PANORAMA PRODUCTION. Now the big question, I can import a file, for example the XML to load it in PANORAMA, but only, only load the config of a Device Group.

I see that in PANORAMA-Setup-Operations-Load_Named Configuration-Select Device Groups & Template ( also load Shared Objects - Load Shared Policies - Regenerate Rule UUIDs ... Retain Rule UUIDs ). Someone has had to do this ... and has lived to tell the tale hehehe everything commenting earlier in the post but also using Load Named Config --- Select Device Groups & Template and only loading the config of a particular Device Groups and not toggle absolutely nothing, but nothing swim from the rest of the configs ?-----

 

-Does anyone have any recommendation, advice, point of view to solve this situation ?

 

Thank you in advance for the time, for the collaboration, for the possible advice, comments, good vibes, understanding, etc.

 

Thanks, I'll stay tuned

 

Best regards

High Sticker
2 REPLIES 2

L4 Transporter

Hello @TomYoung @aleksandar.astardzhiev 

 

Hello, thanks to both of you for the usual collaboration.

 

Have any of you had to deal with a situation similar to this post?

 

-What would be your advice, to give an approach and look for the most correct and risk free procedure to do this, thinking in a critical platform.

 

Thank you, I remain attentive

 

Best regards

High Sticker

Cyber Elite
Cyber Elite

Hi @Metgatz ,

 

Thank you for the collaboration.  I must go to bed.  So, I will be quick.  Another idea to think about is add Panorama as a device in Expedition.  Expedition can analyze the logs and create rules.  You can push the changes via API.

 

https://live.paloaltonetworks.com/t5/expedition-articles/machine-learning-configuration-guide/ta-p/2...

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.
  • 1557 Views
  • 2 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!