04-20-2023 02:12 PM
I know that when you migrate a firewall into Panorama and you keep the Import device's shared objects into Panorama's shared context box checked, this imports the firewall's objects as shared objects, unless there are duplicates. I'm wondering--how does Panorama identify any duplicates? Is it by the name of the object or other characteristics (such as the IP address itself)?
For example: If I have an Address Object on one firewall called "Server-DNS" with IP 8.8.8.8 and an Address Object on a different firewall called "DNS-Server" with the same IP 8.8.8.8, will it identify that as a duplicate? I'm assuming not, since you are able to have multiple Address Objects with the same IP, but would like to verify.
Thanks!
04-21-2023 02:40 PM
Hi @MDroyKT ,
I have imported multiple NGFW configs into Panorama, and the duplicates are always removed. I never thought about the specifics until now. Here is a doc that explains the process -> https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/manage-firewalls/transition-a-firewall.... Look under the section "Plan how to manage shared settings." The rules are as follows:
I would love to hear what you find if you import objects with duplicate names and/or values.
Thanks,
Tom
04-21-2023 02:40 PM
Hi @MDroyKT ,
I have imported multiple NGFW configs into Panorama, and the duplicates are always removed. I never thought about the specifics until now. Here is a doc that explains the process -> https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/manage-firewalls/transition-a-firewall.... Look under the section "Plan how to manage shared settings." The rules are as follows:
I would love to hear what you find if you import objects with duplicate names and/or values.
Thanks,
Tom
04-24-2023 12:17 PM
Thank you, Tom! It will likely be a few months at least before I get all our firewalls migrated (still in the planning phase for the first firewall migration) but I will make a note to comment back here on it once I do.
Thanks,
Michelle
07-11-2023 01:13 AM
for the mentioned example:
1) different object name but same value: "Server-DNS" with IP 8.8.8.8 and "DNS-Server" also with IP 8.8.8.8
there is nothing available directly on PAN-OS Firewall or Panorama; until now also not on the Strata Cloud Manager.
For all the mentioned Palo Alto Networks products you can use PAN-OS-PHP framework with predefined utilities to find and merge e.g. duplicate address objects by value.
The tool is also checking and correcting all places where the planned merged object is used and is replacing it with the object which will be kept.
https://github.com/PaloAltoNetworks/pan-os-php
also available as Docker Container:
docker run --name panosphp --rm -v ${PWD}:/share -it swaschkut/pan-os-php:latest
more information about the specific address-merger utility:
https://github.com/PaloAltoNetworks/pan-os-php/wiki/type=address-merger
more predefined merger scripts available for:
- rule
- address-group
- service
- service-group
- tag
- custom-url-category
07-11-2023 05:55 AM
Thank you @swaschkut for the cool tool!
Expedition is also able to clean up the config via the API.
08-30-2023 02:15 AM
Panorama configurations with big config file size are hard to optimise.
Based on the feedback of Palo Alto Networks Professional Services engineers, you need to focus on which tool can be used,
to be successfully in a timely manner.
PAN-OS-PHP has an additional feature by optimise your configuration and based on the changes it is possible to provide "set commands",
which can be directly pasted into the Panorama / Firewall CLI.
This feature is needed for customers where a ChangeRequest must be up-front documented well with detailed change commands,
and of course where NO direct PAN-OS XML API access is possible.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
