How are duplicate shared objects identified in Panorama?


L2 Linker

I know that when you migrate a firewall into Panorama and you keep the Import device's shared objects into Panorama's shared context box checked, this imports the firewall's objects as shared objects, unless there are duplicates. I'm wondering--how does Panorama identify any duplicates? Is it by the name of the object or other characteristics (such as the IP address itself)?

 

For example: If I have an Address Object on one firewall called "Server-DNS" with IP 8.8.8.8 and an Address Object on a different firewall called "DNS-Server" with the same IP 8.8.8.8, will it identify that as a duplicate? I'm assuming not, since you are able to have multiple Address Objects with the same IP, but would like to verify.

 

Thanks!

1 accepted solution

Accepted Solutions

Cyber Elite

Hi @MDroyKT ,

 

I have imported multiple NGFW configs into Panorama, and the duplicates are always removed.  I never thought about the specifics until now.  Here is a doc that explains the process -> https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/manage-firewalls/transition-a-firewall....  Look under the section "Plan how to manage shared settings."  The rules are as follows:

 

  1. If the name and value are the same, it is not imported.
  2. If the name or value differs (assuming one name or value is the same?), the object is imported into the device group and not Shared.
  3. If the object references a shared object or template on the NGFW, it is imported into Shared even if you didn't check the box.

I would love to hear what you find if you import objects with duplicate names and/or values.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.


5 REPLIES 5

Thank you, Tom! It will likely be a few months at least before I get all our firewalls migrated (still in the planning phase for the first firewall migration) but I will make a note to comment back here on it once I do.

 

Thanks,

Michelle

For the mentioned example:

1) different object name but same value: "Server-DNS" with IP 8.8.8.8 and "DNS-Server" also with IP 8.8.8.8

There is nothing available directly on the PAN-OS firewall or Panorama; until now, also not on Strata Cloud Manager.

For all the mentioned Palo Alto Networks products, you can use the PAN-OS-PHP framework with predefined utilities to find and merge, e.g., duplicate address objects by value.

The tool also checks and corrects all places where the object planned for merging is used, replacing it with the object that will be kept.
https://github.com/PaloAltoNetworks/pan-os-php

Also available as a Docker container:

docker run  --name panosphp --rm -v ${PWD}:/share -it swaschkut/pan-os-php:latest


More information about the specific address-merger utility:
https://github.com/PaloAltoNetworks/pan-os-php/wiki/type=address-merger

More predefined merger scripts are available for:
- rule
- address-group
- service
- service-group
- tag
- custom-url-category
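
A pre-migration check for the cases raised in this thread (same name and value, same name only, same value only), as an added example that is not part of any post here and is not Panorama's or pan-os-php's code. The two configs are constructed samples, the function names are hypothetical, and treating 8.8.8.8 and 8.8.8.8/32 as equal is this script's own choice.

```python
import ipaddress
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample configs (not from real devices), trimmed to address objects.
FW1 = """<config><devices><entry><vsys><entry name="vsys1"><address>
  <entry name="Server-DNS"><ip-netmask>8.8.8.8</ip-netmask></entry>
  <entry name="Web-01"><ip-netmask>10.1.1.10/32</ip-netmask></entry>
  <entry name="Proxy"><fqdn>proxy.example.com</fqdn></entry>
</address></entry></vsys></entry></devices></config>"""
FW2 = """<config><devices><entry><vsys><entry name="vsys1"><address>
  <entry name="DNS-Server"><ip-netmask>8.8.8.8/32</ip-netmask></entry>
  <entry name="Web-01"><ip-netmask>10.1.1.10</ip-netmask></entry>
  <entry name="Proxy"><fqdn>proxy2.example.com</fqdn></entry>
</address></entry></vsys></entry></devices></config>"""
VALUE_TAGS = ("ip-netmask", "ip-range", "fqdn")  # object types this sketch compares

def normalize(kind, value):
    """Canonical value so 8.8.8.8 and 8.8.8.8/32 compare equal (this script's choice)."""
    value = value.strip().lower()
    if kind == "ip-netmask":
        try:
            value = ipaddress.ip_interface(value).with_prefixlen
        except ValueError:
            pass  # leave unparseable values untouched
    return kind, value

def load_addresses(xml_text):
    """Return {object name: (kind, normalized value)} for one firewall config."""
    objects = {}
    for entry in ET.fromstring(xml_text).iterfind(".//address/entry"):
        for child in entry:
            if child.tag in VALUE_TAGS:
                objects[entry.get("name")] = normalize(child.tag, child.text or "")
    return objects

def compare(configs):
    """configs: {firewall: xml}. Returns (same name+value, same name only, same value only)."""
    by_name, by_value = defaultdict(set), defaultdict(set)
    for fw, xml_text in configs.items():
        for name, val in load_addresses(xml_text).items():
            by_name[name].add((fw, val))
            by_value[val].add(name)
    exact = sorted(n for n, s in by_name.items() if len(s) > 1 and len({v for _, v in s}) == 1)
    name_only = sorted(n for n, s in by_name.items() if len({v for _, v in s}) > 1)
    value_only = sorted((v[1], sorted(ns)) for v, ns in by_value.items() if len(ns) > 1)
    return exact, name_only, value_only

if __name__ == "__main__":
    for label, found in zip(("name+value", "name only", "value only"), compare({"fw1": FW1, "fw2": FW2})):
        print(label, found)
```

The "name only" list is the one to resolve before import, since those objects carry the same name but point at different destinations on different firewalls.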



Cyber Elite

Thank you @swaschkut for the cool tool!

 

Expedition is also able to clean up the config via the API.

Help the community: Like helpful comments and mark solutions.

L3 Networker

Panorama configurations with a big config file size are hard to optimise.
Based on the feedback of Palo Alto Networks Professional Services engineers, you need to focus on which tool can be used
to be successful in a timely manner.


PAN-OS-PHP has an additional feature: it optimises your configuration and, based on the changes, can provide "set commands",
which can be pasted directly into the Panorama / Firewall CLI.

This feature is needed for customers where a change request must be documented well up front with detailed change commands,
and of course where NO direct PAN-OS XML API access is possible.
