About swaschkut

Panorama configurations with big config file size are hard to optimise. Based on the feedback of Palo Alto Networks Professional Services engineers, you need to focus on which tool can be used, to be successfully in a timely manner. PAN-OS-PHP has an additional feature by optimise your configuration and based on the changes it is possible to provide "set commands",  which can be directly pasted into the Panorama / Firewall CLI. This feature is needed for customers where a ChangeRequest must be up-front documented well with detailed change commands, and of course where NO direct PAN-OS XML API access is possible. ... View more

for the mentioned example: 1) different object name but same value: "Server-DNS" with IP 8.8.8.8 and "DNS-Server" also with IP 8.8.8.8 there is nothing available directly on PAN-OS Firewall or Panorama; until now also not on the Strata Cloud Manager. For all the mentioned Palo Alto Networks products you can use PAN-OS-PHP framework with predefined utilities to find and merge e.g. duplicate address objects by value. The tool is also checking and correcting all places where the planned merged object is used and is replacing it with the object which will be kept. https://github.com/PaloAltoNetworks/pan-os-php also available as Docker Container: docker run --name panosphp --rm -v ${PWD}:/share -it swaschkut/pan-os-php:latest more information about the specific address-merger utility: https://github.com/PaloAltoNetworks/pan-os-php/wiki/type=address-merger more predefined merger scripts available for: - rule - address-group - service - service-group - tag - custom-url-category ... View more

If there is still a general need to migrate PANOS bi-dir-nat policy into two separate NAT policy, one for SRC one for DST, you can use PAN-OS-PHP: https://github.com/PaloAltoNetworks/pan-os-php This Framework is available also as Docker Container: docker run --name panosphp --rm -v ${PWD}:/share -it swaschkut/pan-os-php:latest the syntax to change bi-dir-nat into two NAT policy, where the migration is exactly the PAN-OS behaviour, to create the second hidden NAT rule as a configured one; please be aware, as the generated NAT rule, is exactly how PAN-OS FW behave, please adjust this NAT rule and configure specific SRC IP addresses in another config change step. offline config manipulation: pan-os-php type=rule ruletype=nat 'actions=biDirNat-Split' in=input.xml out=output.xml location={{DeviceGroup/virtual-system}} or usine PAN-OS XML API: pan-os-php type=rule ruletype=nat 'actions=biDirNat-Split' in=api://{{MGMT-IP}} location={{DeviceGroup/virtual-system}}   This functionality to handle bi-dir-nat policy and split them , is available since March 22nd 2016, and was introduced by myself in the former tool called pan-configurator: https://github.com/swaschkut/pan-configurator/commit/22472b0d5f84604474e882e111130eb71372e8c9 ... View more

As I had the same concern and I always like to by prepared, please check this helper Tool, to avoid manual changes in specific if you have a huge Panorama configuration file, with a big amount of url-filtering SecurityProfiles: https://github.com/PaloAltoNetworks/pan-os-php pan-os-php type=securityprofile in= api://MGMT-IP location=any securityProfileType=url-filtering 'filter=(allow has ransomware)' actions=url-filtering-action-set:block,ransomware My recommendation is use PAN-OS-PHP Docker Container: https://github.com/PaloAltoNetworks/pan-os-php/blob/main/READMEdocker.md#deploy-pan-os-php-with-docker ... View more

to avoid manual cleanup of your configuration, there is already an automation script available since years, to help you there: PAN-OS-PHP https://github.com/PaloAltoNetworks/pan-os-php pan-os-php type=xml-issue in= api://MGMT-IP out=output.xml of course the output.xml must be loaded back into device: pan-os-php type=upload in=output.xml out= api://MGMT-IP loadafterupload ... View more

Sorry for updating this. Please be aware that pan-configurator was stopped, but continued under a new name and repository: https://github.com/PaloAltoNetworks/pan-os-php it has the same features set from pan-configurator, but already improved and extended. ... View more

Please be aware that pan-configurator project was replaced with PAN-OS-PHP; https://live.paloaltonetworks.com/t5/api-articles/pan-os-php-scripting-library-and-utilities/ta-p/404396 https://github.com/PaloAltoNetworks/pan-os-php PAN-OS-PHP had the same but already improved and extended feature set compare to pan-configurator. regards Sven ... View more

I just saw these comments related to pan-configurator. Please be aware that I continued pan-configurator under a new name and repository: https://github.com/PaloAltoNetworks/pan-os-php It has all the same functionality from the past, but more features and improved handling. I am also working on an PAN-OS-PHP API, PAN-OS-PHP GUI in additional to the still available PAN-OS-PHP CLI. To bring in some information about to answer the problem from March 2021, where it was not possible to download Panorama configuration. This problem is related to a PAN-OS problem and was fixed in May 2021 by Palo Alto Networks, but I also introduced a work around, if I am not mistaken at this time also public in pan-configurator. For any feature request, please feel free to open an Github issue. Regards Sven ... View more

the mentioned Sonicwall migration script will be available within Expedition 2.0. Please be aware that until now no EXP config exported config is supported and also Sonicwall version is limited to <6.5 Sonicwall config export must be done this way: 1) login via SSH 2) no cli pager session 3) show current-config ... View more

yes, with exporting the candiate-config and a reimport of the same, the Panorama DB which hold the configuration is refreshed. Please be informed that this issue you are running into, is not an Expedition issue. So we from Expedition team can only give you advise how you can use the work around, so that you can continue your work. For more problem solving part please open a Palo Alto Networks Tac case related to PAN-OS API. regards Sven -------------------- Solutions Engineer - Expedition ... View more

HI John,   can you please reach out to us via: fwmigrate@paloaltonetworks.com   thanks Sven ... View more

  @ncalderon can you please explain both parts a little bit more closure: 1) what is your exact expectation? 2) do you have an explicit vendor in mind? or is this a general request? ... View more

Hi, please reach out to use via fwmigrate@paloaltonetworks.com We will find a way for secure sharing the config. regards Sven ... View more

EDIT: 20221012 as mention the tool is underdevelopment but you can of course ping me via mail and I will send you the installation instructions plus the tool itself. statement is no longer correct     regards Sven ... View more