It can be done, though Palo Alto will tell you otherwise :-). If you're still interested, here's how I did it. We installed 4 x PA-2050s which we duplicated all by hand (no HA pairs). Panorama came later. I got tired of re-doing the same stuff, it felt stupid, so I figured out a hack that works, but still involves some scheduled downtime.

First, you want to figure out which device will become your point of reference (i.e. the policy that you want Panorama to use).

Second, from that device, go to the management settings and do this sequence:
- Save Named Configuration Snapshot
- Export Named Conf. Snapshot

Third, the file you just saved is the device policy/configuration in raw XML format. Keep this handy.

Fourth, log in to a fresh build of Panorama. Do the same, exporting its XML snapshot. You'll need both, as the base formatting for each is slightly different and some things cannot be straight cloned (device name, IP, etc.).

Fifth, go back to Panorama, and create a few dummy rules/objects (an address or two, a URL filtering "pre" rule, and a decryption "pre" rule). The idea here is to get an understanding of the syntax changes between PA and Panorama XMLs (I have no idea why they are different, but some were when I did this (3.1.9 -> 4.1.1)).

Sixth, re-export the current Panorama XML file.

Seventh, compare the dummy Panorama rules/objects to the existing PA device's XML. Note syntax changes. Now delete the dummy rules/objects.

Eighth, start copying a few small sections from the device XML to the Panorama XML file's "pre-rules" section (for example, just the "addresses" section). We are doing small chunks because the process breaks easily -- if you do too much, you won't know what broke the import.

Ninth, upload the revised Panorama XML file to the Panorama box.
- Import Named Conf. Snapshot
- Load Named Conf. Snapshot

Repeat forever until done! :-) Yes, it is tedious; I spaced this out over 2-3 days to make it a little easier to digest haha!

EDIT -- LOL! I just realized that I described the process to IMPORT the policy to Panorama, but not how to finish and tie it to the PA devices.

To fully manage your devices using Panorama's policy, you will end up needing to schedule downtime for each unit (one at a time). Basically it boils down to this: you have to nearly nuke the PA firewall, erasing all items that appear in Panorama's policy (it won't overwrite an existing rule/object; instead it will fail when you push it). So in my case, it involved deleting all objects, addresses, profiles, and rules. A quick way of doing that is also by manipulation of the device XML file. It WILL kill all traffic going through the device. Then, link the device to Panorama and push the new policy from Panorama down.

DO A BACKUP BEFORE NUKING YOUR CONFIG!!!! :smileylaugh: I shouldn't have to say that but you know, someone will forget haha!

It will eventually work, just don't rush the rule moves or you will spend more time re-doing it/troubleshooting what didn't take. I now have a Panorama 4.1.1 box managing 4 x 2050s on 4.1.1, works like a charm now!

David.

ps. I know, it's an old post that I'm replying to, but PA's support will just flat out say "it can't be done"... not a great answer, when this type of logic [the import process] could easily be built into Panorama. The export could be done in real-time if the PA allowed the overwriting of existing rules/objects.
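As an added example that is not part of the post above or of any Palo Alto tooling: a small script for the "copy one small section at a time" step, moving the address objects from the device snapshot into the Panorama snapshot and reporting same-named objects instead of overwriting them (the push failure the post describes). Both XML layouts, the paths, and the device-group name are assumptions built from constructed sample data, not from a real export.

```python
import copy
import xml.etree.ElementTree as ET

# Constructed sample of a device "named configuration snapshot". The layout
# (address objects under vsys1) is an assumption, not a real export.
DEVICE_XML = """<config>
  <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
    <address>
      <entry name="web-srv"><ip-netmask>10.0.1.10/32</ip-netmask></entry>
      <entry name="dmz-net"><ip-netmask>10.0.2.0/24</ip-netmask></entry>
    </address>
  </entry></vsys></entry></devices>
</config>"""

# Constructed sample of a fresh Panorama snapshot (assumed layout: objects for a
# device group sit under device-group/entry). A dummy object is still in place.
PANORAMA_XML = """<config>
  <devices><entry name="localhost.localdomain"><device-group><entry name="dg-branch">
    <address>
      <entry name="dmz-net"><ip-netmask>192.0.2.0/24</ip-netmask></entry>
    </address>
  </entry></device-group></entry></devices>
</config>"""

DEVICE_SCOPE = "./devices/entry/vsys/entry"            # assumed device-side path
PANORAMA_SCOPE = "./devices/entry/device-group/entry"  # assumed Panorama-side path

def merge_section(device_xml, panorama_xml, section):
    """Copy one small section (e.g. "address") from the device snapshot into the
    Panorama snapshot. Same-named entries are reported, not overwritten, since a
    push that hits an existing object on the device fails instead of replacing it."""
    dev = ET.fromstring(device_xml)
    pan = ET.fromstring(panorama_xml)
    src = dev.find(f"{DEVICE_SCOPE}/{section}")
    if src is None:
        raise ValueError(f"device snapshot has no <{section}> section")
    dst = pan.find(f"{PANORAMA_SCOPE}/{section}")
    if dst is None:  # first chunk of this kind: create the section in the device group
        dst = ET.SubElement(pan.find(PANORAMA_SCOPE), section)
    existing = {e.get("name") for e in dst.findall("entry")}
    copied, conflicts = [], []
    for entry in src.findall("entry"):
        name = entry.get("name")
        if name in existing:
            conflicts.append(name)  # resolve by hand before the next import
            continue
        dst.append(copy.deepcopy(entry))
        copied.append(name)
    return ET.tostring(pan, encoding="unicode"), copied, conflicts
```

Run it once per section, check the conflicts list, then import/load the returned XML as the post describes before moving on to the next chunk.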