I'm looking for the developers of Expedition to have a look at a case opened by one of our biggest partners in APAC (Telstra). They had to roll back a customer migration a few days ago because a couple of rules were missing a URL category that was lost through the use of the Migration Tool.
In the process of importing, two rules failed to include a destination URL category that resulted in problems with the migrated policy, but only those two rules. Other rules imported and exported successfully, and they can reproduce the problem on my Expedition VM.
The original rule:
Rule: 1 - allow online storage users access to the cloud
Source: Trust
Dest: Untrust
User: Group: online-storage
App: Web-browsing, SSL, Sharefile, Dropbox, Accellion, etc.
Destination URL category: online-storage-and-backup
Profiles: URL Filtering (Allow: online-storage-and-backup; Block: everything else)
The same rule was missing the dest URL category in Expedition, in the exported XML, and in the new Device Group once imported into Panorama:
Rule: 1 - allow online storage users access to the cloud
Source: Trust
Dest: Untrust
User: Group: online-storage
App: Web-browsing, SSL, Sharefile, Dropbox, Accellion, etc.
Destination URL category: Any
Profiles: URL Filtering (Allow: online-storage-and-backup; Block: everything else)
This resulted in almost all SSL and web-browsing traffic matching the erroneous rule and being blocked. To fix this they ran an audit against the pre-migrated policy and remediated one more rule; the remaining rules seemed to be OK. There were no errors in the Expedition logs indicating an import issue, but it does raise a concern that other policy elements failed to import.
They can repeat the issue on demand and would call it a bug, so it should probably be raised with the Expedition dev team.
They believe the issue may lie with a static content and app db in Expedition, and either the tool needs to be able to update content revisions or use what is available in the base config XML.
They noticed Expedition gives you the option to import apps and URL categories from a target device via the API, but this may not always be possible (e.g. running Expedition off-site).
I'm aware that developers were talking to Telstra recently, so it might be a good opportunity to do the same.
Thanks!
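The audit described in the post (comparing the pre-migration policy with what came out of Expedition) can be scripted. The following is an added example, not code from the original post, from Expedition, or from Palo Alto Networks: it parses two PAN-OS-style XML rulebases, collects every member list of each security rule, and flags any rule whose destination URL category (or any other list field) was silently widened to "any" or dropped. The element paths follow the PAN-OS rulebase layout (rulebase/security/rules/entry with category, application, source-user, ... children); the two rulebases themselves are constructed for the example, and treating an absent member list as "any" is an assumption made here for the audit.

```python
"""Audit PAN-OS security rules before and after a migration (added example).

Parses a pre-migration and a post-migration rulebase, extracts every
<member> list per rule, and reports fields that were widened to 'any',
changed, or rules that vanished. The sample rulebases are constructed.
"""
import xml.etree.ElementTree as ET

# Security-rule children that carry <member> lists in PAN-OS XML.
LIST_FIELDS = ("from", "to", "source", "destination", "source-user",
               "category", "application", "service")

# Constructed pre-migration rulebase: rule 1 is scoped by URL category.
PRE_XML = """<config><devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
<rulebase><security><rules>
  <entry name="1 - allow online storage users access to the cloud">
    <from><member>Trust</member></from>
    <to><member>Untrust</member></to>
    <source><member>any</member></source>
    <destination><member>any</member></destination>
    <source-user><member>online-storage</member></source-user>
    <category><member>online-storage-and-backup</member></category>
    <application><member>web-browsing</member><member>ssl</member>
      <member>sharefile</member><member>dropbox</member><member>accellion</member></application>
    <service><member>application-default</member></service>
    <action>allow</action>
  </entry>
  <entry name="2 - general web">
    <from><member>Trust</member></from>
    <to><member>Untrust</member></to>
    <source><member>any</member></source>
    <destination><member>any</member></destination>
    <source-user><member>any</member></source-user>
    <category><member>any</member></category>
    <application><member>web-browsing</member><member>ssl</member></application>
    <service><member>application-default</member></service>
    <action>allow</action>
  </entry>
</rules></security></rulebase></entry></vsys></entry></devices></config>"""

# Constructed post-migration rulebase: identical except that rule 1 lost its
# URL category, which is exactly the symptom described in the post.
POST_XML = PRE_XML.replace(
    "<category><member>online-storage-and-backup</member></category>",
    "<category><member>any</member></category>", 1)


def load_rules(xml_text):
    """Return {rule_name: {field: set_of_members}} for every security rule."""
    root = ET.fromstring(xml_text)
    rules = {}
    for entry in root.findall(".//rulebase/security/rules/entry"):
        fields = {}
        for field in LIST_FIELDS:
            node = entry.find(field)
            members = set()
            if node is not None:
                members = {m.text.strip() for m in node.findall("member") if m.text}
            # Assumption for the audit: a missing list behaves like 'any'.
            fields[field] = members or {"any"}
        rules[entry.get("name")] = fields
    return rules


def audit(pre, post):
    """Compare rulebases; return (rule, field, before, after, severity) tuples.

    WIDENED: a field that was specific before is 'any' after (more traffic
             will match the rule, the failure mode in the post).
    CHANGED: members differ in some other way.
    MISSING: the rule is absent from the migrated policy.
    """
    findings = []
    for name, before in pre.items():
        after = post.get(name)
        if after is None:
            findings.append((name, "rule", ["present"], ["missing"], "MISSING"))
            continue
        for field in LIST_FIELDS:
            b, a = before[field], after[field]
            if b != a:
                sev = "WIDENED" if a == {"any"} and b != {"any"} else "CHANGED"
                findings.append((name, field, sorted(b), sorted(a), sev))
    return findings


def widened_url_categories(pre, post):
    """Names of rules whose destination URL category collapsed to 'any'."""
    return [f[0] for f in audit(pre, post)
            if f[1] == "category" and f[4] == "WIDENED"]


if __name__ == "__main__":
    pre_rules, post_rules = load_rules(PRE_XML), load_rules(POST_XML)
    for rule, field, before, after, sev in audit(pre_rules, post_rules):
        print(f"[{sev}] {rule!r} {field}: {before} -> {after}")
```

Running it prints one WIDENED finding for the category field of rule 1 and nothing for rule 2. Because every member list is compared, not just the URL category, the same pass surfaces any other element that failed to come across, which addresses the concern that the lack of Expedition log errors does not prove the rest of the policy imported intact.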