01-26-2023 12:17 AM - edited 01-30-2023 06:50 PM
Create policies from flows in an Excel/CSV file into a particular Panorama Device Group
Hello Live Community, good evening. As always, thanks for the collaboration and the good vibes.
Let me describe the following scenario/situation:
Panorama- Device Groups - HA Firewalls - Policies on Device Groups, Any/Any Allow - Local Policies.
The issue is as follows: for some reason, on one FW (HA) certain admins added local policies and, a more relevant and conflicting point, an any/any/allow policy was created (I know, the worst practice in life) so as not to spend the time to correctly generate the policies based on the real flows; they solved everything with an "allow/any/any".
We have (I have...) the following important situation: there is a huge number of flows matching this any/allow policy, approximately 4,000 flows, that is, unique traffic: Source Zone, Source IP, Destination Zone, Destination IP, Destination Port/Service. Absolutely "unique", nothing repeated, after working to eliminate duplicates, polish the Excel, etc. This is based on reports and traffic logs from the FW against that any/any allow policy, over a 7-day flow.
Now I have a detail of 4,000 flows in an Excel/CSV... The flows will be filtered; not everything will be allowed, but 70 or 80 %. So now the big question is: how could I automate this and handle it more efficiently, quickly and correctly, adding these policies automatically based on the CSV file? But, but, but... the big "but" is that these policies must be added to an already existing Device Group... What do you recommend doing? What strategy would you take, first, to import the policies based on the Excel/CSV and, second, to add these policies, based on the flow of 4,000 unique records, to a Panorama Device Group in Production, altering only that Device Group and no other?
The idea is to alter nothing else in Panorama, no other Device Groups, only the one Device Group where I must make these changes. Where I was thinking of doing this, or how I want to approach solving it, an example of how I was thinking of doing it:
- Import the flows with Expedition against the PANORAMA config, against the particular Device Group, export it from Expedition and then upload it to PANORAMA PRODUCTION. Now the big question: I can import a file, for example the XML, to load it in PANORAMA, but only, only load the config of one Device Group.
I see that in PANORAMA - Setup - Operations - Load Named Configuration - Select Device Groups & Template (also Load Shared Objects - Load Shared Policies - Regenerate Rule UUIDs ... Retain Rule UUIDs). Has someone had to do this... and lived to tell the tale, hehehe: everything commented earlier in the post, but also using Load Named Config - Select Device Groups & Template, loading only the config of a particular Device Group and not touching absolutely anything, nothing at all, of the rest of the configs?
- Does anyone have any recommendation, advice or point of view to solve this situation?
Thank you in advance for the time, for the collaboration, for the possible advice, comments, good vibes, understanding, etc.
Thanks, I'll stay tuned
01-30-2023 06:49 PM
Hello @TomYoung @Astardzhiev
Hello, thanks to both of you for the usual collaboration.
Have any of you had to deal with a situation similar to this post?
-What would be your advice, to give an approach and look for the most correct and risk free procedure to do this, thinking in a critical platform.
Thank you, I remain attentive
01-30-2023 08:14 PM - edited 01-30-2023 08:28 PM
Hi @Metgatz ,
Thank you for the collaboration. I must go to bed, so I will be quick. Another idea to think about is to add Panorama as a device in Expedition. Expedition can analyze the logs and create rules. You can push the changes via API.
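As an added example of the CSV-to-device-group approach discussed in this thread (not the poster's, Expedition's or Palo Alto's code): a Python script that groups the unique flows from the CSV into candidate rules and builds PAN-OS XML API `set` calls scoped to the pre-rulebase of one device group only. The CSV column names, the rule-name prefix and the service-object naming convention are assumptions.

```python
import csv
import io
from collections import defaultdict
from xml.sax.saxutils import escape

# Constructed sample in the shape described in the post: one unique flow per row.
SAMPLE_CSV = """src_zone,src_ip,dst_zone,dst_ip,dst_port
trust,10.1.1.10,dmz,10.2.2.20,tcp/443
trust,10.1.1.11,dmz,10.2.2.20,tcp/443
trust,10.1.1.10,untrust,203.0.113.5,udp/53
"""

# Pre-rulebase of one device group; nothing outside this xpath is touched.
DG_XPATH = ("/config/devices/entry[@name='localhost.localdomain']"
            "/device-group/entry[@name='{dg}']/pre-rulebase/security/rules")


def group_flows(csv_text):
    """Collapse flows sharing zones, destination and service into one candidate rule.
    Returns {(src_zone, dst_zone, dst_ip, service): sorted list of source IPs}."""
    groups = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (row["src_zone"], row["dst_zone"], row["dst_ip"], row["dst_port"])
        groups[key].add(row["src_ip"])
    return {k: sorted(v) for k, v in groups.items()}


def members(tag, values):
    inner = "".join("<member>%s</member>" % escape(v) for v in values)
    return "<%s>%s</%s>" % (tag, inner, tag)


def build_set_requests(csv_text, device_group, prefix="auto"):
    """One (xpath, element) pair per rule, all scoped to the given device group.
    Assumes service objects named like 'tcp-443' already exist (Shared or in the DG)."""
    out = []
    for i, (key, srcs) in enumerate(sorted(group_flows(csv_text).items()), start=1):
        src_zone, dst_zone, dst_ip, service = key
        element = ("<entry name='%s-%03d'>" % (escape(prefix), i)
                   + members("from", [src_zone]) + members("to", [dst_zone])
                   + members("source", srcs) + members("destination", [dst_ip])
                   + members("service", [service.replace("/", "-")])
                   + members("application", ["any"]) + "<action>allow</action></entry>")
        out.append((DG_XPATH.format(dg=device_group), element))
    return out


def api_params(xpath, element, api_key):
    """Query parameters for a PAN-OS XML API config 'set' call (POST to https://<panorama>/api/)."""
    return {"type": "config", "action": "set", "xpath": xpath,
            "element": element, "key": api_key}
```

Each pair is sent as one `set` call; after the batch, review the candidate rules on Panorama before committing and pushing to that device group, since the rules are only as good as the de-duplicated flow list behind them.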