How to Import Palo Alto Networks Firewall Configurations into Panorama
This document describes how to manually import the policies of an existing Palo Alto Networks firewall into Panorama. Addresses, address groups, services and policies will be imported so the same policies can be applied to other firewalls that are managed by Panorama.
- You have a Palo Alto Networks firewall with an existing configuration on it.
- An instance of Panorama is up and running with the same version of PAN-OS (or higher).
- You have Web and CLI administrator access to both the firewall and Panorama.
- You will need a device group on Panorama. The policies will be imported into this device group. If you do not already have a device group created for this purpose, use the Panorama GUI to create one. There is no need to assign any devices to this group at the moment.
If you created a new group, commit the change in Panorama.
- SSH to the firewall whose configuration is to be imported. Once in the firewall, configure the CLI to present its output in set format by issuing the command:
set cli config-output-format set
Then enter configuration mode with the configure command.
- When converting an existing firewall configuration via the set commands into Panorama, you need to address the different parts of the configuration in order, because later objects reference earlier ones (for example, address groups reference addresses and security rules reference both). The following are converted one at a time. As of PAN-OS 3.1.7, the order is as follows:
Item                  CLI Command
Address               show address
Address Groups        show address-group
Services              show service
Service Groups        show service-group
Log Settings          show shared log-settings
Server Profile        show shared server-profile
Application           show application
Application Filters   show application-filter
Application Groups    show application-group
Application Override  show rulebase application-override
Security Profiles     show profiles
Security Rules        show rulebase security rules
Importing Address Objects
Show, convert, and import address objects from the firewall into Panorama.
- On the firewall, issue the command show address to display all address objects. Because the output format is set, each object is printed as one or more lines beginning with set address.
- Copy all of the set address commands to a text file.
- In the text file, search for set address and replace it with set shared address. When you have replaced every instance, each line from the firewall should begin with set shared address; the rest of the line (object name, ip-netmask, description, and so on) stays unchanged.
- SSH to the target Panorama server. To be able to enter multiple commands at one time, you will need to turn on scripting mode in Panorama. Set the CLI to scripting mode with the command below, then enter configuration mode with configure:
set cli scripting-mode on
- Copy the modified set commands from the text file and paste them at the Panorama configuration prompt.
Make sure you do not see "invalid syntax" errors. If you cannot paste multiple lines at a time, try a different SSH client or terminal; some clients throttle or mangle multi-line pastes.
Note: In scripting-mode, auto-complete is not enabled. Thus if you need to check the syntax of a command, you will need to disable scripting mode, test the command, then re-enable scripting mode.
- In the Panorama GUI, go to the Objects tab > Addresses screen, and confirm you can see the imported addresses there. Make sure all your address objects were imported.
Importing Address Groups, Services, etc.
- Conversion of other components is performed in the same way. Examine the second column below. Execute each command on the firewall, copy the output to your text file, edit your text file, then copy those new commands into Panorama.
Note: Make sure the editor you are copying into does not split a command where the console wrapped it. If you get invalid syntax warnings, check your input for set commands that were chopped into two lines during copying.
Policy Component      Show Command                        Search Text                        Replace Text
Address               show address                        set address                        set shared address
Address Groups        show address-group                  set address-group                  set shared address-group
Services              show service                        set service                        set shared service
Service Groups        show service-group                  set service-group                  set shared service-group
Log Settings          show shared log-settings            N/A                                N/A
Server Profile        show shared server-profile          N/A                                N/A
Application           show application                    set application                    set shared application
Application Filters   show application-filter             set application-filter             set shared application-filter
Application Groups    show application-group              set application-group              set shared application-group
Application Override  show rulebase application-override  set rulebase application-override  set device-group <device group> pre-rulebase application-override
STOP before copying the security rulebase into Panorama; it needs the extra preparation described in the next section.
Importing the Security Rulebase
- Before importing the security policies, you need to disable logging to Panorama. On the firewall, either modify your log forwarding profile to remove Panorama, or edit each security policy and set its log forwarding profile to none.
- If you just modified your firewall configuration, commit your changes.
- On the firewall, issue the command:
show rulebase security rules
Copy and paste all of the security rules to a text document. Review the commands to make sure there are no stray line breaks; a broken line either fails with "invalid syntax" or, worse, imports as a truncated rule that does not match what the firewall enforces.
- In the text file, do a search and replace, using the name of the device group you created or chose in the prerequisites:
- SEARCH: set rulebase security rules
- REPLACE: set device-group <device group name> pre-rulebase security rules
Note: The above replace string assumes that you want to import the policies into your security pre-rulebase.
- Paste these rules into the Panorama CLI. Start with the very first command on its own, then paste all of the commands belonging to the first rule, so you can watch for errors. Once a few commands have been accepted cleanly, paste the rest in bulk. When all commands have been entered successfully, the policies appear in the pre-rulebase of your device group.
- PAN-OS 5.x: Network and device templates were introduced for Panorama in PAN-OS 5.0. Before importing the firewall configuration into Panorama, make sure the templates are configured in advance, with the respective devices added to each template and their settings (multi-vsys, operational-mode, vpn-disable-mode) in place.
For example, to import an interface configuration, run show network interface on the firewall, then search for set network and replace it with set template <template name> config network. The conversion for the main template components is shown below:
Component      Show Command            Search Text       Replace Text
Network        show network interface  set network       set template <template name> config network
Device config  show deviceconfig       set deviceconfig  set template <template name> config deviceconfig
- To turn off scripting mode:
set cli scripting-mode off
- Commit this config in Panorama.
At this point, the firewall policies have been imported and additional firewalls can be added to this device group. Also, these pre-rules can be applied to the newly added firewalls.