Palo Alto Networks Knowledgebase: How to Import Palo Alto Networks Firewall Configurations into Panorama

How to Import Palo Alto Networks Firewall Configurations into Panorama

10755
Created On 02/08/19 00:05 AM - Last Updated 02/08/19 00:05 AM
Cortex Data Lake Panorama
Resolution

Overview

This document describes how to manually import the policies of an existing Palo Alto Networks firewall into Panorama.  Addresses, address groups, services and policies will be imported so the same policies can be applied to other firewalls that are managed by Panorama.

Assumptions

  • You have a PAN firewall that has a configuration on it.
  • An instance of Panorama is up and running with the same version of PAN-OS (or higher).
  • You have Web and CLI administrator access to both the firewall and Panorama.

Steps

  1. You will need a device group on Panorama. The policies will be imported into this device group. If you do not already have a device group created for this purpose, use the Panorama GUI to create one.  There is no need to assign any devices to this group at the moment. Here is an example group:

    1.png

    If you created a new group, commit the change in Panorama.

  2. SSH to the firewall whose configuration is to be imported. Once in the firewall, configure the CLI to present its output in set format by issuing the command:

    set cli config-output-format set

    Then go to into configuration mode.  Here is an example:

    2.png

  3. When converting an existing firewall configuration via the set commands into Panorama, you are going to need to address different parts of the configuration in order.  The following are converted one at a time.  As of PAN-OS 3.1.7, the order follows the flow shown below.
    ItemCLI Command
    Addressshow address
    Address Groupsshow address-group
    Servicesshow service
    Service Groupsshow service-group
    Log Settingsshow shared log settings
    Server Profileshow shared server-profile
    Applicationshow application
    Application Filtersshow application-filter
    Application Groupsshow application-group
    Application Overrideshow rulebase application-override
    Security Profilesshow profiles
    Security Rulesshow rulebase security rules


    Importing Address Objects
    Show, convert, and import address objects from the firewall into Panorama.

  4. On the firewall, issue the command: show address

    to display all address objects.  Your output should look similar to this:

    3.png

  5. Copy all of the addresses set commands to a text file.
  6. Once your addresses are in a text file, we will perform a search and change set address to set shared address.

    4.png

    Once you have replaced all instances of this, your set objects from the firewall should look like:

    5.png

  7. SSH to the target Panorama server.  To be able to enter multiple commands at one time, you will need to turn on scripting-mode in Panorama. Set the CLI to scripting-mode, and enter config mode:

    set cli scripting-mode on

    configure

    6.png

  8. Copy the modified set commands from the text file and paste them at the Panorama command prompt:

    7.png

    Make sure you do not see “invalid syntax” errors.  If you cannot paste multiple lines at a time, you may need to experiment with different ssh programs/different operating systems.


    Note: In scripting-mode, auto-complete is not enabled. Thus if you need to check the syntax of a command, you will need to disable scripting mode, test the command, then re-enable scripting mode.

  9. In the Panorama GUI, go to the Objects tab > Addresses screen, and confirm you can see the imported addresses there.  Make sure all your address objects were imported.


    Importing Address Groups, Services, etc.

  10. Conversion of other components is performed in the same way.  Examine the second column below. Execute each command on the firewall, copy the output to your text file, edit your text file, then copy those new commands into Panorama.


    Note: When doing this make sure whatever editor you are cutting and pasting into does not mistakenly cut command lines where they were wrapped in the console.  If you get invalid syntax warnings, check your input to see if there were any set commands which were chopped during the copying process.

    Policy ComponentShow CommandSearch TextReplace Text
    Show commandSearch TextReplace Text
    Addressshow addressset addressset shared address
    Address Groupsshow address-groupset address-groupset shared address-group
    Servicesshow serviceset serviceset shared service
    Service Groupsshow service-groupset service-groupset shared service-group
    Log Settingsshow shared log-settingsN/AN/A
    Server Profileshow shared server-profileN/AN/A
    Applicationshow applicationset applicationset shared application
    Application Filtersshow application-filterset application-filterset shared application-filter
    Application Groupsshow application-groupset application-groupset shared application-group
    Application Overrideshow rulebase application-overrideset rulebase application-overrideset device-group <device group> pre-rulebase application-override


    STOP once you get to the copying of the security rulebase into Panorama.

    Importing the Security Rulebase


  11. Before importing the security policies, you need to disable logging to Panorama. On the firewall, either modify your log forwarding profile to remove Panorama, or edit each security policy and set the log forwarding profile to none:

    8.png

  12. If you just modified your firewall configuration, commit your changes.
  13. On the firewall, issue the command:

    show rulebase security rules

    Copy and paste all of the security rules to a text document.  Review the commands to make sure there are no incorrect carriage returns -- those will cause you to import invalid data and possibly create erroneous rules.

  14. In the text file, do a search and replace, making sure to use your device group name from step 1:
    • SEARCH: set rulebase security rules
    • REPLACE: set device-group <device group name> pre-rulebase security rules
      Note: The above replace string assumes that you want to import the policies into your security pre-rulebase.
  15. Cut and paste these rules into the Panorama CLI. Initially, cut and paste the very first command, then cut and paste all commands associated with the first rule. This way you can monitor for errors. Once you have a few commands successfully entered, enter the commands in bulk. Once you enter all the commands successfully, you should be able to see your policies in the pre-rulebase for your particular device group.
  16. PAN-OS 5.x: Network and device templates were introduced for Panorama in PAN-OS 5.0. In order to import the firewall config into Panorama, please make sure that the Templates are configured in advance with the respective devices added into each template with their configurations (multi-vsys, operational-mode, vpn-disable-mode) in place.
    For example, to import an interface config run the command: show network interface. Search for set network and replace it with set template (name of the template) config. Conversion for some of the main components are shown below:
    ComponentShow CommandSearch TextReplace Text
    Network#show network interface#set network#set template (template name) config network
    Device config#show deviceconfig#set deviceconfig#set template (template name) config deviceconfig
  17. To turn off scripting mode:
    set cli scripting-mode off
  18. Commit this config in Panorama.


At this point, the firewall policies have been imported and additional firewalls can be added to this device group. Also, these pre-rules can be applied to the newly added firewalls.

owner: gmaxwell



Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clf2CAC&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments
Choose Language