Hello PANgurus, good evening. As always, thanks for the collaboration and the good vibes.
Here is the scenario/situation I have:
Panorama - Device Groups - HA Firewalls - Policies on Device Groups, Any/Any Allow - Local Policies.
The issue is as follows: for some reason, on one (HA) FW, certain admins added local policies, and, a more relevant and conflictive point, an any/any/allow policy was created (I know, the worst practice in life) so as not to spend the time correctly generating the policies based on the real flows; they solved everything with an "allow/any/any".
We have (I have...) the following important situation: there is a huge number of flows through this any/allow policy, approximately 4,000 flows, that is, unique traffic: Source Zone, Source IP, Destination Zone, Destination IP, Destination Port/Service. Absolutely "unique", nothing repeated, after working to eliminate duplicates, polish the Excel, etc. This is based on reports and traffic logs from the FW against that any/any allow policy, over a 7-day flow window.
Now I have a detail of 4,000 flows in an Excel/CSV. The big question now is how I could automate this and handle it more efficiently, quickly and correctly, adding these policies automatically, but, but, but... the big "but" is that these policies must be added to an already existing Device Group. What do you recommend? What strategy would you take, first, to import the policies based on the Excel/CSV and, second, to add these policies, based on the 4,000 unique records, to a Panorama Device Group in Production, altering only that Device Group and no other?
The idea is to do this without altering anything else in Panorama, no other Device Groups, only the one Device Group where I must make these changes. Where I was thinking of doing this, or how I want to approach solving it, here is an example of how I was thinking of doing it:
---- Import the flows with Expedition against the PANORAMA config, against the particular Device Group, export it from Expedition and then upload it to PANORAMA PRODUCTION. Now the big question: I can import a file, for example the XML, and load it into PANORAMA, but only, only load the config of one Device Group.
I see that in PANORAMA > Setup > Operations > Load Named Configuration there is "Select Device Groups & Templates" (also "Load Shared Objects", "Load Shared Policies", "Regenerate Rule UUIDs" / "Retain Rule UUIDs"). Has someone had to do this... and lived to tell the tale, hehehe? Everything I commented on earlier in the post, but also using Load Named Config > Select Device Groups & Templates and only loading the config of a particular Device Group, without touching absolutely anything, nothing at all, from the rest of the configs? -----
Thank you in advance for the time, for the collaboration, for the possible advice, comments, good vibes, understanding, etc.
Thanks, I'll stay tuned
Best regards
If you are able to leverage Expedition to actually get a usable config snippet, the best next move would be to load that config into Panorama and then do a 'load config partial' from the CLI, so you have more control over where the snippet is imported to, and also over the behavior of the import (append, merge, replace).
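As an added illustration of the two halves of this thread (turning the de-duplicated CSV into rules for one Device Group, then merging them with 'load config partial'), here is an example script. It is not from the original poster, the replier, Expedition or Palo Alto Networks; it assumes the CSV columns shown in the sample, a device group named "DG-Branch", a rule-name prefix "auto-flow" and a service-object naming scheme "svc-<proto>-<port>", all of which are the example's own choices. It collapses flows that share zones, destination and service into one rule with several source members, which cuts the rule count well below one rule per flow while still positively enumerating every observed flow, and it refuses any row that would recreate an "any" zone.

```python
import csv
import io
import ipaddress
import xml.etree.ElementTree as ET
from collections import OrderedDict

# Constructed sample rows with the columns the post describes (the real
# export has ~4,000 of them); one exact duplicate is included on purpose.
SAMPLE_CSV = """src_zone,src_ip,dst_zone,dst_ip,protocol,dst_port
trust,10.1.1.10,dmz,192.168.50.20,tcp,443
trust,10.1.1.10,dmz,192.168.50.20,tcp,443
trust,10.1.1.12,dmz,192.168.50.20,tcp,443
trust,10.1.1.11,untrust,203.0.113.7,udp,53
dmz,192.168.50.20,trust,10.1.2.5,tcp,1433
"""
DEVICE_GROUP = "DG-Branch"  # assumed name of the one device group to change
RULE_PREFIX = "auto-flow"   # assumed naming convention for generated rules
DG_XPATH = ("/config/devices/entry[@name='localhost.localdomain']"
            "/device-group/entry[@name='{dg}']")

def _norm_ip(text):
    """Accept a host address or a CIDR; anything else is a bad row."""
    try:
        return str(ipaddress.ip_address(text.strip()))
    except ValueError:
        return str(ipaddress.ip_network(text.strip(), strict=False))

def parse_flows(csv_text):
    """Validate each row and drop exact duplicates, keeping file order."""
    seen = OrderedDict()
    for n, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        src_zone, dst_zone = row["src_zone"].strip(), row["dst_zone"].strip()
        proto, port = row["protocol"].strip().lower(), int(row["dst_port"])
        # The whole exercise is to retire any/any, so refuse to re-create it.
        if not src_zone or not dst_zone or "any" in (src_zone, dst_zone):
            raise ValueError(f"line {n}: zones must be explicit")
        if proto not in ("tcp", "udp"):
            raise ValueError(f"line {n}: unsupported protocol {proto!r}")
        if not 1 <= port <= 65535:
            raise ValueError(f"line {n}: port {port} out of range")
        key = (src_zone, _norm_ip(row["src_ip"]), dst_zone,
               _norm_ip(row["dst_ip"]), proto, port)
        seen.setdefault(key, None)
    fields = ("src_zone", "src", "dst_zone", "dst", "proto", "port")
    return [dict(zip(fields, k)) for k in seen]

def group_flows(flows):
    """One rule per (zones, destination, service) with every source as a
    member: far fewer rules than one per flow, same positive enumeration."""
    groups = OrderedDict()
    for f in flows:
        key = (f["src_zone"], f["dst_zone"], f["dst"], f["proto"], f["port"])
        groups.setdefault(key, []).append(f["src"])
    return [{"src_zone": k[0], "dst_zone": k[1], "dst": k[2], "proto": k[3],
             "port": k[4], "sources": v} for k, v in groups.items()]

def _members(parent, tag, values):
    node = ET.SubElement(parent, tag)
    for v in values:
        ET.SubElement(node, "member").text = v

def build_config(groups, device_group=DEVICE_GROUP):
    """Minimal Panorama config tree holding only the target device group's
    service objects and pre-rulebase security rules (nothing shared)."""
    root = ET.Element("config")
    dev = ET.SubElement(ET.SubElement(root, "devices"), "entry",
                        name="localhost.localdomain")
    dg = ET.SubElement(ET.SubElement(dev, "device-group"), "entry",
                       name=device_group)
    services = ET.SubElement(dg, "service")
    rules = ET.SubElement(ET.SubElement(ET.SubElement(
        dg, "pre-rulebase"), "security"), "rules")
    for proto, port in sorted({(g["proto"], g["port"]) for g in groups}):
        svc = ET.SubElement(services, "entry", name=f"svc-{proto}-{port}")
        ET.SubElement(ET.SubElement(ET.SubElement(
            svc, "protocol"), proto), "port").text = str(port)
    for i, g in enumerate(groups, start=1):
        rule = ET.SubElement(rules, "entry", name=f"{RULE_PREFIX}-{i:04d}")
        _members(rule, "from", [g["src_zone"]])
        _members(rule, "to", [g["dst_zone"]])
        _members(rule, "source", g["sources"])
        _members(rule, "destination", [g["dst"]])
        _members(rule, "source-user", ["any"])
        _members(rule, "category", ["any"])
        _members(rule, "application", ["any"])  # placeholder; tighten to App-ID later
        _members(rule, "service", [f"svc-{g['proto']}-{g['port']}"])
        ET.SubElement(rule, "action").text = "allow"
    return root

def load_partial_commands(filename, device_group=DEVICE_GROUP):
    """CLI lines that merge only this device group's services and pre-rules
    from the imported file; 'mode merge' leaves existing rules in place.
    Verify the exact syntax against your PAN-OS release before running."""
    base = DG_XPATH.format(dg=device_group)
    return [f"load config partial mode merge from-xpath {base}/{p} "
            f"to-xpath {base}/{p} from {filename}"
            for p in ("service", "pre-rulebase/security/rules")]

if __name__ == "__main__":
    groups = group_flows(parse_flows(SAMPLE_CSV))
    print(ET.tostring(build_config(groups), encoding="unicode"))
    print("\n".join(load_partial_commands("flows-DG-Branch.xml")))
```

Save the printed XML to a file, import it on Panorama as a named configuration snapshot, and run the two generated 'load config partial' lines (services first, so the rules can reference them). Because both the from-xpath and the to-xpath point inside the one device group, nothing shared and no other device group is touched, and 'mode merge' keeps the rules already in that group. Run it against a lab Panorama before production, check the candidate config diff before committing, and treat application=any as a placeholder to be tightened once the rules have been observed for a while.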