Clone or move FW Local Policies to Device Groups
Hello good afternoon, as always thanks for the collaboration, time and good vibes.
I have the following question.
Due to bad practices, some admins have made changes and added local policies.
The firewall in HA has its device groups, where there are a large number of policies, i.e. most, almost 90%, are via device groups, but there are 10% that were created locally.
So is there a way to take those local policies, clone them, move them, etc.?
So that you don't have to create them manually?
Thanks, I remain attentive
Best regards
I can think of a few ways but none of them are as clean as I would like to recommend ;)
To import the rules you would need to first completely 'disconnect' the firewall from the templates and device groups, import it, manually merge the device groups (newly imported and previously assigned one) and then push the bundle back (too much hassle).
You can also export the device configuration, import it into Panorama and do a partial copy. I have mixed feelings about letting the CLI decide how to properly import partial config sections, so:
I'd probably approach this from the CLI using a trusty text editor. On the firewall:
`set cli config-output-format set`
`configure`
`show | match 'security rules'`
Copy all the set commands and edit them in a text editor from
`set rulebase security rules <rulename>`
to
`set device-group <devicegroupname> pre-rulebase security rules <rulename>`
then run the set commands in the Panorama CLI.
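The text-editor rewrite described in the answer above, as an added example that is not part of the original thread: it prefixes each local security-rule set command with the device group, sets aside matched lines that are not security rules, and lists the address and service names the rules reference so they can be checked in the device group or Shared before the commands are pasted. The device group name `DG-Branch`, the function names and the sample lines are constructed for illustration.

```python
import ipaddress
import shlex

PREFIX = "set rulebase security rules "
OBJECT_FIELDS = {"source", "destination", "service"}
# List brackets and predefined values that need no object of their own.
IGNORE = {"[", "]", "any", "application-default", "service-http", "service-https"}

# Constructed sample of what `show | match 'security rules'` could return.
SAMPLE = """\
set rulebase security rules "Allow Web" from trust
set rulebase security rules "Allow Web" to untrust
set rulebase security rules "Allow Web" source [ 10.0.0.0/24 branch-nets ]
set rulebase security rules "Allow Web" destination web-servers
set rulebase security rules "Allow Web" service service-https
set rulebase security rules "Allow Web" action allow
set rulebase nat rules "not security rules" to untrust
""".splitlines()

def _is_literal(token):
    """True for IP/CIDR literals; anything else is reported as a name."""
    try:
        ipaddress.ip_network(token, strict=False)
        return True
    except ValueError:
        return False

def to_panorama(lines, device_group, rulebase="pre-rulebase"):
    """Return (panorama_commands, referenced_names, skipped_lines)."""
    dg = f'"{device_group}"' if " " in device_group else device_group
    commands, references, skipped = [], set(), []
    for line in (raw.strip() for raw in lines):
        if not line.startswith(PREFIX):
            if line:
                skipped.append(line)  # matched the text but is not a security rule
            continue
        rest = line[len(PREFIX):]
        commands.append(f"set device-group {dg} {rulebase} security rules {rest}")
        try:
            tokens = shlex.split(rest)  # handles quoted rule names with spaces
        except ValueError:
            continue  # unbalanced quote: command is kept, references not parsed
        if len(tokens) >= 3 and tokens[1] in OBJECT_FIELDS:
            references.update(v for v in tokens[2:]
                              if v not in IGNORE and not _is_literal(v))
    return commands, sorted(references), skipped

if __name__ == "__main__":
    cmds, refs, skipped = to_panorama(SAMPLE, "DG-Branch")
    print("\n".join(cmds))
    print("check these exist in Panorama:", refs)
    print("not converted:", skipped)
```

Review the skipped lines and the referenced names before running the converted commands in configure mode on Panorama.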