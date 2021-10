We upgraded our Panorama from 9.1.8 to 10.0.7 over the weekend. As we attempted to commit the upgrade to the Panorama, we encountered the new requirement that Panorama 10.0.x code enforces no duplicate address objects allowed within an address group. We have over 7700 address groups defined and this was a 5 hour exercise to run the commit many, many times to find the problem address groups, remove the duplicate objects within them and then commit those changes to Panorama and run the commit again, in order to find the next one. We have built a number of the firewalls on this Panorama (converting Cisco ASA configs to PA VM-500s). We are running Expedition version 1.1.65, Spark Dependencies 0.1.3-h2 and Best Practices 3.21.3. We always run the remove duplicate objects step(s) as we prep a configuration. We then merge the addresses and address groups into our Panorama and finally merge the security policies to the appropriate device group to get the rules setup for the new firewall.

SOFTWARE ・ 5 DAYS AGO