← 返回
未分类 Key 中文

prisma-migrate

Migrate Prisma Access configurations between different SCM tenants (TSGs). Use when moving security policies, NAT rules, address objects, and other configura...
在不同的 SCM 租户(TSG)之间迁移 Prisma Access 配置,用于安全策略、NAT 规则、地址对象等配置的迁移。
leesandao leesandao 来源
未分类 clawhub v1.1.0 1 版本 100000 Key: 需要
★ 0
Stars
📥 340
下载
💾 0
安装
1
版本
#latest

概述

Prisma Access Tenant-to-Tenant Configuration Migration

Migrate configurations between Prisma Access tenants (TSGs) via the Strata Cloud Manager API.

Overview

This skill helps you export configurations from a source tenant and import them into a target tenant. It handles naming conflicts, reference resolution, and dependency ordering.

For detailed API call reference, see migration-workflow.md.

Migration Compatibility Matrix

Based on real-world migration testing, here is what can and cannot be migrated directly via SCM API:

Directly Migratable (API fully supported)

ResourceNotes
-----------------
TagsNo issues
Address ObjectsIP netmask, FQDN, IP range, IP wildcard all supported
Address GroupsStatic and dynamic; referenced addresses must exist first
Service ObjectsNo issues
Service GroupsNo issues
Application FiltersNo issues
Application GroupsNo issues
External Dynamic Lists (EDL)No issues
HIP ObjectsNo issues
HIP ProfilesNo issues
File Blocking ProfilesNo issues
Profile GroupsSupported, but referenced sub-profiles must exist first
Security Rules (most)Simple rules migrate directly
NAT RulesNo issues
Decryption Rules (most)Simple rules migrate directly

Not Directly Migratable (require manual handling)

ResourceIssueWorkaround
-----------------------------
URL Filtering ProfilesService Account returns Access deniedGrant additional API permissions, or recreate manually in SCM console
Data Filtering ProfilesService Account returns Access deniedSame as above
AI Security ProfilesService Account returns Access deniedSame as above
Custom URL CategoriesAPI returns 0 results or Access deniedRecreate manually in SCM console before migrating rules that reference them
Profile Groups with inaccessible refsReferences URL Filtering / Data Filtering / AI Security profiles that can't be exportedMigrate with invalid references stripped; add them back manually after creating the sub-profiles in the target tenant
Rules referencing missing objectsSecurity/Decryption rules fail with INVALID_REFERENCECreate the missing referenced objects first, then retry the rule
app-tagging rulesNested object arrays cause Invalid Request PayloadRecreate manually in SCM console
Cross-folder name conflictsRules with same name in All or Prisma Access folder cause UNIQUEIN_ERRORSkip — these are typically system-preset rules already present in the target

Key Lessons

  1. Dependency order is critical: Tags → Addresses → Groups → Services → File Blocking Profiles → URL/Data/AI Profiles → Profile Groups → Rules
  2. Service Account permissions are the biggest blocker: URL Filtering, Data Filtering, and AI Security profile APIs require elevated permissions that default Service Accounts may not have
  3. Conflict detection must check ALL folders: Rules exist across Shared, All, Prisma Access, Mobile Users folders — checking only Shared misses conflicts
  4. Profile Groups can be partially migrated: Strip invalid references, import the group, then manually add the missing references later
  5. System-preset objects should be skipped: Both tenants share identical predefined objects (best-practice profiles, default EDLs, default HIP objects)
  6. Fields to strip before import: id, created, last_modified, snippet, override_loc, override_type, override_id, rule_uuid, folder, policy_type, position (position goes in the query parameter instead)

Prerequisites

Set the following environment variables:

# Source tenant credentials
export SRC_SCM_CLIENT_ID="source-client-id"
export SRC_SCM_CLIENT_SECRET="source-client-secret"
export SRC_SCM_TSG_ID="source-tsg-id"

# Target tenant credentials
export DST_SCM_CLIENT_ID="target-client-id"
export DST_SCM_CLIENT_SECRET="target-client-secret"
export DST_SCM_TSG_ID="target-tsg-id"

Migration Workflow

Step 1: Export from Source Tenant

Authenticate and export all configuration objects from the source tenant via SCM API:

GET https://api.sase.paloaltonetworks.com/sse/config/v1/{resource}?folder={folder}&limit=200

Export objects in dependency order. Handle pagination with offset when total exceeds limit.

Step 2: Conflict Detection

Before importing, check the target tenant for conflicts across all folders (Shared, All, Prisma Access, Mobile Users, Remote Networks):

  • Name conflicts: objects with the same name — typically skip (system presets)
  • Reference conflicts: objects referencing things not in the target — need to create dependencies first or strip invalid references
  • Cross-folder conflicts: rules in All folder that block creation in Shared — skip these

For each conflict, present the user with options:

  • Skip: do not import (recommended for system presets)
  • Overwrite: replace the target object with the source object
  • Rename: import with a prefix/suffix (e.g., migrated- prefix)
  • Strip references: import without invalid references, fix manually later

Step 3: Transform and Import

For each object:

  1. Remove source-tenant-specific fields (id, created, last_modified, snippet, override_loc, override_type, override_id, rule_uuid)
  2. Remove folder and policy_type from the body (folder goes in query param)
  3. For rules: remove position from body (goes in query param as &position=pre or &position=post)
  4. For Profile Groups with invalid references: strip the unavailable sub-profile references
  5. POST to the target tenant API
POST https://api.sase.paloaltonetworks.com/sse/config/v1/{resource}?folder={folder}

Step 4: Validation

After import:

  1. List all imported objects and verify counts match source
  2. Check for broken references
  3. Run a candidate config push to validate (without committing)
POST https://api.sase.paloaltonetworks.com/sse/config/v1/config-versions/candidate:push

Step 5: Commit (User-Confirmed)

Only commit after user explicitly confirms:

POST https://api.sase.paloaltonetworks.com/sse/config/v1/config-versions/running:push

Usage Examples

/prisma-access:prisma-migrate

Interactive mode: prompts for source and target tenant details.

/prisma-access:prisma-migrate 1234567890 0987654321

Migrate from TSG 1234567890 to TSG 0987654321.

Safety Guardrails

  • Dry-run by default: always show what would be imported before making changes
  • No auto-commit: never commit configuration without explicit user confirmation
  • Rollback guidance: provide instructions to undo changes if needed
  • Rate limiting: respect SCM API rate limits (avoid bulk API flooding)
  • Skip system presets: automatically skip predefined objects that exist in both tenants

版本历史

共 1 个版本

  • v1.1.0 当前
    2026-05-07 10:30 安全 安全

安全检测

腾讯云安全 (Keen)

安全,无风险
查看报告

腾讯云安全 (Sanbu)

安全,无风险
查看报告

🔗 相关推荐

it-ops-security

MoltGuard - Security & Antivirus & Guardrails

thomaslwang
MoltGuard — OpenClaw 安全守卫,由 OpenGuardrails 提供。安装后可防止您和您的用户受到提示注入、数据泄露及恶意行为的侵害。
★ 116 📥 31,014
it-ops-security

1password

steipete
设置和使用 1Password CLI (op)。适用于:安装 CLI、启用桌面应用集成、登录(单/多账户)、通过 op 读取/注入/运行密钥。
★ 53 📥 31,711
it-ops-security

OpenClaw Backup

alex3alex
备份与恢复 OpenClaw 数据。适用于创建备份、设置自动备份计划、从备份恢复或管理备份轮转。处理 ~/.openclaw 目录归档并包含适当的排除规则。
★ 90 📥 31,063