https://live.paloaltonetworks.com/t5/panorama-discussions/deploying-already-existing-firewalls/m-p/519607#M1178 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/156979">@JaredBaglietto</a> ,</P> <P>&nbsp;</P> <P>If you are having issues with conflicting objects, you may not have done step 5 in this doc -&gt; <A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CloRCAS" target="_blank" rel="noopener">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CloRCAS</A>.&nbsp; Exporting the Panorama config once to the NGFW <STRONG>right after you import the config</STRONG> is necessary to delete the local <EM>polices and objects</EM>.&nbsp; After you do step 5 once, you then push all configs to the devices under the Commit menu.</P> <P>&nbsp;</P> <P>If you want to overwrite the local <EM>network and device</EM> configurations with Panorama configs, you should check the box Force Template Values in step 6.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> Sat, 29 Oct 2022 16:38:38 GMT TomYoung 2022-10-29T16:38:38Z https://live.paloaltonetworks.com/t5/panorama-discussions/deploying-already-existing-firewalls/m-p/519599#M1177 <P>Hi all,</P> <P>&nbsp;</P> <P>I've been working with Panorama now for just over a month, learning most its concepts slowly but surely. I am now stuck however on the following:</P> <P>&nbsp;</P> <P>Before we acquired Panorama, we had several clients running PA-220s. After it was announced the 220s were reaching EoL, we replaced most with 410s and 440s. We then acquired Panorama to centralise all deployments. How I did it was to import each client's 220 configs into respective 410/440 replacements, then deploy them to client site. Then from office I would register them to our Panorama, import its config into client-respective device group and templates.</P> <P>From this point on, it has been really painful getting even one client FW to be in sync with either device group or template. I am having to rename/remove every single object/policy for example for the firewall to accept push, due to conflicting objects.</P> <P>&nbsp;</P> <P>I think lesson learnt here is that I should've pushed the configs into the firewall via Panorama instead of directly into firewall.</P> <P>&nbsp;</P> <P>My question, is there any simpler way I can push templates and groups to already deployed firewalls more easily, without having to configure them from scratch and risk removing their running configs?</P> <P>&nbsp;</P> <P>Many thanks,</P> <P>&nbsp;</P> <P>Jared</P> Sat, 29 Oct 2022 06:41:15 GMT https://live.paloaltonetworks.com/t5/panorama-discussions/deploying-already-existing-firewalls/m-p/519599#M1177 JaredBaglietto 2022-10-29T06:41:15Z https://live.paloaltonetworks.com/t5/panorama-discussions/deploying-already-existing-firewalls/m-p/519607#M1178 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/156979">@JaredBaglietto</a> ,</P> <P>&nbsp;</P> <P>If you are having issues with conflicting objects, you may not have done step 5 in this doc -&gt; <A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CloRCAS" target="_blank" rel="noopener">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CloRCAS</A>.&nbsp; Exporting the Panorama config once to the NGFW <STRONG>right after you import the config</STRONG> is necessary to delete the local <EM>polices and objects</EM>.&nbsp; After you do step 5 once, you then push all configs to the devices under the Commit menu.</P> <P>&nbsp;</P> <P>If you want to overwrite the local <EM>network and device</EM> configurations with Panorama configs, you should check the box Force Template Values in step 6.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> Sat, 29 Oct 2022 16:38:38 GMT https://live.paloaltonetworks.com/t5/panorama-discussions/deploying-already-existing-firewalls/m-p/519607#M1178 TomYoung 2022-10-29T16:38:38Z https://live.paloaltonetworks.com/t5/panorama-discussions/deploying-already-existing-firewalls/m-p/519687#M1180 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/77347">@TomYoung</a>,</P> <P>&nbsp;</P> <P>Thank you very much for that. I've tried the steps provided and I think it's what I'm looking for. Just hitting a few hurdles.</P> <P>&nbsp;</P> <P>I have to be careful as I seem to be overwriting important network configs and policies that allow me remote access into the firewall. Accidentally kicked myself out of client firewall this past weekend and had to fix their config onsite.</P> <P>&nbsp;</P> <P>When in step 6 making changes to config, I only end up getting an error such as 'ethernet1/1 is already in use'. Any idea why this may be occurring?</P> Mon, 31 Oct 2022 15:11:04 GMT https://live.paloaltonetworks.com/t5/panorama-discussions/deploying-already-existing-firewalls/m-p/519687#M1180 JaredBaglietto 2022-10-31T15:11:04Z