topic Re: Asking for best practice regarding editing multiple interfaces of a FW HA pair which is managed by Panorama in Panorama Discussions

Asking for best practice regarding editing multiple interfaces of a FW HA pair which is managed by Panorama

Yevgeny_Libov — Fri, 10 Mar 2023 10:41:35 GMT

Hi,

We have a FW HA pair which we want to put under Panorama's management.
However, this pair will have to undergo interfaces editing in a few weeks - putting individual interfaces in aggregate interfaces.
If there was no Panorama, I would have edited the FW settings via CLI, commited, and it would have got replicated to the other FW.

I have some experience with Panorama and FW HA management. The templates of each node would be placed under the same template stack.
When working Panorama what I want to do with the interfaces might be more challenging as the settings must be edited on the templates.

My questions are:
• Should I edit each FW template separately, commit to panorama and push to devices? I assume this would be most labor intense but the cleanest. This is very inconvenient and time consuming, of course.
• Is there a way to edit interfaces on the primary FW node, and push it to update Panorama template settings? I assume that not.
• Is it recommended in a case of HA pair to completely remove network management from Panorama?

I'm asking for a good solution.
Than you.

Re: Asking for best practice regarding editing multiple interfaces of a FW HA pair which is managed by Panorama

TomYoung — Fri, 10 Mar 2023 11:56:51 GMT

Hi @Yevgeny_Libov ,

Here is a good document on migrating a standalone HA pair to Panorama -> https://docs.paloaltonetworks.com/panorama/10-2/panorama-admin/manage-firewalls/transition-a-firewall-to-panorama-management/migrate-a-firewall-ha-pair-to-panorama-management.

There are some best practices that we can learn from it.

Should I edit each FW template separately? HA pairs should be in one template to guarantee the same config on both. You can manage IP addresses for HA connections locally as the doc says or use template variables.
Is there a way to edit interfaces on the primary FW node, and push it to update Panorama template settings? You can do this when you initially add the NGFWs to Panorama. After that, the config is the same, regardless of Panorama or local.
Is it recommended in a case of HA pair to completely remove network management from Panorama? No. HA pairs can be easily managed from Panorama.

Here are a few things to consider:

Config sync can be enabled after the pair is added to Panorama. Then local changes will be synchronized. Panorama changes are pushed to each NGFW individually and not synced.
You will need to decide:
- Will you also managed Network and Device config from Panorama? If so, don't skip the Force Template values step. Also, enable Automated Commit Recovery 1st.
- What settings will be managed locally? The management interface is an obvious example. I like managing everything else from Panorama.
- What settings will be common across other NGFWs? This will determine device group hierarchy and template stack configurations.

The Beacon free course Managing Firewalls at Scale has some excellent guidance on the last bullet.

Thanks,

Tom

Re: Asking for best practice regarding editing multiple interfaces of a FW HA pair which is managed by Panorama

Yevgeny_Libov — Fri, 10 Mar 2023 15:15:17 GMT

Hi Tom, many thanks.

I've followed the manual before and an additional manual for adding the HA pair, but haven't followed in the correct order.
I will try to follow this one step by step (and take what is necessary from the one which instructs how to use variables).

I would like to know your opinion on how to manage network settings from Panorama for an HA pair (Active-Passive). I didn't find it in your answer or the guide.

Under STEP 7, section 6: "Select the template stack for the first firewall, add the second firewall, select OK
and Commit to Panorama to add it to the same template stack as the HA peer."

This step adds both device templates under the same template stack.
However, how do I manage the network settings? When I was experimenting with this, when in Panorama I attempted to change network settings under template stack, I have had limited edit options, or it was in a Read Only state.
I had to select the FW template in order to have full edit capability, so here I wander: Should I edit each device template separately?
This doesn't make sense and I'm probably missing something.

About managing the HA from Device Groups when both FW are associated under the the device groups, this works well.

Edit: I think I partly understand what I've been missing:

"Select the template stack for the first firewall, add the second firewall, select OK and Commit to Panorama to add it to the same template stack as the HA peer."
I want to understand please: The end result of this is a single template stack with both devices added, and a single template assigned to it, which belongs to one of the devices, right?

Re: Asking for best practice regarding editing multiple interfaces of a FW HA pair which is managed by Panorama

TomYoung — Fri, 21 Apr 2023 10:51:49 GMT

Hi @Yevgeny_Libov ,

You wrote "This step adds both device templates under the same template stack." This is incorrect. The step actually adds both devices to different template stacks. Once you are done with the steps in the document, you can actually delete the device group, template, and template stack created by importing the 2nd NGFW (step 7 #2 and #5). At the end of the document, you should have both NGFWs in 1 template stack with 1 template. You do not need separate templates for each NGFW in an HA pair. Unique settings such as management IP or HA link IPs should be (1) managed locally (no config in Panorama), (2) overridden locally, or (3) use template variables. Everything else should be the same.

Correct. The device is associated with the template stack, and not the template.

Thanks,

Tom

Re: Asking for best practice regarding editing multiple interfaces of a FW HA pair which is managed by Panorama

Yevgeny_Libov — Fri, 10 Mar 2023 20:09:20 GMT

Hi Tom,

Yes, you are right. I continued researching this and editing my reply, and between my edits you made this comment.
Thank you for correcting me while I was making my mind 🙂

I will follow up the steps and add the HA to Panorama at the beginning of next week and will report on results.

Re: Asking for best practice regarding editing multiple interfaces of a FW HA pair which is managed by Panorama

Yevgeny_Libov — Mon, 13 Mar 2023 05:39:18 GMT

Works like charm. Thanks Tom.