Firewall has the IPSec tunnel but Panorama don't. How to fix?

MINKU2 — Thu, 04 Apr 2024 23:24:37 GMT

Hi Guys,

We have one of the IPSec tunnel missing on Panorama but it is configured on individual Firewalls (HA pair). The tunnel is up and running. We don't want any downtime on VPN tunnel.

Can I simply add missing IPSec tunnel to Panorama and do just " Commit to Panorama"?

Or is there something else needs to be done?

Re: Firewall has the IPSec tunnel but Panorama don't. How to fix?

PavelK — Sat, 06 Apr 2024 04:27:33 GMT

Hello @MINKU2

from your post it looks like you are considering to move IPsec local Firewall configuration to Panorama managed configuration. If this is the case, then there are a few things to consider.

You will have to configure IPsec in Panorama's Template, then commit and push it to Firewall. If the IPsec configuration is identical, the local configuration will have precedence, then you will have to override it locally in Firewall to use Panorama's configuration. This will have to be committed to take an effect. During commit the configuration will be replaced that will likely cause IPsec tunnel reset. If you are concerned about down time, then migration from local to Panorama configuration on one to one bases should be performed during a maintenance window.

There might be some work arounds to make this transition without down time. For example push from Panorama IPsec configuration with unique names to prevent overriding it locally, then if you are using any routing protocol to shift traffic to new tunnel. This will required more information about your setup and more planning.

Kind Regards

Pavel

topic Firewall has the IPSec tunnel but Panorama don't. How to fix? in Panorama Discussions

Firewall has the IPSec tunnel but Panorama don't. How to fix?

Re: Firewall has the IPSec tunnel but Panorama don't. How to fix?