topic Re: Panorama Onboarding and Managing of PAN FW's in Panorama Discussions

Panorama Onboarding and Managing of PAN FW's

NickoKristian — Sat, 07 Dec 2024 08:54:28 GMT

Hi All,

I have a few questions, but let me share first what happened.

End State Goal: Have the Panorama manage our HQ and Branch Firewalls( 5 Firewalls Involved, We have license for this)

We have tried to onboard and use panorama for management of our PAN Firewalls.

We have successfully onboarded our Active/Passive firewalls

(From Device>Managed Devices>Summary) status can be seen both as connected.

FIRST tried to import and push the running configuration of the Passive Firewall, then we experienced a down time.

Checking on the Active PA FW the configuration was stripped off(No policies can be seen).

We load our the backup config on the Active FW to recover services.

Now when I checked Panorama from Device>Managed Devices>Summary

Active FW is showing as disconnected

Passive is showing as connected.

Policies from the passive firewall is visible on the Panorama,

I have not associated the Active Firewall to the Device Group and Device Template yet.

From the GUI it is under the "not associated list"

Questions:

1. Is it a normal behavior for the configuration of the firewalls to be stripped off once they are being managed by Panorama?

2. What if in the scenario that the Panorama Suddenly reboots, does this mean that traffic for all the devices it manage will go down since there are no configurations the NGFW's?

3. Given our current status now what would be the best advisable thing to do next?:

a). Manually Failover the Traffic from Active FW to Passive FW then import the "Current Suspended" FW running configuration to the Panorama.

b). Can we just proceed on adding the Active FW to the Device Group & Device Template Created for the Passive FW.

4. Are there any documentations for onboarding/Import and Push Active/Passive Firewalls to Panorama?

Any help would be very much appreciated.

Regards

Nicko

@panorama @Panoramaortho

Re: Panorama Onboarding and Managing of PAN FW's

TomYoung — Sun, 08 Dec 2024 03:31:36 GMT

Hi @NickoKristian ,

1. Is it a normal behavior for the configuration of the firewalls to be stripped off once they are being managed by Panorama? Yes. The "Export or push device config bundle" step will delete the local policies and objects. This is needed or you will get a bunch of duplicate value errors. The Force Template Values step will delete the local Network and Device values, except management interface IP address.
What if in the scenario that the Panorama Suddenly reboots, does this mean that traffic for all the devices it manage will go down since there are no configurations the NGFW's? No. Once the Panorama configuration is pushed, it remains on the NGFW. It appears your push failed because the NGFW was disconnected from Panorama.
Given our current status now what would be the best advisable thing to do next? You need to fix the disconnect error first. You may want to failover if needed for connectivity to Panorama. https://docs.paloaltonetworks.com/panorama/10-1/panorama-admin/troubleshooting/recover-managed-device-connectivity-to-panorama
Are there any documentations for onboarding/Import and Push Active/Passive Firewalls to Panorama? https://docs.paloaltonetworks.com/panorama/10-2/panorama-admin/manage-firewalls/transition-a-firewall-to-panorama-management/migrate-a-firewall-ha-pair-to-panorama-management

Thanks,

Tom

Re: Panorama Onboarding and Managing of PAN FW's

NickoKristian — Mon, 09 Dec 2024 04:42:14 GMT

Hi @TomYoung Thanks for your inputs. Just to clarify Active/Passive firewalls are displaying as Connected, but when I export/pushed config for the passive firewall active firewalls policies was stripped off as well.

I think because we have not disabled config sync for the HA pair.

What would your approach with this if we want to have no downtime?

Currently, On Panorama Active FW is disconnected, Passive FW is connected.

1. Fix the Connection issues first, can we disassociate the Active Firewall again then continue the steps?

2. Failover the traffic to the passive firewall? Checking on the Local Firewall GUI HA dashboard all seems to be matched excluding the Configuration which is not sync.

Regards

Nicko

Re: Panorama Onboarding and Managing of PAN FW's

vivekms — Sun, 02 Feb 2025 02:13:51 GMT

Yes you have to make sure config sync is disabled and also remove the HA configuration from the template and as it a unique value local to the firewall.

Panorama-> select the Template-> High Availability-> Remove All

Re: Panorama Onboarding and Managing of PAN FW's

TomYoung — Mon, 03 Feb 2025 21:06:43 GMT

Hi @vivekms ,

HA can be pushed from Panorama with template variables. Not a big deal, just an FYI.

Thanks,

Tom