topic Panorama import local managed device issue in Panorama Discussions

Panorama import local managed device issue

TonyTam — Fri, 15 Oct 2021 05:41:08 GMT

I added a PA to panorama test lab with version 9.1.11 them import configuration. However I am unable to push config from panorama to PA and I found below errors which showing customized application is in use, then I need to delete many objects and policies on PA firewall to push configuration. I want to know is it a normal practice for Panorama to manage production PA in the first time? Many thanks!

Details:
. Validation Error:
. application -> Custom-IE 'Custom-IE' is already in use
. application is invalid
. Error: Profile compile error, duplicated name Block files
. Error: Profile compiler : Block files invalid type 5
. Error: Profile compiler : invalid profile name Block files
. Error: Profile compiler : Vsys section error
. Error: Profile compiler : parsing config error
. (Module: device)
. Commit failed

Re: Panorama import local managed device issue

PavelK — Fri, 15 Oct 2021 07:09:26 GMT

Thank you for posting question @TonyTam

Regarding the error you posted, you will have to resolve it first before you can push the configuration back to Firewall. Unfortunately there is no other way around except deleting it or renaming.

I can't really say what the best practice is, but there are only 2 options.

Either onboard new Firewall. Here is corresponding Best Practice Link: https://docs.paloaltonetworks.com/best-practices/10-1/best-practices-for-managing-firewalls-with-panorama/adding-firewalls-to-panorama/use-case-onboarding-new-next-generation-firewalls-to-panorama.html

Or migrate existing Firewall by importing configuration to Panorama and pushing it back to Firewall. Here is corresponding Best Practice: https://docs.paloaltonetworks.com/best-practices/10-1/best-practices-for-managing-firewalls-with-panorama/adding-firewalls-to-panorama/use-case-migrate-your-next-generation-firewalls-to-panorama.html#id50db55bc-c363-4194-b1bf-e22c50f6ae99

In my case when we deployed Panorama we already had several Firewalls deployed in production and despite the fact there was an option to migrate Firewall to Panorama by importing configuration, I opted for onboarding it as a new Firewall then I pushed all the configuration from Device Group and Template Stack and deleted all local configuration as far as I could. What I personally did not like about importing existing configuration were 2 things:

- Local configuration was already messy and not following any convention, so I did not want to import messy configuration and turn it into Device Group/Template.

- I wanted to avoid issue you posted here that by importing I need to resolve several issue first. Also, I was afraid of merging of config and forcing of Template Values especially for critical Firewalls.

By pushing new configuration by Panorama with different naming convention than local configuration has avoided any configuration duplication. This approach has still several disadvantages. It is time consuming to clean up all local configuration and unless I select: "Force Template Values" most of the configuration is pushed but not applied unless I override it and commit it locally. At this moment I have under Panorama over 150+ Firewalls and I used the same approach regardless it is brand new device or existing one that I turned into Panorama managed. We have decided not to use Panorama for interface configuration and routing. This is what we manage locally as we would like to have more control and avoid operational mistakes by pushing something centrally that will break control plane.

If you have greenfield deployment I would leverage Panorama as much as you can. Unless you are concerned about some of the points I mentioned I do not discourage you to use import of local configuration to Panorama and pushing it back. I know many admins that use it successfully in their deployments.

Kind Regards

Pavel

Re: Panorama import local managed device issue

TonyTam — Fri, 15 Oct 2021 08:12:40 GMT

Thanks for your suggestion.

According to below KB, I found that I miss the important part "Export or push device config bundle".

Seems the most convenient method to delete all local configuration when pushing.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CloRCAS

Push the device configuration bundle to the firewall to remove all policies and objects from the local configuration. Go to Panorama > Setup > Operations and click 'Export or push device config bundle'. Select the Device from which you imported the configuration, click OK, and click Push & Commit.

Re: Panorama import local managed device issue

TomYoung — Tue, 09 Nov 2021 17:17:02 GMT

@TonyTam is correct. When you initially import a firewall configuration into Panorama, you need to "Export or push device config bundle" to remove the local configuration and replace with Panorama configuration. If you try Commit > Push to Devices you will get the "already in use" or "duplicated name" errors. You only have to do it once, and then you can manage from Panorama normally.

Re: Panorama import local managed device issue

RodyDeLaRosa — Tue, 23 Apr 2024 20:25:22 GMT

Thank you for the detailed explanations, @PavelK and @TomYoung we ran into plenty of conflicts onboarding firewalls that were already part of our infrastructure. I have found that not moving the firewall from the DG and Template it creates until the config package has been successfully pushed helps minimize conflicts. I also found that sometimes the error output will flag items that are clearly in the configuration in Panorama but are not being recognized by the firewall during the push. No other solution has worked besides re-adding the object locally on the firewall and then committing the config locally as well. After that the commit succeeds and the device can be moved to the preferred DG and template stack. Hope this helps anyone else who runs into this.