Duplicate config in panorama managed firewall

Mohanlalsaini — Wed, 29 Jun 2022 04:10:36 GMT

Hi Team,

In my firewall i can 2 configuration at the same time. One i pushed from panorama and one is local that is scyronized from the passive peer. i can see everything is duplicate. How can i remove the duplicate config ( Local config from the firewall and keep the panorama pushed only.

Thanks in advance

Re: Duplicate config in panorama managed firewall

Mohanlalsaini — Wed, 29 Jun 2022 04:27:03 GMT

and i have the device state of the firewall before this duplicate config happened. Can I import this device state to remove the duplicate config.

Re: Duplicate config in panorama managed firewall

aleksandar.astardzhiev — Wed, 29 Jun 2022 20:47:16 GMT

Hi @Mohanlalsaini ,

Let first discuss something fundamental - Templates vs Device Groups:

- Device Groups are used to push objects and policies and security profiles. For example here you define address objecets and use them in security rules. Basically it is defining the firewall security functions

- Templates are used to push device and networking configuration. For example what NTP and DNS should the device use and what IP addresses are assigned on the device.

Panorama GUI is trying to help you to remember which settings where are managed by the brackets above the relevant tabs:

Now you probably know this already, but it important to mention it, because there is fundamental difference between Templates and Device Groups about how they handel local configuration.

- Device Groups - Even without Panorama (local fw config) you cannot have multiple object sharing the same name, or multiple rules/policies using the exact same name. This way firewall will not know who to handle the traffic (which object in which rule is used, or which rule is actually used). You still can create local rules and objects in case of emeregency - for example security engineer with access to panorama is not available, but local network engineer need to allow some traffic to solve user incident/request. The idea here is that your "global policy" pushed by the panorama could explicitly deny some traffic at the top of the policy, so no local rule will be able to be put at the top and bypass the global block rule.

- Templates - none of the configuration defined in the template can have multiple values (you can have multiple hostnames, or multiple primary IPs on dataplane interfaces, etc), like with firewall rules. Which means if there is local config and config pushed from Panorama, firewall needs to choose which one to use. Now by default firewall will prefer the local configuration over the one pushed from Panorama. The idea behind this approach is that it is more common for local admin to override these settings. For example your panorama is pushing the IP assigned to the outside interface, but the ISP needs to change it, so the local network admin can override the config from panorama and apply the new IP. Another example is if your global policy define the use of specific NTP, but one specific site has issues and wants to use different one.

One way to remove the local config and apply the panorama pushed is to go over each config and click on "revert" button. After that you need to commit locally on the firewall. This way will give you the option to review the configuration before commit, but it could be painful if there is a lot to revert.

The other option would be to push template configuration from panorama, but this time enable "Force Template Values". This will force the firewall to remove any local configuration that is already defined in the template. Thi will not delete any local config that is not part of the template.

Push to Device -> Edit Selection -> enable "Force Template Values"

Re: Duplicate config in panorama managed firewall

Mohanlalsaini — Fri, 01 Jul 2022 10:53:04 GMT

HI Thanks for your replay. The issue is resolved now. We have the device state backup from the firewall ( before the issue). we have import it then issue resolved.

topic Re: Duplicate config in panorama managed firewall in Panorama Discussions

Duplicate config in panorama managed firewall

Re: Duplicate config in panorama managed firewall

Re: Duplicate config in panorama managed firewall

Re: Duplicate config in panorama managed firewall