https://live.paloaltonetworks.com/t5/general-topics/suggestion-on-initial-configuration-of-palo-alto/m-p/522852#M108313 <P>day1 is intended to be the very first config you put on a device so you have a good baseline of preconfigured security profiles and security settings.&nbsp;</P> <P>a good way to integrate it into panorama would be to import it and set it as a shared template / shared device group objects so it can permeate into your other firewalls</P> <P>&nbsp;</P> <P>your use case will be somewhat difficult as you already have a config in panorama which will overwrite or ignore the (local) day1 config. if you want to use day1, it is best to also import that into panorama and merge both configurations</P> Wed, 30 Nov 2022 09:55:54 GMT reaper 2022-11-30T09:55:54Z https://live.paloaltonetworks.com/t5/general-topics/suggestion-on-initial-configuration-of-palo-alto/m-p/514163#M106918 <P>Hi All,</P> <P>We would be needing suggestion on the below scenario:</P> <P>&nbsp;</P> <P>We are having an new Palo-Alto firewall connected via management console in our data center which is integrated with Panorama and we have pre-configured the box by pushing the templates available in panorama. Now we are moving the box to the&nbsp; location and mounting it and planning to perform initial configurations by connecting the firewall to the actual network. Our client suggested to upload the DAy-1 configuration&nbsp; file to the palo-Alto firewall while assigning the mgmt IP to the firewall.&nbsp;</P> <P>&nbsp;</P> <P>Query is:</P> <P>1. Is the above condition will works ? If yes, will both our pre-configured configurations and Day-1 configuration will be present in our firewall ?</P> <P>2. will the day-1 configurations will be local to firewall and if yes,&nbsp; is there any way to manage it via Panorama.&nbsp;</P> Wed, 07 Sep 2022 14:41:03 GMT https://live.paloaltonetworks.com/t5/general-topics/suggestion-on-initial-configuration-of-palo-alto/m-p/514163#M106918 Sujanya 2022-09-07T14:41:03Z https://live.paloaltonetworks.com/t5/general-topics/suggestion-on-initial-configuration-of-palo-alto/m-p/522852#M108313 <P>day1 is intended to be the very first config you put on a device so you have a good baseline of preconfigured security profiles and security settings.&nbsp;</P> <P>a good way to integrate it into panorama would be to import it and set it as a shared template / shared device group objects so it can permeate into your other firewalls</P> <P>&nbsp;</P> <P>your use case will be somewhat difficult as you already have a config in panorama which will overwrite or ignore the (local) day1 config. if you want to use day1, it is best to also import that into panorama and merge both configurations</P> Wed, 30 Nov 2022 09:55:54 GMT https://live.paloaltonetworks.com/t5/general-topics/suggestion-on-initial-configuration-of-palo-alto/m-p/522852#M108313 reaper 2022-11-30T09:55:54Z https://live.paloaltonetworks.com/t5/general-topics/suggestion-on-initial-configuration-of-palo-alto/m-p/522869#M108316 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/216045">@Sujanya</a> ,</P> <P>&nbsp;</P> <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/7608">@reaper</a> is correct that ideally the Day 1 Configuration is for Day 1, but it is good to try to add them later rather than never.</P> <P>&nbsp;</P> <P>If you load the Day 1 Configuration on the NGFW and then add it to the appropriate device group and template stack in Panorama:</P> <P>&nbsp;</P> <OL> <LI>The above configuration will work.</LI> <LI>The Day 1 Configuration will be local to the firewall. <OL class="lia-list-style-type-lower-alpha"> <LI>If you have duplicate policies or objects, you will get an error.&nbsp; This is unlikely unless you have configured some Day 1 items before.</LI> <LI>Network or device configurations will not be overwritten unless you select Force Template Values.</LI> </OL> </LI> </OL> <P>To manage the Day 1 Config from Panorama, you have a few of options.</P> <P>&nbsp;</P> <OL> <LI>Import the firewall configuration into separate a separate device group and template (1st URL below).&nbsp; Messy.</LI> <LI>Import the NGFW configuration to Panorama and load config partial the pieces (2nd URL below).&nbsp; Still messy.</LI> <LI>Create a Day 1 Configuration for Panorama.&nbsp; Maybe messy maybe not.<BR /> <OL class="lia-list-style-type-lower-alpha"> <LI>Import but do not load it.&nbsp; Do not load the Day 1 Configuration on the NGFW.</LI> <LI>Add the Day 1 Configuration device group and template to the candidate configuration via load config partial.</LI> <LI>Nest the Day 1 Configuration device group (sample_devicegroup) into your hierarchy and add the Day 1 Configuration template (iron-skillet) to your stack.</LI> </OL> </LI> </OL> <P>Try the commands below <EM>at your own risk </EM>to see if it adds the Panorama Day 1 Configuration device group and template to your Panorama candidate configuration.</P> <P>&nbsp;</P> <P>load config partial mode merge from-xpath /config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='sample_devicegroup'] &nbsp;to-xpath /config/devices/entry[@name='localhost.localdomain']/device-group from &lt;day1filename&gt;</P> <P>&nbsp;</P> <P>load config partial mode merge from-xpath /config/devices/entry[@name='localhost.localdomain']/template/entry[@name='iron-skillet'] &nbsp;to-xpath /config/devices/entry[@name='localhost.localdomain']/template from &lt;day1filename&gt;</P> <P>&nbsp;</P> <P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CloRCAS" target="_blank" rel="noopener">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CloRCAS</A></P> <P><A href="https://docs.paloaltonetworks.com/panorama/10-1/panorama-admin/manage-firewalls/transition-a-firewall-to-panorama-management/load-a-partial-firewall-configuration-into-panorama" target="_blank" rel="noopener">https://docs.paloaltonetworks.com/panorama/10-1/panorama-admin/manage-firewalls/transition-a-firewall-to-panorama-management/load-a-partial-firewall-configuration-into-panorama</A></P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> <P>&nbsp;</P> <P>Edit:&nbsp; With regard to Panorama, loading the Day 1 Configuration for a new Panorama build is ideal.&nbsp; It also includes modifications to the "shared" device group and items under the Panorama tab in addition to the device group and templates referenced above.</P> Wed, 30 Nov 2022 16:04:05 GMT https://live.paloaltonetworks.com/t5/general-topics/suggestion-on-initial-configuration-of-palo-alto/m-p/522869#M108316 TomYoung 2022-11-30T16:04:05Z https://live.paloaltonetworks.com/t5/general-topics/suggestion-on-initial-configuration-of-palo-alto/m-p/523116#M108349 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/7608">@reaper</a>&nbsp; /<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/77347">@TomYoung</a>&nbsp;,</P> <P><BR />Thanks for the clear explanation. I will follow the same.</P> Fri, 02 Dec 2022 10:08:15 GMT https://live.paloaltonetworks.com/t5/general-topics/suggestion-on-initial-configuration-of-palo-alto/m-p/523116#M108349 Sujanya 2022-12-02T10:08:15Z