topic Re: configuration change used to be pushed to firewall in General Topics

configuration change used to be pushed to firewall

kevinospf — Wed, 13 Sep 2023 18:39:03 GMT

Hi Configuration change in template/stack used to be pushed to the firewall from panorama. but now after some change(creating new zone etc) made on template is pushed to the firewall, the change cannot be seen at the firewall again. so the configuration not be pushed to the firewall. Palo alto firewall is connected to panorama normally and it shows its in Sync status. Please see the below screenshot. Did I miss some step? Thanks

Re: configuration change used to be pushed to firewall

Claw4609 — Wed, 13 Sep 2023 18:44:09 GMT

On the firewall itself are you seeing the commit job taking place and completely successfully? If so is it possible whatever your are pushing from Panorama has the config overridden on the local firewall?

If you look at the template stack, not the template, in Panorama are the changes reflected there fine?

Re: configuration change used to be pushed to firewall

PavelK — Thu, 14 Sep 2023 00:42:37 GMT

Hello @kevinospf

only to add a few points to @Claw4609 great answer.

There should be no issue with pushing a zone to managed Firewall. I would recommend to check that Template is part of Template Stack where Firewall is assigned and also check the order of Template in Template Stack. For overlapping configurations the priority of Templates in Template Stack is from top to bottom.

Make sure that local configuration is not overriding Template configuration. KB for reference: Pushed config from Panorama not being applied on the local Firewall.

If there is no issue with above points, I would be looking into configuration logs to see what is really happing under: Monitor > Logs > Configuration and for more detailed logs in CLI: tail follow yes mp-log configd.log

Kind Regards

Pavel

Re: configuration change used to be pushed to firewall

kevinospf — Thu, 14 Sep 2023 01:07:36 GMT

Thanks for your reply.

No I cannot see it at all. did I miss some steps?

Looks like some configuration cannot be pushed as the push button is grayed out, while other can be pushed to firewall sometimes.

Are there any rules to control this?

Re: configuration change used to be pushed to firewall

PavelK — Thu, 14 Sep 2023 04:29:47 GMT

Hello @kevinospf

thank you for reply.

At this point, I would try to remove the problematic configuration from your Template, commit it to Panorama, then add the same configuration, commit it and push it again to managed Firewall. While this is being pushed, I would watch out for this job in managed Firewall from task menu:

Once this completes and desired configuration is not in the place, I would review logs on Panorama and managed Firewall to see in depth what was configured:

Panorama: tail follow yes mp-log configd.log

FW: tail follow yes mp-log devsrv.log

Regarding your question whether there is any configuration that can't be pushed from Panorama, the short answer is basically everything that is configurable in Device Group and Template can be pushed. There might be some corner cases, but I could not find any documentation that would pointed out to specific configuration that can't be done from Panorama.

Kind Regards

Pavel

Re: configuration change used to be pushed to firewall

kevinospf — Mon, 18 Sep 2023 16:59:18 GMT

@PavelK

Thanks for your reply. You are right. After test based on what you talked above, I know why some change could not be push via Template.

One more question, Pushing template change does not need Device group change, but pushing Device group change to firewalll needs the Template, is this correct? Please see the below screanshot

Re: configuration change used to be pushed to firewall

PavelK — Mon, 18 Sep 2023 23:39:04 GMT

Hello @kevinospf

thank you for reply.

The "Reference Templates" configuration in Device Group is not mandatory. Technically both Device Group and Template stack are independent configurations, however in some scenarios they have dependency on each other. The Reference Templates is used in the case you are pushing Device Group configuration to the Firewall that has no Template Stack assigned. For example you need zones from Template to push policies in Device Group. Could you check this tutorial: Why Would I Need to Create Reference Templates in Device Groups? and documentation Reference Template (Refer to step No.4).

Kind Regards

Pavel

Re: configuration change used to be pushed to firewall

kevinospf — Tue, 19 Sep 2023 02:04:15 GMT

@PavelK Thank you PavelK for your answer

You talked as below. I have not understand comletely. I can see and check logs in Dashboad. but it looks like the logs are very brief and simple. Is there detail logs in somewhere else?

What does that mean? regarding " tail follow yes mp-log configd.log"

------------------

Once this completes and desired configuration is not in the place, I would review logs on Panorama and managed Firewall to see in depth what was configured:

Panorama: tail follow yes mp-log configd.log

FW: tail follow yes mp-log devsrv.log

Re: configuration change used to be pushed to firewall

PavelK — Tue, 19 Sep 2023 05:30:42 GMT

Hello @kevinospf

thank you for reply.

To get more detailed log to troubleshoot the issue, you should SSH to Panorama, then issue in CLI this command: tail follow yes mp-log configd.log. From CLI you typically get more information compared to logs in GUI.

Kind Regards

Pavel