topic How do you Commit the configuration of a Panorama to an existing HA Pair of 5060s? in General Topics

How do you Commit the configuration of a Panorama to an existing HA Pair of 5060s?

Nonno1 — Wed, 05 Mar 2014 16:32:47 GMT

I followed the instructions from “Panorama-Device-Migration-Tech_Note-revB.pdf” using the CLI method to capture the configuration of an HA Pair of 5060 running PAN OS 5.0.11 and paste it to the Panorama running PAN OS 6.0. The Migration Checklist states during the cutover process to cutover 1 firewall first. The document states after deleting the Rules, objects etc. on the FW, when committing the configuration to the HA pair, follow the documented HA procedure to minimize network impact. What are they referring to when they say “follow the documented HA procedure? I cannot find anything referencing what they mean. I figure I should leave the passive FW alone and do the Active one first because when doing a commit on the Active FW it usually pushes the configuration to the Passive FW.

But, What impact does the Device Group have when you set the FWs up as an HA pair in the Device Group? Also, when deleting the items from the Active FW, should I also delete them from the Passive FW?

Another approach that I have read is to rename the objects, policies etc. on the Panorama then commit it to the FWs. What does that do to the existing configuration on the FW? Is there now a duplicate configuration with a different set of names? Or does it overwrite the existing configuration?

Lots of questions and scenarios that I cannot find answers to anywhere.

Re: How do you Commit the configuration of a Panorama to an existing HA Pair of 5060s?

HULK — Wed, 05 Mar 2014 20:29:05 GMT

Hello Nonno1,

Point-1: We will add devices into Panorama based on their Serial number, and it does not matter from Panorama point of view, whether the devices are standalone or in HA. The panorama will always treat as an individual device. Please follow the mentioned KB article to understand information synchronized in HA pair Information Synchronized in an HA Pair

NOTE: If you use untrust interface of the device as service route, the configuration will be pushed only to active device (assuming policies are configured correctly) because only 1 IP is active at a time for active/passive, even though you have the same IP on both devices. Suggested configuration would be to use management interface itself. Since the management IP address is unique for both devices, you will not have any issues and will prevent extra bandwidth consumption on untrust interface.

Point-2: If you want to merge the panorama pushed config with your PAN FW local config, you should use the option "merge with candidate config". But if you want to override your FW config with Panorama pushed config, then you have to check the option "Force template values".

Hope this helps.

Thanks

Re: How do you Commit the configuration of a Panorama to an existing HA Pair of 5060s?

Nonno1 — Thu, 06 Mar 2014 13:33:36 GMT

I will give this a try.

Our SE answered my question this morning also. The only addition he made was to Disable Config Sync in the FWs before pushing configuration from Panorama.

Thank You