topic Re: Integrating Panorama with existing PAN Firewalls? in General Topics

Integrating Panorama with existing PAN Firewalls?

WillWylie — Thu, 10 Dec 2015 14:03:30 GMT

I've inherited an environment where Panorama was an afterthought for 60+ PAN firewalls. Finally convinced management to buy Panorama after we terminated the reason for this mess and had to change passwords on 60+ firewalls individually.

The problem I'm running into is that almost every firewall has different polcies, objects, network profiles and everything else. I can import the device configuration to Panorama, but then I end up with 60+ device groups. Trying to move the devices into a device group and applying the settings fails due to the existing objects.

Whats the best way to handle this? Having 60+ device groups defeats the purpose of central management. I do have the device and network templates working as they should.

Re: Integrating Panorama with existing PAN Firewalls?

BenjAudy.MTL — Fri, 11 Dec 2015 19:02:50 GMT

Hi,

The import is just the initial step of managing your firewalls centrally from Panorama. It's up to you to create the proper device groups. Do you have the exact error message for the existing objects? Do you still have local objects on your firewalls?

Benjamin

Re: Integrating Panorama with existing PAN Firewalls?

pulukas — Fri, 11 Dec 2015 23:47:41 GMT

I feel your pain. I've done a number of conversions from local to Panorama device groups and they are not at all fun and a whole lot of work. But in the end the effort is worth it.

Start with deciding how many groups the 60 devices can be reasonably divided into.

Collect all the common across all group settings.

Create a naming convention so that all objects will be consistently created.

Determine if all policy can be held in the group of if some local policies will be required. And if they are needed then choose the pre or post common rule set model for the group.

I tended to create most objects as global so they could be used across the groups.

Start with a small device and make the naming convention changes and system harminizations. Once ready I used this process to get the devices into Panorama.

I would run these procedures with a lab PA and lab Panorama until the scripts were well honed

create a rollback file for both the device an panorama before starting so there is an easy fallback point

Create the Panorama group

Export the local configuration and create backup snapshots

Import the local configuration as a file to panorama. This will just be used as a source to import objects to global.

Use load config partial [filename] to pull objects from this file into the shared objects in Panorama

object order:

Re: Integrating Panorama with existing PAN Firewalls?

cpainchaud — Mon, 14 Dec 2015 09:09:17 GMT

Pulukas is giving serious hints.

Yet if you don't feel like doing this alone, you should try to contact your PAN sales to get in touch with our Professional Services. They can help you to draft a safe plan with procedures and even execute it.

Thx

Re: Integrating Panorama with existing PAN Firewalls?

AJR15 — Tue, 15 Dec 2015 14:39:34 GMT

I recommend getting comfortable with doing large load config partial's of xml configs and using a text editor like notepad ++ to find replace and add something simply to the end or beginning of the object names in order to avoid duplicates.

once you have everything managed by the pan you can delete and/or rename objects, it is also my understanding that newer versions of the migration tool will enable this feature pretty seamlessly. assuming the vm/tool is approved to run on customers network.

on a side note, if the devices dont exist at all in panorama yet, if you have panorama 7.x.x you can import the device under setup and operations and I've had great luck with that. if you have issues committing with this method due to duplicate names you can delete many of the objects locally and leave as a candidate config then when you push from pano make sure you have 'merge with candidate config' checked off.