topic Re: Non-interruptive Panorama device migration in General Topics

Non-interruptive Panorama device migration

VAntonenko — Wed, 11 Jan 2017 06:00:32 GMT

Hello!

Is there any way to perform migration of local configured firewall to panorama management without service interruption?

For example:
I use Panorama 7.0
There is configured PA-5060 6.1.5 HA-cluster that I need to migrate to centralized Panorama Management.

Using this tech-note https://www.paloaltonetworks.com/documentation/70/panorama/panorama_adminguide/manage-firewalls/transition-a-firewall-to-panorama-management.html

If i migrate firewall according this guide, after step 6, there will be a service interruption, because I pushing device configuration bundle that removes local configured rules from firewall and committing it. And a this step i shall have service interruption, cause local rules removed, but panorama rules not pushed yet.

Downtime will be equal to time that i'll spend to perfoming step 7 (time for pushing buttons in GUI + time for Panorama to Commit on Device Group.)
Although I have HA-Cluster, it not useful cause HA-devices automatically syncing config between nodes.

In PanOS 6 firewall transition procedure was more complex, but in Panorama Admin Guide described HA-cutover procedure, that lead to in-service migration.

In PanOS 7 migration process little different, and cutover procedure not explained in guide, using cutover procedure from PanOS 6 might not be properly in my case.

Is there way to migrate configured firewall to panorama without service interruption ?

Re: Non-interruptive Panorama device migration

reaper — Wed, 11 Jan 2017 13:17:26 GMT

for this type of migration: from a standalone device to a completely panorama-controlled device, there will always be a service interruption as you need to replace all local policies/interface config/.. with the panorama pushed equivalent

you are not simply replacing a policy with an identical policy, you are replacing a whole set of objects that have a specific ID on the underlying system and are tied to the session table

try these commands to illustrate what I mean:

debug device-server dump idmgr type security-rule all

if you check the ID associated with a rule, you may notice it does not correspond necessarily with the order in which the rule appears in the policy, this is because the ID is assigned based on when it is created rather than it's position in the policy

Re: Non-interruptive Panorama device migration

VAntonenko — Thu, 12 Jan 2017 11:23:26 GMT

Thanks for explanation.

As i understand panorama creating new rules with new ID.

It initiates session teardown, cause original rule associated with sessison is removed.

Ok.

I had this question because last time that i did firewall migration. After just after pushing configuration bundle my PC suspended, and i needed to urgetly search another for logun to GUI, and commit panorama configuration to device group/template.

And part of data center was out of service for couple of minutes.

And another qusetion:

What if i push conifguration bundle, but not commit it, and then commit from panorama to device group?

Can i remove local and push rules from panorama in one step, at same action?

As you describe there still be interruption, but it can rectify human factor.

Re: Non-interruptive Panorama device migration

VAntonenko — Fri, 12 May 2017 08:07:51 GMT

I migrated firewall to panorama management.

Panorama version 7.0.17

Firewall version 6.1.5

I imported configuration,

Commited on panorama.

Then perform push&commit configuration bundle to active device.

Services not interrupted, sessions not teared down.

In this case it worked perfectly.

But there was issue related to version mismatch between panorama and firewall.

Namely parameter Same System MAC Address For Active-Passive HA not existed in PanOS 7. And panorama couldn't commit device template cause this option in empty. Some manipulation with cleaning config through API resolved this issue.