topic Re: moving away from a disconnected panorama in General Topics

moving away from a disconnected panorama

JasonY — Wed, 12 Apr 2017 15:26:34 GMT

Hi All,

we recently got disconnected from the parent company and I ended up with all the network access and policies that I can't edit, and i'm afraid to touch the disconnect from panorma without asking first...

If I disconnected, will the policies becames local ann I can edit them? or what's the best scenario?

I'm database developer that inherited a user/pass to our firewall/router/vpn and many blocked policies that we need to loosen.. for a PA500

any help is appreciated please.

thanks

Jason

Re: moving away from a disconnected panorama

bradk14 — Wed, 12 Apr 2017 15:17:01 GMT

There are a couple of options.

First (and probably most preferable in your case) is to determine whether the Panorama policies are Pre-Rules or Post-Rules. If they are Post-Rules, you should be able to create your own policies on the local firewall which will effectively override Panorama rules as it's a top-down, first match approach.

If that's not an option, you can indeed prevent Panorama from affecting local policies, at which point you should have the option to import/copy the Panorama policies into the local firewall.

I would advise reading this document before making that decision: https://live.paloaltonetworks.com/t5/Management-Articles/Disable-Panorama-Policy-and-Objects-Disable-Device-and-Network/ta-p/76539

Re: moving away from a disconnected panorama

JasonY — Wed, 12 Apr 2017 15:25:14 GMT

Hi and Thanks for stepping in, which option won't drop the netowrk or at least would bring it down for couple of minutes, also which one is revirsable if something went wrong?

I'd think option#1 will be better, but how to tell the post or Pre rules?

Re: moving away from a disconnected panorama

bradk14 — Wed, 12 Apr 2017 15:30:35 GMT

Hi and Thanks for stepping in, which option won't drop the netowrk or at least would bring it down for couple of minutes, also which one is revirsable if something went wrong?

neither should bring the network down. what you are effectively doing is taking away Panorama's ability to dictate policies with the second option, but it's still actually connected and reporting to Panorama as far as I know.

I'd think option#1 will be better, but how to tell the post or Pre rules?

easiest way is to create a local policy. if it shows up at the top, then you can override Panorama as you wish. if it's at the bottom, Panorama will enforce its rules first. And of course it can end up in the middle if Panorama is using both pre and Post rules.

Re: moving away from a disconnected panorama

JasonY — Wed, 12 Apr 2017 15:36:44 GMT

Great! can I use that to just create a basic policy to allow all for example?

https://www.paloaltonetworks.com/documentation/60/pan-os/pan-os/getting-started/set-up-basic-security-policies

Re: moving away from a disconnected panorama

bradk14 — Wed, 12 Apr 2017 15:47:01 GMT

you could, just to see where it ends up in the list, but I wouldn't advise performing a commit with it in a production environment. if you're just trying to test the waters, I would impose limits on some level such as limiting source zone/ip to your own. Remember it's a top-down approach, so if you put a generic allow any rule at the top, it means your firewall is effectively not doing anything and will allow all traffic to and from anywhere (though as a safeguard, you are forced to actively choose the ANY option for the destination zone and source zone if that's your aim).

Re: moving away from a disconnected panorama

JasonY — Wed, 12 Apr 2017 18:01:48 GMT

thank you so much, that worked !! it was on the top, I commited and everything worked again, now i'll start to figure out how to play wit the policies