https://live.paloaltonetworks.com/t5/general-topics/one-template-in-panorama-for-ha-pair-of-firewalls/m-p/167683#M53530 <P><SPAN>Transition/migrate HA pair to firewall</SPAN></P><P><SPAN>&nbsp;</SPAN></P><P><SPAN>I followed those instructions <A href="https://www.paloaltonetworks.com/documentation/80/panorama/panorama_adminguide/manage-firewalls/migrate-a-firewall-to-panorama-management#_39720" target="_blank">https://www.paloaltonetworks.com/documentation/80/panorama/panorama_adminguide/manage-firewalls/migrate-a-firewall-to-panorama-management#_39720</A>, steps from 1 to 7 and successfully migrated 3 HA pairs to Panorama management.</SPAN></P><P><SPAN>&nbsp;</SPAN></P><P><SPAN>After migration I've got in Panorama 3 device groups and 6 device templates. </SPAN></P><P><SPAN>&nbsp;</SPAN></P><P><SPAN>In this document <A href="https://live.paloaltonetworks.com/t5/Management-Articles/Any-special-considerations-when-importing-HA-firewall/ta-p/114668" target="_blank">https://live.paloaltonetworks.com/t5/Management-Articles/Any-special-considerations-when-importing-HA-firewall/ta-p/114668</A> is written that each firewall has to use its own template (bellow special note). This limitation is annoying and can lead to mistakes. After checking template values I think there is no need for this limitation and I think I could put both firewalls into the same template because relevant values for HA aren't part of the template (e.g. High Availability - General - Preemptive - Device Priority).</SPAN></P><P><SPAN>&nbsp;</SPAN></P><P><SPAN>Is this correct, or has anyone experience with such deployment (two firewalls and one template) in the production (<A href="https://live.paloaltonetworks.com/t5/Management-Articles/How-to-add-a-locally-managed-firewall-to-panorama-management/tac-p/165380#M" target="_blank">https://live.paloaltonetworks.com/t5/Management-Articles/How-to-add-a-locally-managed-firewall-to-panorama-management/tac-p/165380#M</A>)?</SPAN></P><P><SPAN>&nbsp;</SPAN></P><P><SPAN>Regards Milan</SPAN></P> Fri, 21 Jul 2017 13:24:47 GMT Milan_Lesnik 2017-07-21T13:24:47Z https://live.paloaltonetworks.com/t5/general-topics/one-template-in-panorama-for-ha-pair-of-firewalls/m-p/167683#M53530 <P><SPAN>Transition/migrate HA pair to firewall</SPAN></P><P><SPAN>&nbsp;</SPAN></P><P><SPAN>I followed those instructions <A href="https://www.paloaltonetworks.com/documentation/80/panorama/panorama_adminguide/manage-firewalls/migrate-a-firewall-to-panorama-management#_39720" target="_blank">https://www.paloaltonetworks.com/documentation/80/panorama/panorama_adminguide/manage-firewalls/migrate-a-firewall-to-panorama-management#_39720</A>, steps from 1 to 7 and successfully migrated 3 HA pairs to Panorama management.</SPAN></P><P><SPAN>&nbsp;</SPAN></P><P><SPAN>After migration I've got in Panorama 3 device groups and 6 device templates. </SPAN></P><P><SPAN>&nbsp;</SPAN></P><P><SPAN>In this document <A href="https://live.paloaltonetworks.com/t5/Management-Articles/Any-special-considerations-when-importing-HA-firewall/ta-p/114668" target="_blank">https://live.paloaltonetworks.com/t5/Management-Articles/Any-special-considerations-when-importing-HA-firewall/ta-p/114668</A> is written that each firewall has to use its own template (bellow special note). This limitation is annoying and can lead to mistakes. After checking template values I think there is no need for this limitation and I think I could put both firewalls into the same template because relevant values for HA aren't part of the template (e.g. High Availability - General - Preemptive - Device Priority).</SPAN></P><P><SPAN>&nbsp;</SPAN></P><P><SPAN>Is this correct, or has anyone experience with such deployment (two firewalls and one template) in the production (<A href="https://live.paloaltonetworks.com/t5/Management-Articles/How-to-add-a-locally-managed-firewall-to-panorama-management/tac-p/165380#M" target="_blank">https://live.paloaltonetworks.com/t5/Management-Articles/How-to-add-a-locally-managed-firewall-to-panorama-management/tac-p/165380#M</A>)?</SPAN></P><P><SPAN>&nbsp;</SPAN></P><P><SPAN>Regards Milan</SPAN></P> Fri, 21 Jul 2017 13:24:47 GMT https://live.paloaltonetworks.com/t5/general-topics/one-template-in-panorama-for-ha-pair-of-firewalls/m-p/167683#M53530 Milan_Lesnik 2017-07-21T13:24:47Z https://live.paloaltonetworks.com/t5/general-topics/one-template-in-panorama-for-ha-pair-of-firewalls/m-p/167707#M53533 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/37841">@Milan_Lesnik</a></P><P>&nbsp;</P><P>We already have a lot of such deployments. The dedicated template is only in the migration. After that you're free to change everything you want. You only need dedicated templates when you use them for settings which aren't the same on both firewalls.</P><P>In your case it is no problem to use one template for both clustermembers. In my case we use template stacks which contain multiple templates (global settings template, clustersettings template and devicespecific templates for each firewall with settings like mgmt ip, hostname ...)</P><P>&nbsp;</P><P>Just keep in mind that you need to delete the devicespecific values from the import templates and the you could apply this one template to both firewalls of your HA pair.</P><P>&nbsp;</P><P>Hope this helps.</P><P>&nbsp;</P><P>Regards,</P><P>Remo</P> Fri, 21 Jul 2017 15:04:32 GMT https://live.paloaltonetworks.com/t5/general-topics/one-template-in-panorama-for-ha-pair-of-firewalls/m-p/167707#M53533 Remo 2017-07-21T15:04:32Z https://live.paloaltonetworks.com/t5/general-topics/one-template-in-panorama-for-ha-pair-of-firewalls/m-p/167826#M53567 <P>Hi</P><P>&nbsp;</P><P>It helps, thank you for the answer.</P><P>&nbsp;</P><P>During migration dedicated template, after migration one template for both firewalls.</P><P>&nbsp;</P><P>Regards Milan</P> Sat, 22 Jul 2017 19:32:39 GMT https://live.paloaltonetworks.com/t5/general-topics/one-template-in-panorama-for-ha-pair-of-firewalls/m-p/167826#M53567 Milan_Lesnik 2017-07-22T19:32:39Z