topic Re: Adding a sub-interface to an exsiting Security Zone in General Topics

Adding a sub-interface to an exsiting Security Zone

vvadia — Sat, 10 Nov 2018 12:32:49 GMT

Hi,

I have a Palo Alto with existing security zones managed via Panorama. I need to add an existing sub-interface to an existing security zone which has been done on Panorama and committed. However, after logging into the firewall node directly the sub-interface does not show it has been assigned to the security zone.

Are templates only used to make firewall nodes aware of zones and assigning interfaces, sub-interfaces to zones has to be done locally on the firewalls?

I've been unable to find any clear documentation on this.

Re: Adding a sub-interface to an exsiting Security Zone

Remo — Sat, 10 Nov 2018 12:39:00 GMT

Hi @vvadia

Local on the firewall, is there only a green or a green and orange gear showing at the interface that you want to change?

Re: Adding a sub-interface to an exsiting Security Zone

vvadia — Sat, 10 Nov 2018 12:53:01 GMT

Hi @Remo When I log into the firewall locally, I can see there are green & orange gears in "Interfaces" and in "zones" sections. Kind Regards,

Re: Adding a sub-interface to an exsiting Security Zone

Remo — Sat, 10 Nov 2018 13:18:04 GMT

This means the config was changed locally. You need to remove the local config override to bring it again in sync with the panorama config. Then you will be able to configure and also push changes to the firewall from panorama.

Re: Adding a sub-interface to an exsiting Security Zone

vvadia — Sat, 10 Nov 2018 13:36:10 GMT

Hi @vsys_remo

Thanks for the explanation, I guess at some point someone else has changed something locally. It does seem that adding IP objects to groups is not impacted by this as I can see that has been updated locally on the firewall, only assigning a zone to an interface is impacted.

For now, reading up on this, there is an element of risk to this, I don't want to be in a situation where I lose the configuration on the firewall. Strategically this does need to get fixed.

However, for a tactical solution I need to get working asap, would it be ok to manually assign the sub-interface to a zone? Does this only require a save or a local commit as well?

Re: Adding a sub-interface to an exsiting Security Zone

vvadia — Sat, 10 Nov 2018 13:44:00 GMT

Actually looking at all the interfaces and sub-interfaces they all have a green/orange cog :s

Re: Adding a sub-interface to an exsiting Security Zone

Remo — Sat, 10 Nov 2018 13:53:31 GMT

Hi @vvadia

Yes, you can change the zone locally and do a commit. And take the time afterwards to bring the config manually in sync so that you will be able to do the changes again on panorama.