topic Re: Panorama templates for an Active/Passive setup? in General Topics

Panorama templates for an Active/Passive setup?

jsalmans — Wed, 09 Jan 2019 17:06:57 GMT

I'm in the process of setting up our new firewalls. I went ahead and set up management on each of them, got them updated, got them paired up into Active/Passive, and am now following the Palo Alto 8.1 guide to migrate an HA config over to Panorama. I'm almost to the end but I have a question concerning the templates. The instructions say to delete the template for the secondary and then add the secondary into the template for the primary, but it also says:

"Do not combine the HA firewall pair in to a single template if a unique Hostname, management IP address, or HA configuration is configured for each HA peer."

I find this a little confusing since everything I've read indicates that each unit in the A/P pair still has to have unique management IP, hostname, etc.

The guide I'm following is here:

https://docs.paloaltonetworks.com/panorama/8-1/panorama-admin/manage-firewalls/transition-a-firewall-to-panorama-management/migrate-a-firewall-ha-pair-to-panorama-management

Can anyone clue me in on what best practices is here? My intention was to have a single config with A/P so I don't have to duplicate VPN changes on a second template. The instructions say to turn config sync back on at the end too so it sounds like it is supposed to use a single template but then wouldn't that mean the passive firewall would be unreachable on its management port, even to Panorama?

Thanks!

Re: Panorama templates for an Active/Passive setup?

dstjames — Wed, 09 Jan 2019 19:56:54 GMT

I usually setup the hostname, management IP and HA information locally on each firewall then push everything else out from a single template to both firewalls.

I also have 2 templates that I have setup in a template stack. 1 that has basic configurations that I want all firewalls in the environment to have like NTP servers, logging servers, etc. Then I have a specific template for each HA pair in the template stack and push the template stack out to the firewalls. This way you can make sure that the common settings are applied the exact same to all firewalls in the environment but also maintain individual site settings.

Not sure if this is best practice but its how I configured it.

Re: Panorama templates for an Active/Passive setup?

jsalmans — Wed, 09 Jan 2019 20:07:01 GMT

@dstjamesthanks for the reply. That is actually what I ended up trying and it seems to work. Panorama actually has no config information for those fields and they're just defined locally on the firewalls. Since they won't sync even after config sync is re-enabled, they should remain unique on each.

I'm really curious why the instructions are worded like that... it doesn't make it clear if they're talking about management IP/hostname config in the Panorama templtate or the settings on the local configs on the firewalls.