https://live.paloaltonetworks.com/t5/general-topics/xml-config-from-panorama-managed-device-where-are-the-policies/m-p/245874#M70048 <P>Hi community,</P><P>&nbsp;</P><P>scenario: When provisioning a standalone firewall with panorama and performing a config-sync to a non-panorama-managed passive HA peer, there are not policies etc.</P><P>After exporting the xml config from the active peer, I noticed, that the xml does not contain any policy rulesets and objects.</P><P>&nbsp;</P><P>Now I wonder:<BR />What happens if panorama is not available and a firewall reboots?</P><P>Where are the policies stored? Do they survive a reboot when no panorama config is available?</P><P>Is there a way to sync a panorama pushed-config to a passive-peer when creating a cluster?</P><P>&nbsp;</P><P>As you guys know, sometimes you cannot just push the config from panorama to the secondary passive peer, because a few dependencies get messy (DG does not work, because of no zone, Template push does not work because zone-protection log-forwarding profile is in the DG config)</P><P>&nbsp;</P><P>Any hints are appreciated</P><P>&nbsp;</P><P>Best Regards</P><P>Chacko</P> Mon, 14 Jan 2019 12:58:45 GMT Chacko42 2019-01-14T12:58:45Z https://live.paloaltonetworks.com/t5/general-topics/xml-config-from-panorama-managed-device-where-are-the-policies/m-p/245874#M70048 <P>Hi community,</P><P>&nbsp;</P><P>scenario: When provisioning a standalone firewall with panorama and performing a config-sync to a non-panorama-managed passive HA peer, there are not policies etc.</P><P>After exporting the xml config from the active peer, I noticed, that the xml does not contain any policy rulesets and objects.</P><P>&nbsp;</P><P>Now I wonder:<BR />What happens if panorama is not available and a firewall reboots?</P><P>Where are the policies stored? Do they survive a reboot when no panorama config is available?</P><P>Is there a way to sync a panorama pushed-config to a passive-peer when creating a cluster?</P><P>&nbsp;</P><P>As you guys know, sometimes you cannot just push the config from panorama to the secondary passive peer, because a few dependencies get messy (DG does not work, because of no zone, Template push does not work because zone-protection log-forwarding profile is in the DG config)</P><P>&nbsp;</P><P>Any hints are appreciated</P><P>&nbsp;</P><P>Best Regards</P><P>Chacko</P> Mon, 14 Jan 2019 12:58:45 GMT https://live.paloaltonetworks.com/t5/general-topics/xml-config-from-panorama-managed-device-where-are-the-policies/m-p/245874#M70048 Chacko42 2019-01-14T12:58:45Z https://live.paloaltonetworks.com/t5/general-topics/xml-config-from-panorama-managed-device-where-are-the-policies/m-p/245922#M70057 <P>Hey&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/79934">@Chacko42</a></P><P>&nbsp;</P><P>You won't see Panorama pushed policies in the firewalls XML running configuration correct. However, you will see it in the device state (you can export it from GUI).</P><P>&nbsp;</P><P>If the Panorama becomes unavailable and Panorama reboots, or if the firewall becomes disconnected from the Panorama - the policies will still remain so no worries about that.</P> Mon, 14 Jan 2019 16:25:10 GMT https://live.paloaltonetworks.com/t5/general-topics/xml-config-from-panorama-managed-device-where-are-the-policies/m-p/245922#M70057 LukeBullimore 2019-01-14T16:25:10Z