https://live.paloaltonetworks.com/t5/general-topics/panorama-and-active-active-configurations/m-p/252817#M71839 <P>Hi,</P><P>&nbsp;</P><P>Recently, we added more PA devices to our infrastructure and we decided to start using Panorma to manage all these devices.</P><P>So far, we haven't experienced an improvement in efficiency or user/admin friendliness.</P><P>&nbsp;</P><P>Let me (try to) explain:</P><P>We have two firewalls who are configured as an active/active setup. (No panorma yet).</P><P>These firewalls had to use different virtual router configuration so that part could not be synced.</P><P>Whenever we needed to add policies, we could perform this on one node and let commit do the replication as well.</P><P>&nbsp;</P><P>Now, with Panorma added, things apparantly have changed but, the way I see it, not necessarily for the better.</P><P>Changes now need to happen at the Panorama (makes sense), but because of earlier mentioned virtual router situation these firewalls cannot be added together in a device group or so I'm told.</P><P>And this means whenever a (policy) change needs to be implemented it needs to be done seperately on both firewalls through seperate push and commits?</P><P>&nbsp;</P><P>Please help me understand this better, or explain what can be improved in this situation. To configure Panorama to help us more instead of creating more work.</P> Fri, 08 Mar 2019 08:06:49 GMT mvdven 2019-03-08T08:06:49Z https://live.paloaltonetworks.com/t5/general-topics/panorama-and-active-active-configurations/m-p/252817#M71839 <P>Hi,</P><P>&nbsp;</P><P>Recently, we added more PA devices to our infrastructure and we decided to start using Panorma to manage all these devices.</P><P>So far, we haven't experienced an improvement in efficiency or user/admin friendliness.</P><P>&nbsp;</P><P>Let me (try to) explain:</P><P>We have two firewalls who are configured as an active/active setup. (No panorma yet).</P><P>These firewalls had to use different virtual router configuration so that part could not be synced.</P><P>Whenever we needed to add policies, we could perform this on one node and let commit do the replication as well.</P><P>&nbsp;</P><P>Now, with Panorma added, things apparantly have changed but, the way I see it, not necessarily for the better.</P><P>Changes now need to happen at the Panorama (makes sense), but because of earlier mentioned virtual router situation these firewalls cannot be added together in a device group or so I'm told.</P><P>And this means whenever a (policy) change needs to be implemented it needs to be done seperately on both firewalls through seperate push and commits?</P><P>&nbsp;</P><P>Please help me understand this better, or explain what can be improved in this situation. To configure Panorama to help us more instead of creating more work.</P> Fri, 08 Mar 2019 08:06:49 GMT https://live.paloaltonetworks.com/t5/general-topics/panorama-and-active-active-configurations/m-p/252817#M71839 mvdven 2019-03-08T08:06:49Z https://live.paloaltonetworks.com/t5/general-topics/panorama-and-active-active-configurations/m-p/253918#M72083 <P>Hi</P> <P>&nbsp;</P> <P>You want to look into using template stacks</P> <P>This allows for 2 or more firewalls to have certain shared and certain not-shared config bits to still happily coexist in a single device group</P> <P>&nbsp;</P> <P><A href="https://docs.paloaltonetworks.com/panorama/8-0/panorama-admin/panorama-overview/centralized-firewall-configuration-and-update-management/templates-and-template-stacks" target="_blank">https://docs.paloaltonetworks.com/panorama/8-0/panorama-admin/panorama-overview/centralized-firewall-configuration-and-update-management/templates-and-template-stacks</A></P> <P>&nbsp;</P> <P>&nbsp;</P> Fri, 15 Mar 2019 12:57:05 GMT https://live.paloaltonetworks.com/t5/general-topics/panorama-and-active-active-configurations/m-p/253918#M72083 reaper 2019-03-15T12:57:05Z