Failed to add imported nodes into Panorama

LukeBullimore — Mon, 15 Oct 2018 14:58:59 GMT

Hey Team,

I thought I would share my experiences with adding firewalls into Panorama and receiving the error message in the subject. The scenario is a HA pair with multi-vsys compatibility enabled - and 5 virtual systems. In all cases, adding the Primary/Active firewall to Panorama works perfectly fine; the issue lies with adding the Secondary/Passive firewall after doing the operation "Import device configuration to Panorama" the message "Failed to add imported nodes into Panorama" is shown.

After looking at the confd logs with TAC we can see that its failing because it mentions that the device group names already exist. In step 5.3 in the below documentation, the device group names for the Secondary/Passive firewall have already been prefixed with a character to avoid name duplicates yet the issue still arises.

https://www.paloaltonetworks.com/documentation/80/panorama/panorama_adminguide/manage-firewalls/transition-a-firewall-to-panorama-management/migrate-a-firewall-ha-pair-to-panorama-management

Upon further investigation from TACs side they gave us a workaround to modify the names of the virtual systems on the Secondary/Passive firewall then proceed once more with the import - this seems to work. As this is of course a workaround and not an actual solution they looked into this further and found that this is actually expected behaviour, but the documentation should be updated to include the below steps which also work - if anyone has ever faced this before let me know but this issue does seem specific to importing HA firewalls with multiple virtual systems so I'm surprised it hasn't been raised before.

1. Import device group from HA peer-1 followed by panorama commit.
2. Export, Push and commit the configuration bundle to HA Peer-1.
3. Delete Device groups from Panorama after Push&Commit to HA Peer-1.
4. Import device group from HA peer-2 followed by panorama commit.
5. Export, Push and commit the configuration bundle to HA Peer-2.
6. Associate HA peer-1 and HA peer-2 into one device group (the one created during HA Peer-2 import)

The steps are also the same and also work if you start with the Secondary/Passive unit and resume "HA-peer-1" is the Passive device.

Thanks,

Luke.

Re: Failed to add imported nodes into Panorama

JD-SECD — Fri, 12 Jun 2020 13:47:51 GMT

This was a great solution to this problem! its crazy this isn't documented! I was running PANOS 9.0.8 on both the firewall (PA-3220) and the Panorama-VM.

I suppose PANW thinks folks are going to start the multi-vsys configuration from Panorama? Like you mentioned, perhaps there aren't enough people facing this issue to rewrite that article.

Re: Failed to add imported nodes into Panorama

VittoriaLorusso — Mon, 03 Aug 2020 11:03:27 GMT

Also me I had this problem, Why the TAC doesn't update the procedure? Also a footnote would be much appreciated.

topic Re: Failed to add imported nodes into Panorama in General Topics

Failed to add imported nodes into Panorama

Re: Failed to add imported nodes into Panorama

Re: Failed to add imported nodes into Panorama