topic Re: Can Panorama managed devices be configured via the CLI? in General Topics

Can Panorama managed devices be configured via the CLI?

darren_g — Tue, 03 Nov 2020 03:36:12 GMT

Hey folks.

I'm adding a Panorama server into my infrastructure to enable zero touch SDWAN provisioning, and since I've never done Panorama before, I've got a question.

Can panorama managed devices be configured via the CLI?

The reason I ask this is that I do a fair bit of work with AWS and VPC's - and configuring a new VPC into AWS is mostly done via a script that AWS provides which you modify to suit your environment and cut and paste into your firewall via CLI to configure the IPSec tunnels and routing involved.

I *could* go through the script and add the required sections via the GUI - but doing it via CLI is so much easier.

So once I add my firewalls into Panorama, does anyone know if can I still do the configuration via CLI? or will I be forced to transpose everything into the GUI and push it to the firewalls that way?

Thanks for any insight

Re: Can Panorama managed devices be configured via the CLI?

S.Cantwell — Tue, 03 Nov 2020 13:27:41 GMT

Good Day

For the most part... 99% of what you can do in the GUI can be done in the CLI.

That being said... it is much easier to use the GUI, especially when this product is designed to create "snippets" or templates, as they are called in Panorama. These templates are whatever configuration (limited to Network and Device tabs on FWs). So think about login banner, domain name, dynamic update scheduling, authentication servers, interface management profiles, etc)

In addition, the Panorama also is used for Device Groups (Policy and Object tabs in FWs), so think in terms of shared best practice policies, shared objects, shared content ID profiles, etc.

So yes, it is all possible to do via the command line or API commands if you like.

Thanks for the question. Anything else?

Re: Can Panorama managed devices be configured via the CLI?

darren_g — Wed, 17 Feb 2021 04:40:40 GMT

Wow, sorry for the late reply to this - it seems I either missed the notification of your reply, or it didn't get swent.

Thanks for that - so it seems if I have to do the text based configurations, I can - but will the firewall sync this back to Panorama once it's done?

Can you point me to a Panorama adoption or getting started guide? I've built the server, but I haven't yet imported into it - mainly because I've been too busy, but also because I'm wary of breaking things.

Thanks for your reply!

Re: Can Panorama managed devices be configured via the CLI?

S.Cantwell — Wed, 17 Feb 2021 12:16:32 GMT

Darren

Thanks for returning to us! We missed you.

I wanted to clarify m y statement, that when a device is under Panorama control, the configuration items I was discussing was ON the Panorama, and then you push your changes to the FW. The FW does not sync it changes to the Panorama, but the other way away... it synchs changes FROM the Panorama.

As for the link.. here it is..

https://docs.paloaltonetworks.com/panorama/10-0/panorama-admin/set-up-panorama.html

Have a great day.

Re: Can Panorama managed devices be configured via the CLI?

aleksandar.astardzhiev — Wed, 17 Feb 2021 16:09:45 GMT

Hi @darren_g

You still can configure firewall that is managed by Panorama, but the config you apply stays locally. It will not sync with Panorama.

In addition when you put Panorama to the equasion you need to start imagine the firewall configuration as to separate parts

- rules, objects and anything related to policies (policy and objects tabs in fw gui)

- network and device config (network and device tabs in the fw gui)

Config under network and device can have only one value, so if you configure something via Panorama, you can override it locally

Config under policy and object can have many values, so any rule created locally will mix with the rules received from the Panorama. But as you can imagine you cannot have two objects or rules with same name, so if you try to configure something locally that is already pushed by panorama the commit will fail.