Adding a sub-interface to an existing Security Zone

L1 Bithead

Hi,

I have a Palo Alto with existing security zones managed via Panorama. I need to add an existing sub-interface to an existing security zone, which has been done on Panorama and committed. However, after logging into the firewall node directly, the sub-interface does not show it has been assigned to the security zone.

Are templates only used to make firewall nodes aware of zones, while assigning interfaces and sub-interfaces to zones has to be done locally on the firewalls?

I've been unable to find any clear documentation on this.

L7 Applicator

Re: Adding a sub-interface to an existing Security Zone

Hi @vvadia

Locally on the firewall, is there only a green gear, or a green and orange gear, showing at the interface that you want to change?

L1 Bithead

Re: Adding a sub-interface to an existing Security Zone

Hi @vsys_remo

When I log into the firewall locally, I can see there are green & orange gears in the "Interfaces" and "Zones" sections.

Kind Regards,

L7 Applicator

Re: Adding a sub-interface to an existing Security Zone

This means the config was changed locally. You need to remove the local config override to bring it back in sync with the Panorama config. Then you will be able to configure and also push changes to the firewall from Panorama.

L1 Bithead

Re: Adding a sub-interface to an existing Security Zone

Hi @vsys_remo

Thanks for the explanation. I guess at some point someone else has changed something locally. It does seem that adding IP objects to groups is not impacted by this, as I can see that has been updated locally on the firewall; only assigning a zone to an interface is impacted.

For now, reading up on this, there is an element of risk to this. I don't want to be in a situation where I lose the configuration on the firewall. Strategically, this does need to get fixed.

However, for a tactical solution I need to get working ASAP, would it be OK to manually assign the sub-interface to a zone? Does this only require a save, or a local commit as well?

L1 Bithead

Re: Adding a sub-interface to an existing Security Zone

Actually, looking at all the interfaces and sub-interfaces, they all have a green/orange cog :s

L7 Applicator

Re: Adding a sub-interface to an existing Security Zone

Hi @vvadia

Yes, you can change the zone locally and do a commit. And take the time afterwards to bring the config manually in sync so that you will be able to do the changes again on Panorama.
