Adding a sub-interface to an exsiting Security Zone

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Adding a sub-interface to an exsiting Security Zone

L1 Bithead

Hi,

 

I have a Palo Alto with existing security zones managed via Panorama. I need to add an existing sub-interface to an existing security zone which has been done on Panorama and committed. However, after logging into the firewall node directly the sub-interface does not show it has been assigned to the security zone.

 

Are templates only used to make firewall nodes aware of zones and assigning interfaces, sub-interfaces to zones has to be done locally on the firewalls?

 

I've been unable to find any clear documentation on this.

1 accepted solution

Accepted Solutions

Hi @vvadia

 

Yes, you can change the zone locally and do a commit. And take the time afterwards to bring the config manually in sync so that you will be able to do the changes again on panorama.

View solution in original post

6 REPLIES 6

L7 Applicator

Hi @vvadia

 

Local on the firewall, is there only a green or a green and orange gear showing at the interface that you want to change?

Hi @Remo When I log into the firewall locally, I can see there are green & orange gears in "Interfaces" and in "zones" sections. Kind Regards,

This means the config was changed locally. You need to remove the local config override to bring it again in sync with the panorama config. Then you will be able to configure and also push changes to the firewall from panorama.

Hi @vsys_remo

 

Thanks for the explanation, I guess at some point someone else has changed something locally. It does seem that adding IP objects to groups is not impacted by this as I can see that has been updated locally on the firewall, only assigning a zone to an interface is impacted.

 

For now, reading up on this, there is an element of risk to this, I don't want to be in a situation where I lose the configuration on the firewall. Strategically this does need to get fixed.

 

However, for a tactical solution I need to get working asap, would it be ok to manually assign the sub-interface to a zone? Does this only require a save or a local commit as well?

 

Actually looking at all the interfaces and sub-interfaces they all have a green/orange cog :s

 

 

Hi @vvadia

 

Yes, you can change the zone locally and do a commit. And take the time afterwards to bring the config manually in sync so that you will be able to do the changes again on panorama.

  • 1 accepted solution
  • 5275 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!