Failed to add imported nodes into Panorama

L5 Sessionator

Failed to add imported nodes into Panorama

Hey Team,

 

I thought I would share my experiences with adding firewalls into Panorama and receiving the error message in the subject. The scenario is a HA pair with multi-vsys compatibility enabled - and 5 virtual systems. In all cases, adding the Primary/Active firewall to Panorama works perfectly fine; the issue lies with adding the Secondary/Passive firewall after doing the operation "Import device configuration to Panorama" the message "Failed to add imported nodes into Panorama" is shown.

 

After looking at the confd logs with TAC we can see that its failing because it mentions that the device group names already exist. In step 5.3 in the below documentation, the device group names for the Secondary/Passive firewall have already been prefixed with a character to avoid name duplicates yet the issue still arises.

 

https://www.paloaltonetworks.com/documentation/80/panorama/panorama_adminguide/manage-firewalls/tran...

 

Upon further investigation from TACs side they gave us a workaround to modify the names of the virtual systems on the Secondary/Passive firewall then proceed once more with the import - this seems to work. As this is of course a workaround and not an actual solution they looked into this further and found that this is actually expected behaviour, but the documentation should be updated to include the below steps which also work - if anyone has ever faced this before let me know but this issue does seem specific to importing HA firewalls with multiple virtual systems so I'm surprised it hasn't been raised before.

 

1. Import device group from HA peer-1 followed by panorama commit.
2. Export, Push and commit the configuration bundle to HA Peer-1.
3. Delete Device groups from Panorama after Push&Commit to HA Peer-1.
4. Import device group from HA peer-2 followed by panorama commit.
5. Export, Push and commit the configuration bundle to HA Peer-2.
6. Associate HA peer-1 and HA peer-2 into one device group (the one created during HA Peer-2 import)

 

The steps are also the same and also work if you start with the Secondary/Passive unit and resume "HA-peer-1" is the Passive device.

 

Thanks,

Luke.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!