We are in a situation where we have over 50 Palo Altos that we have migrated to panorama over the years. Many of our Palos still have local rules on them as well as Panorama based rules. We would like to convert these firewalls to use only Panorama rules. To our understanding you can export the firewalls from Panorama and then import them again into Panorama and convert the local configuration to a Panorama based configuration. We are unable to remove the firewall from Panorama completely so that we can import it back to convert that configurationto Panorama only based rules.
After we disconnect the firewall from panorama
(Device>Setup>Management>Panorama Settings>Disable Panorama Policy & Objects) as well as (Device>Setup>Management>Panorama Settings>Disable Device and Network Template)
then we remove the device from "Device Groups" and from "Templates" we still end up with those Devices still showing in the Firewall policies. If we try to commit to Panorama the commit fails with a Validation error for the Device serial # saying that there is an ivalid reference for a security policy. In short my question is how do you remove a Firewall completely from Panorama?
Looks like you have policies that are targeted to only specific firewalls - those policies will need to be modified to remove those targets in panorama
Thank You for responding. The situation is that it errors out for all policies that contain this firewall. Due to the large number of policies that we have (DataCenter sites and Hosting sites have firewalls hundreds of policies each) we could not export and then import these devices because we would have to remove them from 1000's of policies. It wouldnt be feasible but thank you so much for responding!
Things become much more manageable if you do this directly via the XML configuration file, or through the migration tool. That may be your best option with needing to modify that many policies.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!