Integrating Panorama with existing PAN Firewalls?


L1 Bithead

I've inherited an environment where Panorama was an afterthought for 60+ PAN firewalls. Finally convinced management to buy Panorama after we terminated the reason for this mess and had to change passwords on 60+ firewalls individually.

The problem I'm running into is that almost every firewall has different policies, objects, network profiles and everything else. I can import the device configuration to Panorama, but then I end up with 60+ device groups. Trying to move the devices into a device group and applying the settings fails due to the existing objects.

What's the best way to handle this? Having 60+ device groups defeats the purpose of central management. I do have the device and network templates working as they should.


L4 Transporter

Hi,

The import is just the initial step of managing your firewalls centrally from Panorama. It's up to you to create the proper device groups. Do you have the exact error message for the existing objects? Do you still have local objects on your firewalls?

Benjamin

L7 Applicator

I feel your pain. I've done a number of conversions from local to Panorama device groups and they are not at all fun and a whole lot of work. But in the end the effort is worth it.

Start with deciding how many groups the 60 devices can be reasonably divided into.

Collect all the settings common across all groups.

Create a naming convention so that all objects will be consistently created.

Determine if all policy can be held in the group or if some local policies will be required. And if they are needed then choose the pre or post common rule set model for the group.

I tended to create most objects as global so they could be used across the groups.

Start with a small device and make the naming convention changes and system harmonizations. Once ready I used this process to get the devices into Panorama.

I would run these procedures with a lab PA and lab Panorama until the scripts were well honed.

Create a rollback file for both the device and Panorama before starting so there is an easy fallback point.

Create the Panorama group.

Export the local configuration and create backup snapshots.

Import the local configuration as a file to Panorama. This will just be used as a source to import objects to global.

Use load config partial [filename] to pull objects from this file into the shared objects in Panorama.

Object order:

tags
addresses
address groups
services
service groups
custom applications
profiles
profile groups
security policies
NAT policies
application override policies

Delete all the local configuration objects but do not commit.

Add the device to Panorama.

Commit and override from Panorama.

Schedule the migrations.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

Puluka is giving serious hints.

Yet if you don't feel like doing this alone, you should try to contact your PAN sales to get in touch with our Professional Services. They can help you to draft a safe plan with procedures and even execute it.

Thx

L1 Bithead

I recommend getting comfortable with doing large load config partials of XML configs and using a text editor like Notepad++ to find/replace and add something simple to the end or beginning of the object names in order to avoid duplicates.

Once you have everything managed by the Panorama you can delete and/or rename objects. It is also my understanding that newer versions of the Migration Tool will enable this feature pretty seamlessly, assuming the VM/tool is approved to run on the customer's network.

On a side note, if the devices don't exist at all in Panorama yet, and you have Panorama 7.x.x, you can import the device under Setup and Operations, and I've had great luck with that. If you have issues committing with this method due to duplicate names, you can delete many of the objects locally and leave that as a candidate config; then, when you push from Panorama, make sure you have 'merge with candidate config' checked off.
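The two replies above describe the same migration mechanics from different angles: Steve Puluka's object order for pulling each object type out of the exported firewall config with load config partial, and the suggestion to prefix or suffix object names in the XML before loading so they do not collide with what is already in Panorama. The script below is an added example (not code from the thread, from Palo Alto Networks, or from the Migration Tool) that does both against a constructed sample export: it prefixes tag, address, address-group, service and service-group names, rewrites the references to them scoped by the element that holds the reference (so a zone named the same as a tag is not touched, which a blind text find/replace would get wrong), and prints the load commands in the thread's object order for the containers actually present. Assumptions, not taken from the thread: the default vsys1 xpath, a hypothetical device group called branch-east, the Panorama pre-rulebase xpath for policies, and the command shape `load config partial mode merge from-xpath ... to-xpath ... from <file>`; check all of these against the CLI of your own PAN-OS and Panorama versions before running anything, and take the rollback snapshots first as the reply recommends.

```python
"""Added example (not code from the thread or from Palo Alto Networks).

Prepares an exported PAN-OS firewall running-config.xml for 'load config
partial' into Panorama shared objects: prefixes object names so they cannot
collide with objects already in Panorama, rewrites the references to them,
and emits the load commands in the object order given in the thread.
Assumptions: default vsys1, the command shape
'load config partial mode merge from-xpath ... to-xpath ... from <file>',
and Panorama pre-rulebase xpaths; verify both against your PAN-OS version.
Standard library only.
"""
import xml.etree.ElementTree as ET

# Constructed sample export (not real data). Note the zone 'dmz' and the tag
# 'dmz' share a name: a blind text find/replace would rename the zone too.
SAMPLE_CONFIG = """<config version="8.1.0">
<devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
<tag><entry name="dmz"><color>color3</color></entry></tag>
<address>
<entry name="web01"><ip-netmask>10.1.1.10/32</ip-netmask><tag><member>dmz</member></tag></entry>
<entry name="web02"><ip-netmask>10.1.1.11/32</ip-netmask></entry>
</address>
<address-group><entry name="web-servers"><static><member>web01</member><member>web02</member></static></entry></address-group>
<service><entry name="tcp-8443"><protocol><tcp><port>8443</port></tcp></protocol></entry></service>
<rulebase><security><rules><entry name="allow-web">
<from><member>untrust</member></from><to><member>dmz</member></to>
<source><member>any</member></source><destination><member>web-servers</member></destination>
<service><member>tcp-8443</member></service><application><member>web-browsing</member></application>
<action>allow</action><tag><member>dmz</member></tag>
</entry></rules></security></rulebase>
</entry></vsys></entry></devices>
</config>"""

VSYS = "devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']"

# Object types that share one reference namespace (a group can be referenced
# anywhere its member type can), and the parent elements that hold such
# references. Zone references (<from>/<to>) are deliberately not listed.
NAMESPACES = {"address": ("address", "address-group"),
              "service": ("service", "service-group"),
              "tag": ("tag",)}
REF_PARENTS = {"source": "address", "destination": "address", "static": "address",
               "service": "service", "members": "service", "tag": "tag"}

# Load order from the thread: shared objects first, then policies into the
# device group's pre-rulebase (policies are not shared objects).
SHARED_CONTAINERS = ["tag", "address", "address-group", "service", "service-group",
                     "application", "profiles", "profile-group"]
POLICY_CONTAINERS = ["security", "nat", "application-override"]


def rename_objects(root, prefix):
    """Prefix object names in place; return {namespace: {old_name: new_name}}."""
    vsys = root.find(VSYS)
    renamed = {}
    for ns, containers in NAMESPACES.items():
        mapping = {}
        for container in containers:
            for entry in vsys.findall(f"{container}/entry"):
                old = entry.get("name")
                mapping[old] = prefix + old
                entry.set("name", mapping[old])
        renamed[ns] = mapping
    # Rewrite references, scoped by the parent element so a zone or an
    # application that happens to share a name with a tag is left alone.
    for parent in vsys.iter():
        ns = REF_PARENTS.get(parent.tag)
        if ns is None:
            continue
        for member in parent.findall("member"):
            member.text = renamed[ns].get(member.text, member.text)
    return renamed


def plan_loads(root, filename, device_group):
    """Return the 'load config partial' CLI lines, in thread order, for the
    containers that actually exist in the export."""
    vsys = root.find(VSYS)
    dg = (f"/config/devices/entry[@name='localhost.localdomain']"
          f"/device-group/entry[@name='{device_group}']")
    steps = [(c, f"/config/{VSYS}/{c}", f"/config/shared/{c}") for c in SHARED_CONTAINERS]
    steps += [(f"rulebase/{c}/rules", f"/config/{VSYS}/rulebase/{c}/rules",
               f"{dg}/pre-rulebase/{c}/rules") for c in POLICY_CONTAINERS]
    return [f"load config partial mode merge from-xpath {src} to-xpath {dst} from {filename}"
            for rel, src, dst in steps if vsys.find(rel) is not None]


def prepare(config_xml, prefix, filename, device_group):
    """Rename, plan, and return (rewritten_xml, rename_map, cli_commands)."""
    root = ET.fromstring(config_xml)
    renamed = rename_objects(root, prefix)
    commands = plan_loads(root, filename, device_group)
    return ET.tostring(root, encoding="unicode"), renamed, commands


if __name__ == "__main__":
    # 'branch-east' is a hypothetical device group name.
    xml_out, renamed, commands = prepare(SAMPLE_CONFIG, "fw01-", "fw01-running.xml", "branch-east")
    print(xml_out)
    print("\n".join(commands))
```

Write the rewritten XML out, import that file into Panorama, and run the printed commands from Panorama's configure mode in the order given; commit only after the full set has loaded cleanly, since a reference to a not-yet-loaded object is exactly what a partially loaded batch looks like. The scoped rewrite is the point of the example: the rule's `<to>` zone keeps the name dmz while the tag becomes fw01-dmz, and `any` is left alone because it is a keyword, not an object.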
