I am looking to move my firewalls from one Panorama (7.0.3) device group to a new device group. All active policy rules have been cloned over to the new device group from the existing device group, and the objects are all "shared".
Even though all the rules being installed are the same, and are being installed on the same set of firewalls, just under a new device group name, I fear that since there are active NAT rules, there may be some NAT-related issues when the new device group gets applied.
Does anyone know of any issues when migrating between device groups?
Here is the response from Palo Alto support -
It is suggested to perform the change during a maintenance window since it is wiping and rewriting the configuration on the firewall.
Although all objects and policies might be identical, because the firewall is being moved between different device groups, the entire previous configuration will get removed and replaced by a new one (replacing the old XML with a new one, in essence).
This means all objects will be removed and re-added and could be assigned a different 'id' by the idmgr process, causing mismatches in existing sessions (each newly added object, zone, rule, ... is assigned an 'id' which is then used by the underlying engines to properly match sessions).
It's recommended to perform this task during a maintenance window to minimise impact.
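Before the move, a quick parity check of the cloned rulebases catches a rule that did not make it into the new device group (the NAT rules the question worries about, for example). The script below is an added example, not from the thread or from Palo Alto Networks; it parses a constructed Panorama-style config export and assumes the device-group XML layout shown in the sample (`device-group/entry/pre-rulebase/{security,nat}/rules/entry`), which should be verified against a real export.

```python
import xml.etree.ElementTree as ET

# Constructed Panorama-style config fragment (not a real export). The
# element paths are an assumption about the PAN-OS schema; check them
# against `show config running` on your own Panorama before relying on them.
SAMPLE_CONFIG = """<config>
  <devices><entry name="localhost.localdomain"><device-group>
    <entry name="DG-old">
      <pre-rulebase>
        <security><rules>
          <entry name="allow-web"><action>allow</action></entry>
          <entry name="deny-all"><action>deny</action></entry>
        </rules></security>
        <nat><rules>
          <entry name="outbound-snat"><to><member>untrust</member></to></entry>
        </rules></nat>
      </pre-rulebase>
    </entry>
    <entry name="DG-new">
      <pre-rulebase>
        <security><rules>
          <entry name="allow-web"><action>allow</action></entry>
          <entry name="deny-all"><action>deny</action></entry>
        </rules></security>
        <nat><rules/></nat>
      </pre-rulebase>
    </entry>
  </device-group></entry></devices>
</config>"""


def rule_names(root, device_group, rulebase, kind):
    """Return the set of rule names of one kind (security/nat) in one rulebase."""
    path = (f"./devices/entry/device-group/entry[@name='{device_group}']/"
            f"{rulebase}/{kind}/rules/entry")
    return {e.get("name") for e in root.findall(path)}


def compare_device_groups(xml_text, old_dg, new_dg):
    """Report rules present in old_dg but missing from new_dg, and vice versa."""
    root = ET.fromstring(xml_text)
    report = {}
    for rulebase in ("pre-rulebase", "post-rulebase"):
        for kind in ("security", "nat"):
            old = rule_names(root, old_dg, rulebase, kind)
            new = rule_names(root, new_dg, rulebase, kind)
            report[f"{rulebase}/{kind}"] = {
                "missing_in_new": sorted(old - new),
                "extra_in_new": sorted(new - old),
            }
    return report
```

Run against the sample, the report flags `outbound-snat` as missing from the NAT pre-rulebase of `DG-new` while the security rules match. Even a clean report does not remove the id-reassignment effect described above, so the maintenance window is still needed.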