Non-interruptive Panorama device migration

L1 Bithead

Hello!

Is there any way to perform a migration of a locally configured firewall to Panorama management without service interruption?

For example:
I use Panorama 7.0.
There is a configured PA-5060 6.1.5 HA cluster that I need to migrate to centralized Panorama management.

Using this tech-note https://www.paloaltonetworks.com/documentation/70/panorama/panorama_adminguide/manage-firewalls/tran...

If I migrate the firewall according to this guide, after step 6 there will be a service interruption, because I push a device configuration bundle that removes the locally configured rules from the firewall and commit it. At this step I will have a service interruption, because the local rules are removed but the Panorama rules are not pushed yet.

Downtime will be equal to the time I'll spend performing step 7 (time for pushing buttons in the GUI + time for Panorama to commit on the device group).
Although I have an HA cluster, it is not useful here because HA devices automatically sync config between nodes.

In PAN-OS 6 the firewall transition procedure was more complex, but the Panorama Admin Guide described an HA cutover procedure that led to an in-service migration.

In PAN-OS 7 the migration process is a little different, and the cutover procedure is not explained in the guide; using the cutover procedure from PAN-OS 6 might not be appropriate in my case.

Is there a way to migrate a configured firewall to Panorama without service interruption?

L7 Applicator

Re: Non-interruptive Panorama device migration

Hi

For this type of migration, from a standalone device to a completely Panorama-controlled device, there will always be a service interruption, as you need to replace all local policies/interface config/... with the Panorama-pushed equivalent.

You are not simply replacing a policy with an identical policy; you are replacing a whole set of objects that have a specific ID on the underlying system and are tied to the session table.

Try this command to illustrate what I mean:

debug device-server dump idmgr type security-rule all

If you check the ID associated with a rule, you may notice it does not necessarily correspond with the order in which the rule appears in the policy. This is because the ID is assigned based on when it is created rather than its position in the policy.
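Since the cutover replaces the whole local rule set with the Panorama-pushed one, the thing worth checking before step 7 is that the device-group policy really is equivalent to the local rulebase, so the interruption window is not followed by a policy gap. The script below is an added example written for this thread, not code from the thread or from Palo Alto Networks. It assumes the standard PAN-OS XML layout (the vsys `rulebase/security/rules` on the firewall and the device-group `pre-rulebase/security/rules` on Panorama); the two configuration snippets, the device-group name and all rule, zone and object names are constructed for illustration.

```python
"""Pre-cutover check: does the Panorama device-group policy match the firewall's
local rulebase before the local rules are replaced?

Added example; not code from the thread or from Palo Alto Networks. The XML
paths assume the usual PAN-OS layout (vsys rulebase on the firewall,
device-group pre-rulebase on Panorama). Both snippets are constructed.
"""
import xml.etree.ElementTree as ET

# Constructed: the firewall's local security rulebase as exported XML.
LOCAL_XML = """<config>
<devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
<rulebase><security><rules>
  <entry name="allow-web">
    <from><member>trust</member></from><to><member>untrust</member></to>
    <source><member>any</member></source><destination><member>any</member></destination>
    <application><member>web-browsing</member><member>ssl</member></application>
    <service><member>application-default</member></service>
    <action>allow</action>
  </entry>
  <entry name="allow-ssh">
    <from><member>trust</member></from><to><member>dmz</member></to>
    <source><member>admin-net</member></source><destination><member>jump-host</member></destination>
    <application><member>ssh</member></application>
    <service><member>service-tcp-22</member></service>
    <action>allow</action>
  </entry>
  <entry name="deny-all">
    <from><member>any</member></from><to><member>any</member></to>
    <source><member>any</member></source><destination><member>any</member></destination>
    <application><member>any</member></application>
    <service><member>any</member></service>
    <action>deny</action>
  </entry>
</rules></security></rulebase>
</entry></vsys></entry></devices>
</config>"""

# Constructed: the same policy after import into a Panorama device group.
# allow-web lists its members in another order (still equivalent), allow-ssh
# lost its service restriction, deny-all was dropped and allow-dns was added.
PANORAMA_XML = """<config>
<devices><entry name="localhost.localdomain"><device-group><entry name="dc-firewalls">
<pre-rulebase><security><rules>
  <entry name="allow-web">
    <from><member>trust</member></from><to><member>untrust</member></to>
    <source><member>any</member></source><destination><member>any</member></destination>
    <application><member>ssl</member><member>web-browsing</member></application>
    <service><member>application-default</member></service>
    <action>allow</action>
  </entry>
  <entry name="allow-ssh">
    <from><member>trust</member></from><to><member>dmz</member></to>
    <source><member>admin-net</member></source><destination><member>jump-host</member></destination>
    <application><member>ssh</member></application>
    <service><member>any</member></service>
    <action>allow</action>
  </entry>
  <entry name="allow-dns">
    <from><member>trust</member></from><to><member>untrust</member></to>
    <source><member>any</member></source><destination><member>dns-servers</member></destination>
    <application><member>dns</member></application>
    <service><member>application-default</member></service>
    <action>allow</action>
  </entry>
</rules></security></pre-rulebase>
</entry></device-group></entry></devices>
</config>"""

LOCAL_RULES = "devices/entry/vsys/entry/rulebase/security/rules/entry"
DG_RULES = "devices/entry/device-group/entry/pre-rulebase/security/rules/entry"
FIELDS = ("from", "to", "source", "destination", "application", "service")


def rule_signature(entry):
    """Reduce one rule <entry> to its match criteria plus action; member order is ignored."""
    sig = []
    for field in FIELDS:
        node = entry.find(field)
        members = [] if node is None else [m.text.strip() for m in node.findall("member")]
        sig.append(tuple(sorted(members)))
    sig.append(entry.findtext("action", default="").strip())
    return tuple(sig)


def load_rules(xml_text, xpath):
    """Return {rule name: signature} in policy order (dicts keep insertion order)."""
    root = ET.fromstring(xml_text)
    return {e.get("name"): rule_signature(e) for e in root.iterfind(xpath)}


def compare_rulebases(local, panorama):
    """Classify what the cutover would change: rules lost, rules added, rules altered,
    and whether the shared rules keep their relative order."""
    missing = [n for n in local if n not in panorama]
    extra = [n for n in panorama if n not in local]
    changed = [n for n in local if n in panorama and local[n] != panorama[n]]
    common_local = [n for n in local if n in panorama]
    common_pan = [n for n in panorama if n in local]
    return {"missing": missing, "extra": extra, "changed": changed,
            "order_preserved": common_local == common_pan}


def check_cutover(local_xml=LOCAL_XML, panorama_xml=PANORAMA_XML):
    """Run the comparison on two exported configs (defaults: the constructed samples)."""
    return compare_rulebases(load_rules(local_xml, LOCAL_RULES),
                             load_rules(panorama_xml, DG_RULES))


if __name__ == "__main__":
    for key, value in check_cutover().items():
        print(f"{key}: {value}")
```

Run against real exports, the script would be fed the firewall's saved running config and the Panorama config; the constructed sample flags `deny-all` as missing, `allow-ssh` as changed (the service restriction was lost) and `allow-dns` as extra, while `allow-web` is correctly treated as unchanged despite its member order differing. Catching those before the bundle push keeps the unavoidable session teardown from turning into a longer outage or an unintended policy opening.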

L1 Bithead

Re: Non-interruptive Panorama device migration

Thanks for the explanation.

As I understand it, Panorama creates new rules with new IDs.

It initiates session teardown, because the original rule associated with the session is removed.

Ok.

I had this question because of the last time I did a firewall migration. Just after pushing the configuration bundle my PC suspended, and I urgently needed to find another one to log in to the GUI and commit the Panorama configuration to the device group/template.

And part of the data center was out of service for a couple of minutes.

And another question:

What if I push the configuration bundle but do not commit it, and then commit from Panorama to the device group?

Can I remove the local rules and push the rules from Panorama in one step, in the same action?

As you describe, there will still be an interruption, but it can rectify the human factor.

L1 Bithead

Re: Non-interruptive Panorama device migration

I migrated the firewall to Panorama management.

Panorama version 7.0.17

Firewall version 6.1.5

I imported the configuration,
committed on Panorama,
then performed a push & commit of the configuration bundle to the active device.

Services were not interrupted, sessions were not torn down.

In this case it worked perfectly.

But there was an issue related to the version mismatch between Panorama and the firewall.

Namely, the parameter Same System MAC Address For Active-Passive HA did not exist in PAN-OS 7, and Panorama couldn't commit the device template because this option was empty. Some manipulation with cleaning the config through the API resolved this issue.
