Scenario: When provisioning a standalone firewall with Panorama and performing a config sync to a non-Panorama-managed passive HA peer, there are no policies etc.
After exporting the XML config from the active peer, I noticed that the XML does not contain any policy rulesets and objects.
Now I wonder:
What happens if Panorama is not available and a firewall reboots?
Where are the policies stored? Do they survive a reboot when no Panorama config is available?
Is there a way to sync a Panorama-pushed config to a passive peer when creating a cluster?
As you guys know, sometimes you cannot just push the config from Panorama to the secondary passive peer, because a few dependencies get messy (DG does not work because of no zone; Template push does not work because the zone-protection log-forwarding profile is in the DG config).
Any hints are appreciated.
You won't see Panorama-pushed policies in the firewall's XML running configuration, correct. However, you will see them in the device state (you can export it from the GUI).
If the Panorama becomes unavailable and Panorama reboots, or if the firewall becomes disconnected from the Panorama, the policies will still remain, so no worries about that.