Zone rename effects on Shared Policies

Highlighted
L2 Linker

Zone rename effects on Shared Policies

After a company acquisition we have inherited about 25 firewalls which I have recently migrated to a single Panorama instance, along with shared policies and templates, and in the process of building shared policies for the entire fleet.

 

For the shared policies to work, zone names need to be consistent across about 40 odd gateways, unfortunatley there is a mix of zone names and not all the devices use the same zone for the same function (e.g. in some cases Global Protect clients terminate in the VPN zone as do L2L VPNs, I want to move the L2L VPNs to the trusted zone instead, some gateways use outside, others use untrusted etc.)

 

So I am embarking on a mass zone-rename task, which is relatively daunting considering access to some remote gateways is via SDWAN to a device behind the firewall, and renaming these zones will affect SDWAN connectivity. Those are in the hard basket I will probably use temporary VPNs to manage the transition.

 

For the simple gateways i.e. access TO the firewall is not THROUGH it, I have a direct path to the management interface. Renaming zones on these sound simple, especially when Panorama will rename the zones within policies too. This is great for the local Device Group, where policies will be updated with their respective zone names, however I have found Panorama will rename instances of the zone in use in all policies inherited by the gateway, including the Shared Policy - we have already acommodated several different zone names in the shared policy and I do not want the shared policy to be modified as it applies to many other gateways, so renaming the zone on one managed device has the potential to affect all managed devices through the shared policy change.

 

Is there any way I can avoid the change to the shared policy? Or must I preview the changes and back-out the shared policy changes that took effect when renaming the zone?

 

This should be the easy part... renaming zones on remote gateways where access to the device is through it will be a real challenge :)

L2 Linker

Re: Zone rename effects on Shared Policies

It's worse than I thought - Panorama will rename the zone in Shared Policies regardless of whether the device in question is a target for the rule.

 

What started out as a simple idea turns out to be bigger than Ben-Hur, a change of epic proportions for a truckload of PA-220's, 500's (signing my life away to commits), 850's, a couple 3220's and some VAs.

 

All to make policy management simpler.

 

There must be an easier way?

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!