I heard it's best to manage the firewalls in Panorama. I have imported the primary and secondary firewalls into Panorama. I had 1 security rule that I added directly into the firewall (not via Panorama). Any ideas why I can't see this rule from Panorama? Just trying to understand this before I start adding rules and updating the firewalls.
Thanks for any help.
Rules should be created on Panorama and pushed to the managed devices. Rules do not get pushed to Panorama from the managed devices.
Just to add to Oliver's update. If there is a policy on the device, Panorama will not know about that policy, as there is no reverse syncing of policy from device back to Panorama. Please create policies on Panorama and then push them to the device from Panorama. Hope this helps.
So let's say I have a standalone PA500 that's working and in production and then we decide to buy a Panorama server - is there a way to get the configured box into Panorama?
Please use the link below which provides you the steps to import config from PA firewall into Panorama.
Hope this helps.
One other thing that I will mention when you migrate your objects and rulebases over to Panorama. Remember to delete your objects and object groups from the main firewalls before pushing the policies from Panorama to them. The reason for this is that you will have failures pushing the policies because Panorama will attempt to push a duplicate object name to the firewall where it already exists.
It was a little annoying at first, but I soon discovered that it can be quite handy to use Panorama as the central repository for all of your objects and object groups. Where this gets handy is that if you need to create local policies on the firewall, you can use those shared objects for your local rules. In our environment we have several PA firewalls and in most cases the objects used on them are going to be similar. I can create the objects on Panorama and push the updated configuration to all of the firewalls.
One other thing to add. If you want to use Panorama to collect the logs for your firewalls you will have to implicitly specify that the rules be sent to Panorama. Initially I assumed that if I created the rules in Panorama that the logs would get sent to Panorama, but that isn't the case.
Hope this helps.
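The duplicate-object push failure described above can be checked for ahead of time. The following is an added example, not part of the thread and not Palo Alto Networks code: it compares object names in a firewall config export against a Panorama export and lists the names that exist on both sides. The XML element layout, the function names and both sample configs are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Object kinds compared; element names assume the PAN-OS XML config layout.
KINDS = ("address", "address-group", "service", "service-group")

# Constructed sample: objects defined locally on a firewall.
FIREWALL_XML = """
<config><devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
  <address>
    <entry name="web-01"><ip-netmask>10.0.0.10/32</ip-netmask></entry>
    <entry name="db-01"><ip-netmask>10.0.0.20/32</ip-netmask></entry>
  </address>
  <address-group>
    <entry name="web-servers"><static><member>web-01</member></static></entry>
  </address-group>
  <service>
    <entry name="tcp-8443"><protocol><tcp><port>8443</port></tcp></protocol></entry>
  </service>
</entry></vsys></entry></devices></config>
"""

# Constructed sample: shared objects defined on Panorama.
PANORAMA_XML = """
<config><shared>
  <address>
    <entry name="web-01"><ip-netmask>10.0.0.10/32</ip-netmask></entry>
    <entry name="mail-01"><ip-netmask>10.0.0.30/32</ip-netmask></entry>
  </address>
  <address-group>
    <entry name="web-servers"><static><member>web-01</member></static></entry>
  </address-group>
  <service>
    <entry name="tcp-8080"><protocol><tcp><port>8080</port></tcp></protocol></entry>
  </service>
</shared></config>
"""

def object_names(xml_text):
    """Map each object kind to the set of entry names defined in the config."""
    root = ET.fromstring(xml_text)
    return {kind: {entry.get("name")
                   for node in root.iter(kind)
                   for entry in node.findall("entry")}
            for kind in KINDS}

def push_collisions(firewall_xml, panorama_xml):
    """Return {kind: [names]} for objects present both locally and on Panorama."""
    local, pushed = object_names(firewall_xml), object_names(panorama_xml)
    return {k: sorted(local[k] & pushed[k]) for k in KINDS if local[k] & pushed[k]}

if __name__ == "__main__":
    for kind, names in push_collisions(FIREWALL_XML, PANORAMA_XML).items():
        print(f"{kind}: {', '.join(names)} exists locally and on Panorama")
```

Names it reports are the ones to remove from the firewall (or rename) before the first push.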