manage standalone or in panorama


I heard it's best to manage the firewalls in Panorama. I have imported the primary and secondary firewalls into Panorama... I had 1 security rule that I added directly into the firewall (not via Panorama) - any ideas why I can't see this rule from Panorama? Just trying to understand this before I start adding rules and updating the firewalls.

Thanks for any help

Sue


L3 Networker

Re: manage standalone or in panorama

Hi Sue,

Rules should be created on Panorama and pushed to the managed devices. Rules do not get pushed to Panorama from the managed devices.

Regards,

Oliver

L4 Transporter

Re: manage standalone or in panorama

Just to add to Oliver's update: if there is a policy on the device, Panorama will not know about that policy, as there is no reverse syncing of policy from the device back to Panorama. Please create policies on Panorama and then push them to the device from Panorama. Hope this helps.

Thanks


Re: manage standalone or in panorama

OK, thanks.

So let's say I have a standalone PA500 that's working and in production and then we decide to buy a Panorama server - is there a way to get the configured box into Panorama?

Sue


Re: manage standalone or in panorama

If there is a way to import a production PA firewall config into Panorama, can someone please post the steps needed to do this?

Thanks

Sue

L4 Transporter

Re: manage standalone or in panorama

Hi Sue,

Please use the link below which provides you the steps to import config from PA firewall into Panorama.

https://live.paloaltonetworks.com/docs/DOC-1742

Hope this helps.

Thanks.



Re: manage standalone or in panorama

thanks for your information

Sue


Re: manage standalone or in panorama

Sue,

One other thing that I will mention when you migrate your objects and rulebases over to Panorama.  Remember to delete your objects and object groups from the main firewalls before pushing the policies from Panorama to them.  The reason for this is that you will have failures pushing the policies because Panorama will attempt to push a duplicate object name to the firewall where it already exists.

It was a little annoying at first, but I soon discovered that it can be quite handy to use Panorama as the central repository for all of your objects and object groups.  Where this gets handy is that if you need to create local policies on the firewall, you can use those shared objects for your local rules.  In our environment we have several PA firewalls and in most cases the objects used on them are going to be similar.  I can create the objects on Panorama and push the updated configuration to all of the firewalls.

One other thing to add.  If you want to use Panorama to collect the logs for your firewalls you will have to implicitly specify that the rules be sent to Panorama.  Initially I assumed that if I created the rules in Panorama that the logs would get sent to Panorama, but that isn't the case.

Hope this helps.
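
The duplicate-name failure described in the post above can be checked for before a push by comparing object names in an exported firewall configuration against the Panorama configuration. This is an added example, not part of the original thread and not Palo Alto Networks code; the XML element paths are an assumed layout of the exported configs, and both sample configurations are constructed.

```python
import xml.etree.ElementTree as ET

# Object types compared. Paths below are an assumed layout of exported config XML.
KINDS = ("address", "address-group", "service", "service-group")
FIREWALL_SCOPES = ("shared", "devices/entry/vsys/entry")
PANORAMA_SCOPES = ("shared", "devices/entry/device-group/entry")

def object_names(config_xml, scopes):
    """Return {kind: set of object names} found under the given parent paths."""
    root = ET.fromstring(config_xml)
    found = {kind: set() for kind in KINDS}
    for scope in scopes:
        for kind in KINDS:
            for entry in root.findall(f"{scope}/{kind}/entry"):
                found[kind].add(entry.get("name"))
    return found

def name_collisions(firewall_xml, panorama_xml):
    """Names defined locally on the firewall that Panorama would also push."""
    local = object_names(firewall_xml, FIREWALL_SCOPES)
    pushed = object_names(panorama_xml, PANORAMA_SCOPES)
    return {k: sorted(local[k] & pushed[k]) for k in KINDS if local[k] & pushed[k]}

# Constructed sample: local firewall config with two addresses and one group.
FIREWALL_XML = """<config>
  <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
    <address>
      <entry name="web-srv"><ip-netmask>10.0.0.5/32</ip-netmask></entry>
      <entry name="local-only"><ip-netmask>10.0.9.9/32</ip-netmask></entry>
    </address>
    <address-group>
      <entry name="dmz-servers"><static><member>web-srv</member></static></entry>
    </address-group>
  </entry></vsys></entry></devices>
</config>"""

# Constructed sample: Panorama config with a shared address and a device-group object.
PANORAMA_XML = """<config>
  <shared>
    <address><entry name="web-srv"><ip-netmask>10.0.0.5/32</ip-netmask></entry></address>
  </shared>
  <devices><entry name="localhost.localdomain"><device-group><entry name="branch">
    <address-group>
      <entry name="dmz-servers"><static><member>web-srv</member></static></entry>
    </address-group>
  </entry></device-group></entry></devices>
</config>"""

if __name__ == "__main__":
    for kind, names in name_collisions(FIREWALL_XML, PANORAMA_XML).items():
        print(f"{kind}: {', '.join(names)}")
```
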


Re: manage standalone or in panorama

Thanks for all the information.

I have got the 2 2020's configured and in sync, so now I will import to Panorama.

Appreciate all the info

Sue
