moving firewall from one device group to another

L4 Transporter

I have one parent device group with 7 firewalls.

I have created 2 new device groups and I need to move 4 firewalls from the parent device group into these 2 new device groups, so each new device group will have 2 firewalls each.

Right now the issue is that when we push policy to 1 firewall, it goes out of sync for the remaining ones.

All these firewalls need separate policies, as they are on different networks.

How can I do this?

I do not want to create an outage.

L7 Applicator

Re: moving firewall from one device group to another

Hi @MP18

Do you have all policies configured in Panorama? If yes, then it is a logical step that the remaining firewalls will be out of sync if you only commit to one of them. But out of sync is not really a problem. It only means what it says: Panorama and the firewall are out of sync; this will not generate an outage in your network. With Panorama you have the advantage that you can prepare everything as you need it and then push the changes to each firewall until your device group move is done and every policy is where you need it.

L4 Transporter

Re: moving firewall from one device group to another

These firewalls have policies on the individual firewalls only.

The only policies that are pushed from Panorama to these firewalls are external dynamic policies, and there are only 4 of them.

L7 Applicator

Re: moving firewall from one device group to another

In this case you need to make sure that the device groups still contain all the objects that you have used locally. If the objects are in the parent device group anyway, then there shouldn't be a problem. You simply need to push the config to all firewalls and they will be in sync again.

L4 Transporter

Re: moving firewall from one device group to another

Correct me if I am wrong: I need to make sure that if the current device group has policies or objects pushed to the firewalls, then those get moved to the new device group, right?

Local config on the firewall does not come into the picture, right?

L7 Applicator

Re: moving firewall from one device group to another

Right now you have one device group and you will change it to the following, right?

- Parent device group (objects are configured here)

     - child device group 1 (4 firewalls will be attached here)

     - child device group 2 (3 firewalls will be attached here)

L4 Transporter

Re: moving firewall from one device group to another

Right now I have the parent device group:

xy  7 firewalls

I will create two new device groups:

test 1  2 firewalls

test 2  2 firewalls

Final:

xyz - parent  3 firewalls

test 1  2 firewalls

test 2  firewalls
