How to Perform a Device Config Import into Panorama

• You have a configuration on your Palo Alto Networks Firewall
• An instance of Panorama is up and running with the same version of PAN-OS (or higher)
• You have Web and CLI administrator access to both the firewall and Panorama
• The firewall has been configured to connect Panorama in Device > Setup > Management > Panorama Settings
• The firewall's serial number has been added to Panorama and a Panorama commit has been completed
• Panorama shows that the firewall is connected in Panorama > Managed Devices

• Any Panorama managing Firewalls.
• PAN-OS 8.1 and above.

1. On the Panorama, navigate to Panorama > Setup > Operations
2. Click Import device configuration to Panorama

3. Select the appropriate device and name the template and Device Group Name accordingly.

4. Click OK, then the configuration of the firewall will be imported to the Panorama

5. Commit locally to Panorama to save the new Device Group and Template created by the import
6. Push the imported configuration back to the firewall
   1. On the Panorama, navigate to Panorama > Setup > Operations
   2. Click on "Export or push device config bundle"

3. Choose either "Push & Commit" or "Export." 
4. Push & Commit. This option will overwrite any local configuration on the firewall with the firewall configuration stored on the Panorama. This will succeed where a normal commit will generate errors associated with objects and rules existing both in Panorama and the firewall.

 

 

5. Note: The above two options, ("Push & Commit" & "Export") are available only for firewalls running PAN-OS 6.0.4 and later releases

7. After this is performed, you should Push to Devices and select the options:
   • Merge with Device Candidate Config
   • Include Device and Network Templates
   • Force Template Values

For Firewalls in High Availability mode, Please refer Migrate a firewall HA pair to Panorama Management.

• If you had previously broken a firewall off from Panorama support under Device > Setup > Panorama Settings > Disable Panorama Policy and Objects/Disable Device and Network Template and were now re-importing it into the same or another Panorama, you WILL have to ensure those options are enabled again to receive the Push and Commit or Export.
• The Push and Commit would delete all local information but leaving the options to Disable Panorama's config will prevent Panorama from giving it any configuration, including management IP and default gateway (so only Console access would be possible at that time.)
• If multiple devices are being imported and then moved to one device group, they MUST be imported into their own new Device Group/Template and follow steps as mentioned above. Only once they are showing properly in their own Device Groups/Templates and have received all configuration pushed from Panorama can you place them into a single Device Group/Template, after which you must Commit locally to Panorama and then Push to Devices while selecting "Merge with Device Candidate Config", "Include Device and Network Templates", and "Force Template Values”.
• If importing a new device into Panorama via the Import Device Configuration to Panorama option, after adding it's serial number to Panorama's Managed Devices you must ensure it is NOT a part of a Device Group/Template before performing the import, as it will not show as an available device to import the configuration
• When performing the Import, ONLY the Running Config on the firewall is imported. If any changes were made and are only in the Candidate Config (not pushed to the firewall) then they will NOT be imported.