How to Perform a Device Config Import into Panorama


This article explains how to import the policies of an existing Palo Alto Networks firewall into Panorama.

Assumptions

  • You have a configuration on your Palo Alto Networks firewall.
  • An instance of Panorama is up and running with the same version of PAN-OS (or higher).
  • You have Web and CLI administrator access to both the firewall and Panorama.
  • The firewall has been configured to connect to Panorama in Device > Setup > Management > Panorama Settings.
  • The firewall's serial number has been added to Panorama and a Panorama commit has been completed.
  • Panorama shows that the firewall is connected in Panorama > Managed Devices.
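The last two assumptions (the firewall is connected in Managed Devices, and Panorama runs the same PAN-OS version or higher) can be checked before starting the import. The script below is an added example, not part of this article or of PAN-OS: it parses the output of Panorama's operational command `show devices connected` (reachable over the XML API) and reports anything that would block the import. The sample response is constructed for the example, and the element names it relies on (serial, connected, hostname, sw-version) are assumed from that command's output.

```python
"""Pre-import checks for a firewall about to be imported into Panorama.

Hypothetical helper (not from the article or PAN-OS). The checks mirror the
article's assumptions: the firewall must show as connected under
Panorama > Managed Devices, and Panorama must run the same PAN-OS version
as the firewall or a higher one.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Constructed sample, modelled on `show devices connected` XML API output.
SAMPLE_RESPONSE = """<response status="success"><result><devices>
  <entry name="0001A0000001">
    <serial>0001A0000001</serial><connected>yes</connected>
    <hostname>edge-fw-1</hostname><sw-version>9.1.3</sw-version>
  </entry>
  <entry name="0001A0000002">
    <serial>0001A0000002</serial><connected>no</connected>
    <hostname>edge-fw-2</hostname><sw-version>10.0.4-h2</sw-version>
  </entry>
</devices></result></response>"""


def parse_connected_devices(xml_text):
    """Return {serial: {"connected": bool, "hostname": str, "version": str}}."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise ValueError("Panorama returned status %r" % root.get("status"))
    devices = {}
    for entry in root.iterfind("./result/devices/entry"):
        serial = entry.findtext("serial") or entry.get("name")
        devices[serial] = {
            "connected": (entry.findtext("connected") or "").lower() == "yes",
            "hostname": entry.findtext("hostname") or "",
            "version": entry.findtext("sw-version") or "",
        }
    return devices


def version_tuple(version):
    """'10.0.4-h2' -> (10, 0, 4): compare major.minor.maintenance only,
    ignoring hotfix suffixes."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError("unrecognised PAN-OS version: %r" % version)
    return tuple(int(x) for x in m.groups())


def import_preconditions(devices, serial, panorama_version):
    """Return the reasons the import should not proceed (empty list = OK)."""
    problems = []
    dev = devices.get(serial)
    if dev is None:
        problems.append("serial %s is not in Panorama's managed devices" % serial)
        return problems
    if not dev["connected"]:
        problems.append("%s (%s) is not connected to Panorama"
                        % (serial, dev["hostname"]))
    if version_tuple(dev["version"]) > version_tuple(panorama_version):
        problems.append("firewall runs PAN-OS %s, newer than Panorama %s"
                        % (dev["version"], panorama_version))
    return problems


def build_api_url(panorama_host, api_key):
    """URL that fetches `show devices connected` over the XML API.
    Built but never called here, so the example runs offline."""
    params = {"type": "op",
              "cmd": "<show><devices><connected/></devices></show>",
              "key": api_key}
    return "https://%s/api/?%s" % (panorama_host, urlencode(params))


if __name__ == "__main__":
    devs = parse_connected_devices(SAMPLE_RESPONSE)
    for s in devs:
        print(s, import_preconditions(devs, s, "10.0.0") or "ready to import")
```

In real use, fetch the XML from `build_api_url(...)` with an API key for a read-only Panorama admin and pass the response body to `parse_connected_devices`; a non-empty list from `import_preconditions` means the device will either not appear in the import dialog or will fail the version requirement.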

Steps

  1. On Panorama, navigate to Panorama > Setup > Operations.
  2. Click "Import device configuration to Panorama."
  3. Select the appropriate device and name the Template and Device Group accordingly.
    For each virtual system (vsys) on the firewall, Panorama automatically creates a device group to contain the policy and object configurations.
  4. Once you click "OK", the firewall's configuration is imported into Panorama.

  5. Commit locally to Panorama to save the new Device Group and Template created by the import.
  6. Push the imported configuration back to the firewall:

    1. On Panorama, navigate to Panorama > Setup > Operations.
    2. Click "Export or push device config bundle".
    3. Choose either "Push & Commit" or "Export".
    4. Push & Commit: this option overwrites any local configuration on the firewall with the firewall configuration stored on Panorama. It succeeds where a normal commit would generate errors about objects and rules that exist both in Panorama and on the firewall. When you choose "Push & Commit", a job is triggered on Panorama and its Job Status details are displayed.

      Export: this option exports the configuration to the firewall but does not load it. Load the configuration manually from the firewall CLI by running the command "load device-state", then commit it. When you choose "Export", a job is triggered on Panorama and its details are displayed.
    5. Note: the above two options ("Push & Commit" and "Export") are available only for firewalls running PAN-OS 6.0.4 and later releases.
  7. After this is performed, Push to Devices and select the options "Merge with Device Candidate Config", "Include Device and Network Templates", and "Force Template Values".

Caveats and important notes:

- If you had previously broken a firewall off from Panorama management under Device > Setup > Panorama Settings > Disable Panorama Policy and Objects / Disable Device and Network Template, and are now re-importing it into the same or another Panorama, you WILL have to ensure those options are enabled again before the firewall can receive the Push & Commit or Export.

  The Push & Commit deletes all local configuration, but leaving the options to disable Panorama's config in place prevents Panorama from giving the firewall any configuration, including its management IP and default gateway (so only console access would be possible at that point).

- If multiple devices are being imported and then moved into one device group, they MUST first be imported into their own new Device Group/Template and follow the steps above. Only once they show properly in their own Device Groups/Templates and have received all configuration pushed from Panorama can you place them into a single Device Group/Template, after which you must Commit locally to Panorama and then Push to Devices while selecting "Merge with Device Candidate Config", "Include Device and Network Templates", and "Force Template Values".

- If importing a new device into Panorama via the "Import device configuration to Panorama" option, after adding its serial number to Panorama's Managed Devices you must ensure it is NOT part of a Device Group/Template before performing the import; otherwise it will not show as an available device to import the configuration from.

- When performing the Import, ONLY the Running Config on the firewall is imported. Any changes that exist only in the Candidate Config (not yet committed on the firewall) will NOT be imported.

Comments

It did not work without committing to Panorama after the import on step 4. 

Hi,

Thank you for this article, however we need to get full clarity on the Push & Commit action.

This option will remove any local configuration on the firewall and push the firewall configuration stored on the Panorama.

However, I have a few cases with a PA-3020 where the push and commit is successful but removes all policy rules and objects from the FW!

Pierrick

A fundamental prerequisite step is missing, which consists of always making sure that Panorama Policy and Objects and Panorama Device and Network Templates are enabled on the firewall itself before pushing back the device config bundle from Panorama.

Pierrick

Hi plevesque,

That's true... but that would mean you disabled it manually first, because by default the option is enabled and should not pose a problem.

I ran into the same issue as mentioned above, where the push and commit was successful, but I was left with an empty set of security policies on the firewall. Is it known what causes this to happen, and is there any way to avoid it? Is it recommended to use the export method instead because of this?

Is there any solution to this? Seems like pulling in already configured firewalls to Panorama after the fact is not possible without wiping the local config on a push to the newly added device.

If this truly is the case, then this is a horrible solution to promote central administration.