How to Perform a Device Config Import into Panorama

by achalla on ‎01-19-2016 10:50 AM - edited on ‎11-09-2016 07:39 AM by (17,591 Views)

This article describes how to import the policies of an existing Palo Alto Networks firewall into Panorama.


Assumptions

  • You have a configuration on your Palo Alto Networks firewall.
  • An instance of Panorama is up and running on the same PAN-OS version as the firewall (or a higher one).
  • You have Web and CLI administrator access to both the firewall and Panorama.

Steps

  1. On Panorama, navigate to Panorama > Setup > Operations.
  2. Click "Import device configuration to Panorama." [Screenshot: 1.png]
  3. Select the appropriate device and name the Template and the Device Group accordingly.
     For each virtual system (vsys) on the firewall, Panorama automatically creates a device group to hold that vsys's policy and object configuration. [Screenshot: 2.png]
  4. Once you click "OK", the firewall's configuration is imported into Panorama.

     [Screenshot: 3.png]

     WARNING: Any rule already on Panorama that has the same name as an imported rule must be deleted before the import. If rule names are not unique, the commit on Panorama will fail.

  5. After the import, the Device Group and Template appear out of sync.

     [Screenshot: 4.png]

  6. Push a configuration from Panorama to the firewall to bring Panorama and the firewall into sync.

     This can be done either with "Push & Commit" or with "Export."

To export the configuration from Panorama back to the firewall:

  1. On Panorama, navigate to Panorama > Setup > Operations.
  2. Click "Export or push device config bundle." [Screenshot: 1.png]
  3. Choose either "Push & Commit" or "Export." [Screenshot: 5.png]
  4. Push & Commit: this option removes any local configuration on the firewall and pushes the firewall configuration stored on Panorama. When you choose "Push & Commit", a job is triggered on Panorama and its Job Status details are shown as below:
     [Screenshot: 6.png]
     Export: this option exports the configuration to the firewall but does not load it. Load it manually from the firewall CLI by running the command "load device-state", then commit the configuration. When you choose "Export", a job is triggered on Panorama and its details are shown as below:
     [Screenshot: 7.png]

Note: The above two options ("Push & Commit" and "Export") are available only for firewalls running PAN-OS 6.0.4 and later releases.
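Two of the pitfalls on this page, the commit failure caused by duplicate rule names (the WARNING under step 4) and the empty security rulebase that commenters report after a "Push & Commit", can both be caught with an offline check of exported configuration XML before and after the procedure. The script below is an added example, not part of the original article or of any Palo Alto Networks tool; the element paths it searches (vsys rulebase on the firewall, device-group pre-/post-rulebase on Panorama) and the two sample configs are assumptions constructed for the example and should be verified against your own exported files.

```python
"""Pre-import and post-push sanity checks for a Panorama device config import.

Added example, not part of the original article. It parses saved PAN-OS
configuration XML (for example the files produced by exporting the running
configuration on the firewall and on Panorama) using only the standard
library. The element paths below are assumptions about the PAN-OS config
layout; verify them against your own exported files.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: a firewall config with two vsys and three security rules.
FIREWALL_XML = """
<config>
  <devices><entry name="localhost.localdomain">
    <vsys>
      <entry name="vsys1"><rulebase><security><rules>
        <entry name="allow-web"/>
        <entry name="deny-all"/>
      </rules></security></rulebase></entry>
      <entry name="vsys2"><rulebase><security><rules>
        <entry name="allow-dns"/>
      </rules></security></rulebase></entry>
    </vsys>
  </entry></devices>
</config>
"""

# Constructed sample: Panorama already has a device group whose pre-rulebase
# contains a rule named "deny-all", which clashes with the firewall's rule.
PANORAMA_XML = """
<config>
  <devices><entry name="localhost.localdomain">
    <device-group>
      <entry name="branch-dg"><pre-rulebase><security><rules>
        <entry name="deny-all"/>
        <entry name="block-bad-ips"/>
      </rules></security></pre-rulebase></entry>
    </device-group>
  </entry></devices>
</config>
"""


def firewall_rules(config_xml):
    """Return {vsys_name: [rule names]} for the security rulebase of each vsys."""
    root = ET.fromstring(config_xml)
    rules = {}
    for vsys in root.findall("./devices/entry/vsys/entry"):
        names = [e.get("name") for e in vsys.findall("./rulebase/security/rules/entry")]
        rules[vsys.get("name")] = names
    return rules


def panorama_rules(config_xml):
    """Return {device_group: [rule names]} across pre- and post-rulebases."""
    root = ET.fromstring(config_xml)
    rules = {}
    for dg in root.findall("./devices/entry/device-group/entry"):
        names = []
        for base in ("pre-rulebase", "post-rulebase"):
            names += [e.get("name") for e in dg.findall(f"./{base}/security/rules/entry")]
        rules[dg.get("name")] = names
    return rules


def rule_name_collisions(firewall_xml, panorama_xml):
    """Map each rule name present on both sides to the device groups holding it.

    The article warns that non-unique rule names make the Panorama commit fail,
    so these are the rules to rename or delete before running the import.
    """
    fw_names = {n for names in firewall_rules(firewall_xml).values() for n in names}
    hits = defaultdict(list)
    for dg, names in panorama_rules(panorama_xml).items():
        for n in names:
            if n in fw_names:
                hits[n].append(dg)
    return dict(hits)


def policy_intact_after_push(before_xml, after_xml):
    """True if every vsys still has at least as many security rules after a push.

    Guards against the failure mode described in the comments, where a
    successful Push & Commit leaves the firewall with an empty rulebase.
    """
    before = firewall_rules(before_xml)
    after = firewall_rules(after_xml)
    return all(len(after.get(v, [])) >= len(rules) for v, rules in before.items())


if __name__ == "__main__":
    print("collisions:", rule_name_collisions(FIREWALL_XML, PANORAMA_XML))
    # Simulate a post-push config whose vsys1 rulebase was wiped.
    wiped = FIREWALL_XML.replace('<entry name="allow-web"/>', "").replace('<entry name="deny-all"/>', "")
    print("policy intact after push:", policy_intact_after_push(FIREWALL_XML, wiped))
```

Run the collision check against exports taken before step 2 of the import, and the rule-count check against a firewall export taken before and after the push; a drop in rule count is the signal to investigate the Panorama settings on the firewall rather than to commit further.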

Comments
by rbista
on ‎03-18-2016 11:21 AM

It did not work without committing to Panorama after the import on step 4. 

by plevesque
on ‎08-15-2016 04:37 AM

Hi,

Thank you for this article; however, we need to get full clarity on the Push & Commit action.

This option will remove any local configuration on the firewall and push the firewall configuration stored on the Panorama.

However, I have a few cases with a PA3020 where the push and commit is successful but removes all policy rules and objects from the FW!

Pierrick

by plevesque
on ‎08-24-2016 04:02 AM

A fundamental prerequisite step is missing, which consists of always making sure that Panorama Policy and Objects and Panorama Device and Network Templates are enabled on the firewall itself before pushing back the device config bundle from Panorama.

[Screenshot: panoramaconfigPNG.PNG]

Pierrick

by
on ‎10-19-2016 05:03 AM

Hi plevesque,

That's true ... but that would mean you disabled it manually first, because by default the option is enabled and should not pose a problem.

by cgoods
on ‎11-16-2016 05:51 PM

I ran into the same issue as mentioned above, where the push and commit was successful, but I was left with an empty set of security policies on the firewall. Is it known what causes this to happen, and is there any way to avoid it? Is it recommended to use the export method instead because of this?

by s.williams1
2 weeks ago

Is there any solution to this? It seems that pulling already-configured firewalls into Panorama after the fact is not possible without wiping the local config on a push to the newly added device.

If this truly is the case, then this is a horrible solution to promote central administration.
