How to Perform a Device Config Import into Panorama

by achalla on ‎01-19-2016 10:50 AM - edited on ‎06-19-2017 08:57 AM by jjosephs (20,302 Views)

This article can assist you in importing the policies of an existing Palo Alto Networks firewall into Panorama.

 

Assumptions

  • You have a configuration on your Palo Alto Networks firewall.
  • An instance of Panorama is up and running with the same version of PAN-OS (or higher).
  • You have Web and CLI administrator access to both the firewall and Panorama.
  • The firewall has been configured to connect to Panorama in Device > Setup > Management > Panorama Settings.
  • The firewall's serial number has been added to Panorama and a Panorama commit has been completed.
  • Panorama shows that the firewall is connected in Panorama > Managed Devices.

Steps

  1. On the Panorama, navigate to Panorama > Setup > Operations
  2. Click "Import device configuration to Panorama."
  3. Select the appropriate device and name the template and the device group accordingly.
    For each virtual system (vsys) on the firewall, Panorama automatically creates a device group to contain that vsys's policy and object configuration.
  4. Once you click "OK", the firewall's configuration is imported into Panorama.

  5. Push the imported configuration back to the firewall:
    1. On the Panorama, navigate to Panorama > Setup > Operations.
    2. Click "Export or push device config bundle."
    3. Choose either "Push & Commit" or "Export."

    Push & Commit: This option overwrites any local configuration on the firewall with the firewall configuration stored on Panorama. It succeeds where a normal commit would generate errors about objects and rules that exist both in Panorama and on the firewall. When you choose "Push & Commit" you will see a job triggered on Panorama, and its progress is shown in the Job Status details.

    Export: This option exports the configuration to the firewall but does not load it. Load the configuration manually from the firewall CLI by running the command "load device-state," then commit the configuration. When you choose "Export" you will see a job triggered on Panorama, and its progress is shown in the Job Status details.

Note: The above two options, ("Push & Commit" & "Export") are available only for firewalls running PAN-OS 6.0.4 and later releases.
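The following is an added example of the firewall-side CLI session for the "Export" path described in step 5; it is not part of the original article. `FW-HOSTNAME` is a placeholder for the firewall's hostname. The two `show` commands are verification steps added here beyond the article's procedure: the first confirms the firewall is connected to Panorama before anything is loaded, and the second confirms that the shared policy pushed from Panorama is actually present afterwards (the exact output format depends on the PAN-OS release).

```text
admin@FW-HOSTNAME> show panorama-status
admin@FW-HOSTNAME> configure
admin@FW-HOSTNAME# load device-state
admin@FW-HOSTNAME# commit
admin@FW-HOSTNAME# exit
admin@FW-HOSTNAME> show config pushed-shared-policy
```

Run `show panorama-status` in operational mode and look for the Panorama connection reported as connected; `load device-state` only works from configuration mode (`configure`), and the loaded state takes effect only after `commit`. Checking `show config pushed-shared-policy` (and, if the rulebase looks empty, the local `show running-config` as well) before declaring the migration done catches the situation several commenters below report, where the push completed successfully but the firewall ended up with no security policy.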

Comments
by rbista
on ‎03-18-2016 11:21 AM

It did not work without committing to Panorama after the import on step 4. 

by plevesque
on ‎08-15-2016 04:37 AM

Hi,

Thank you for this article, however we need to get full clarity on the Push & Commit action. 

 

This option will remove any local configuration on the firewall and push the firewall configuration stored on the Panorama.

 

However, I have had a few cases with a PA3020 where the push and commit is successful but removes all policy rules and objects from the FW!

 

Pierrick

by plevesque
on ‎08-24-2016 04:02 AM

A fundamental prerequisite step is missing, which consists of always making sure that the Panorama policy and objects and the Panorama device and network templates are enabled on the firewall itself before pushing the device config bundle back from Panorama.


Pierrick

 

by
on ‎10-19-2016 05:03 AM

Hi plevesque,

 

That's true ... but that would mean you disabled it manually first, because by default the option is enabled and should not pose a problem.

by cgoods
on ‎11-16-2016 05:51 PM

I ran into the same issue as mentioned above, where the push and commit was successful, but I was left with an empty set of security policies on the firewall. Is it known what causes this to happen, and is there any way to avoid it? Is it recommended to use the export method instead because of this?

by s.williams1
on ‎10-09-2017 04:25 AM

Is there any solution to this? It seems like pulling already configured firewalls into Panorama after the fact is not possible without wiping the local config on a push to the newly added device.

 

If this truly is the case, then this is a horrible solution to promote central administration.
