Nominated Discussion: Move Firewall to New Panorama

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Community Team Member
No ratings

This Nominated Discussion Article is based on the post "Move Firewall to New Panorama " by @securehops  and answered by Cyber Elite @TomYoung.

 

 

Hi All,


We currently have 2 Panoramas (virtual) managing different firewalls..  We'd like to move all firewalls to 1 pano, so we can retire the other one.   What's the best/safest way to accomplish that?  Is there a way to avoid having duplicate objects while migrating or would it be a cleanup effort after the fact.   It's a mix of standalone firewalls and HA (active/passive) firewalls.   These are all in production, so concerned about downtime.

 

I know there is a process to import standalone firewalls into panorama, but these firewalls are already managed by pano.

Response: 

 

Thank you for the excellent info.  Let me answer your 2 questions 1st:

 

  1. You do not have to move all of the config locally.  You can import the device configuration (including Shared) and templates into the new Panorama using "load config partial mode merge".  This would be preferred because moving all the config locally can make it difficult to move partial Network and Device configuration to Panorama.
  2. It can definitely be phased over 1 NGFW at a time.  If you are using template variables, make sure you manually configure those after the NGFWs are moved to Panorama.

Expedition makes some things easier, but it does take time to install and learn.  Unless you have a LOT of objects, I probably would not.  Instead, I would do the following:

 

  1. As much as possible, I would change the object names on the old to match the new.  Definitely have Automated Commit Recovery enabled before you do this.  Make sure the device group and template names are different!
  2. Rename your zones on the old Panorama to match the new.  This is tricky.  After the rename, create the old zones again in the templates so that the push does not fail on the managed device.  After the push is successful, delete the old zones.
  3. Rename your shared objects before the migration.  It will be easier to standardize the names before the migration because you can just rename and not have to swap objects inside the policies.  Otherwise, Expedition makes the rename/swap easier.
  4. When you migrate a NGFW, aim for a like-for-like configuration.  Don't adjust the templates or device groups on the new Panorama until all the devices are moved.

Thanks,

 

Tom

Rate this article:
Comments
Cyber Elite
Cyber Elite

Thanks @JayGolf !

 

Check out the post in the link above or below.  @securehops has posted 5 "load config partial" commands that we used!

 

https://live.paloaltonetworks.com/t5/general-topics/move-firewall-to-new-panorama/m-p/539747

 

Thanks,

 

Tom

  • 1776 Views
  • 1 comments
  • 2 Likes
Register or Sign-in
Contributors
Labels
Article Dashboard
Version history
Last Updated:
‎12-26-2023 09:06 AM
Updated by: