Optimizing Firewall Onboarding to Panorama: Key Points for Migrated Configurations


Introduction

This document outlines key points for efficiently managing firewalls with large migrated configurations and optimizing these rule sets for a smooth onboarding process.

Potential Issues Arising from Large Migrated Configurations

When firewall configurations are migrated from other security vendors to PAN-OS, they are very likely to be large and unoptimized. This can lead to multiple issues in the long run, especially once they are onboarded as managed firewalls on Panorama. These issues include, but are not limited to:

  • Configuration Management Challenges: Complex and bloated configurations are harder to manage, troubleshoot, and update.
  • Increased Risk of Errors: The larger the configuration, the higher the chance of introducing errors during migration or subsequent changes.
  • Compliance and Audit Difficulties: Maintaining compliance and passing audits can be more challenging with large, unoptimized configurations.

Unoptimized and unorganized configuration leads to inefficient use of resources on Panorama and defeats the purpose of efficient centralized management.

Key Points to Consider While Importing Large Migrated Configurations

Before Onboarding

  • Leverage the Device Group hierarchy and the Template Stack layering capabilities to define a consistent security posture across all the firewalls that will be managed using Panorama.
  • Device Groups and Templates can be empty to begin with and can be populated progressively as onboarding proceeds.
  • This enables the sharing of common configuration across multiple firewalls once they have been onboarded.

During Onboarding

For firewalls with configurations that exceed Panorama's capacity, temporary local management is still an option. These firewalls can be onboarded into Panorama without associating them with a device group or template stack. This allows for continued local management of the security configuration directly on the firewall using Panorama's Context Switch feature. While the security policy is managed locally, Panorama can still be leveraged for orchestrating other device management functions, including software and content updates, centralized logging, reporting and device health monitoring.

The configuration can be imported into Panorama at a later date.

After Onboarding

Local Configuration Cleanup

  • Leverage Policy Optimizer to identify unused and shadow rules and draw up a plan to phase them out.
    • Policies are the biggest contributors to configuration size, and optimizing them also improves the security posture. For example, 1000 policies ~= 2MB.
  • Leverage AIOps and Config Cleanup on Strata Cloud Manager to identify unused objects and zero-hit objects and policies for configuration optimization.
    • This requires an SCM Pro license and logging to SLS.
  • Identify and remove redundant pieces of configuration.
    • Excessively long descriptions: Expedition is known to add long descriptions during configuration migrations, which add to the configuration size. Remember, 1 character = 1 byte, so 1000 characters per object for 30000 objects becomes 30MB.
    • Static route summarization: Static routes defined in the Virtual Router configuration can sometimes run into the hundreds. They can sometimes be summarized to reduce redundant routes.
    • Review and merge similar rules: The number of rules can sometimes be reduced by merging them. For example, there could be hundreds of rules with the same destination IP and port but different sources. Merging all these sources into a single rule reduces the configuration size.
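As an added illustration of the last two cleanup items (this is not code from the original article or from Palo Alto Networks), the script below parses a constructed rulebase in the shape of a PAN-OS XML security policy export, flags rules that differ only in their source (merge candidates) and totals the bytes spent on descriptions. The rule names, zones, addresses and description text are all constructed.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the shape of a PAN-OS security rulebase export; names and
# addresses are invented. Only "web-a" and "web-b" differ solely in their source.
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
<rulebase><security><rules>
<entry name="web-a"><from><member>trust</member></from><to><member>dmz</member></to>
<source><member>10.1.0.0/24</member></source><destination><member>192.0.2.10</member></destination>
<service><member>service-https</member></service><application><member>any</member></application>
<action>allow</action><description>Migrated by tool: web access for site A, ticket 1234, legacy line 5011</description></entry>
<entry name="web-b"><from><member>trust</member></from><to><member>dmz</member></to>
<source><member>10.2.0.0/24</member></source><destination><member>192.0.2.10</member></destination>
<service><member>service-https</member></service><application><member>any</member></application>
<action>allow</action><description>Migrated by tool: web access for site B</description></entry>
<entry name="dns-out"><from><member>trust</member></from><to><member>untrust</member></to>
<source><member>any</member></source><destination><member>any</member></destination>
<service><member>service-dns</member></service><application><member>dns</member></application>
<action>allow</action></entry>
</rules></security></rulebase></entry></vsys></entry></devices></config>"""

def load_rules(xml_text):
    """Return the security rule <entry> elements from a PAN-OS style config."""
    return ET.fromstring(xml_text).findall(".//rulebase/security/rules/entry")

def members(rule, tag):
    """Sorted tuple of <member> values under a rule field, so member order does not matter."""
    return tuple(sorted(m.text or "" for m in rule.findall(f"{tag}/member")))

def merge_candidates(xml_text):
    """Group rules that match on zones, destination, service, application and action
    and differ only in source; each group is a candidate for one merged rule."""
    groups = defaultdict(list)
    for rule in load_rules(xml_text):
        key = (members(rule, "from"), members(rule, "to"), members(rule, "destination"),
               members(rule, "service"), members(rule, "application"), rule.findtext("action"))
        groups[key].append(rule.get("name"))
    return [names for names in groups.values() if len(names) > 1]

def description_bytes(xml_text):
    """Bytes spent on rule descriptions, measured as UTF-8 length: non-ASCII text
    costs more than the 1 character = 1 byte rule of thumb used in the article."""
    return sum(len((r.findtext("description") or "").encode("utf-8")) for r in load_rules(xml_text))

if __name__ == "__main__":
    for group in merge_candidates(SAMPLE_CONFIG):
        print("merge candidates (differ only in source):", group)
    print("bytes spent on descriptions:", description_bytes(SAMPLE_CONFIG))
```

Run it against a real `running-config.xml` export by replacing SAMPLE_CONFIG with the file contents; a merge candidate group is only a starting point, and each proposed merge still needs a review of rule ordering before it is applied.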

Identify Common Configuration

  • Identify Shareable Configurations: As you work on your security configuration, identify configuration sets (especially Policies and Objects) that can be applied to multiple firewalls.
  • Move Configurations to Panorama: Transfer these common configurations to the appropriate Device Groups and Templates on the Panorama management platform.
  • Remove Local Configurations: Delete these configurations from the individual firewalls where they were originally stored.
  • Associate Firewalls with Panorama: Connect the firewalls to the relevant Device Groups and Template Stacks on Panorama to inherit the shared configurations.

Conclusion

By implementing these key points, organizations can effectively onboard and manage firewalls with large, migrated configurations on Panorama. This will lead to improved network performance, reduced management complexity, and enhanced security posture. Remember that regular maintenance and optimization of firewall configurations are crucial for maintaining a robust and agile network defense.

Last Updated: 02-27-2025 09:12 PM