This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Adding a sub-interface to an exsiting Security Zone

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Adding a sub-interface to an exsiting Security Zone

Go to solution
vvadia
L1 Bithead

‎11-10-2018 04:32 AM

Hi,

 

I have a Palo Alto with existing security zones managed via Panorama. I need to add an existing sub-interface to an existing security zone which has been done on Panorama and committed. However, after logging into the firewall node directly the sub-interface does not show it has been assigned to the security zone.

 

Are templates only used to make firewall nodes aware of zones and assigning interfaces, sub-interfaces to zones has to be done locally on the firewalls?

 

I've been unable to find any clear documentation on this.

0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
Remo
L7 Applicator
In response to vvadia

‎11-10-2018 05:53 AM

Hi @vvadia

 

Yes, you can change the zone locally and do a commit. And take the time afterwards to bring the config manually in sync so that you will be able to do the changes again on panorama.

View solution in original post

6 REPLIES 6

Go to solution
Remo
L7 Applicator

‎11-10-2018 04:39 AM

Hi @vvadia

 

Local on the firewall, is there only a green or a green and orange gear showing at the interface that you want to change?

0 Likes Likes

Go to solution
vvadia
L1 Bithead
In response to Remo

‎11-10-2018 04:53 AM

Hi @Remo When I log into the firewall locally, I can see there are green & orange gears in "Interfaces" and in "zones" sections. Kind Regards,
0 Likes Likes

Go to solution
Remo
L7 Applicator
In response to vvadia

‎11-10-2018 05:18 AM

This means the config was changed locally. You need to remove the local config override to bring it again in sync with the panorama config. Then you will be able to configure and also push changes to the firewall from panorama.

0 Likes Likes

Go to solution
vvadia
L1 Bithead
In response to Remo

‎11-10-2018 05:36 AM

Hi @vsys_remo

 

Thanks for the explanation, I guess at some point someone else has changed something locally. It does seem that adding IP objects to groups is not impacted by this as I can see that has been updated locally on the firewall, only assigning a zone to an interface is impacted.

 

For now, reading up on this, there is an element of risk to this, I don't want to be in a situation where I lose the configuration on the firewall. Strategically this does need to get fixed.

 

However, for a tactical solution I need to get working asap, would it be ok to manually assign the sub-interface to a zone? Does this only require a save or a local commit as well?

 

0 Likes Likes

Go to solution
vvadia
L1 Bithead
In response to vvadia

‎11-10-2018 05:44 AM

Actually looking at all the interfaces and sub-interfaces they all have a green/orange cog :s

 

 

0 Likes Likes

Go to solution
Remo
L7 Applicator
In response to vvadia

‎11-10-2018 05:53 AM

Hi @vvadia

 

Yes, you can change the zone locally and do a commit. And take the time afterwards to bring the config manually in sync so that you will be able to do the changes again on panorama.

  • 1 accepted solution
  • 6234 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks