I have a Palo Alto with existing security zones managed via Panorama. I need to add an existing sub-interface to an existing security zone, which has been done on Panorama and committed. However, after logging into the firewall node directly, the sub-interface does not show that it has been assigned to the security zone.
Are templates only used to make firewall nodes aware of zones, and does assigning interfaces and sub-interfaces to zones have to be done locally on the firewalls?
I've been unable to find any clear documentation on this.
Thanks for the explanation. I guess at some point someone else has changed something locally. It does seem that adding IP objects to groups is not impacted by this, as I can see that has been updated locally on the firewall; only assigning a zone to an interface is impacted.
For now, reading up on this, there is an element of risk to this; I don't want to be in a situation where I lose the configuration on the firewall. Strategically, this does need to get fixed.
However, for a tactical solution I need to get working ASAP, would it be OK to manually assign the sub-interface to a zone? Does this only require a save, or a local commit as well?