Can Panorama managed devices be configured via the CLI?

darren.g
L4 Transporter


Hey folks.

 

I'm adding a Panorama server into my infrastructure to enable zero touch SDWAN provisioning, and since I've never done Panorama before, I've got a question.

 

Can Panorama managed devices be configured via the CLI?

 

The reason I ask this is that I do a fair bit of work with AWS and VPCs - and configuring a new VPC into AWS is mostly done via a script that AWS provides which you modify to suit your environment and cut and paste into your firewall via CLI to configure the IPSec tunnels and routing involved.

 

I *could* go through the script and add the required sections via the GUI - but doing it via CLI is so much easier.

 

So once I add my firewalls into Panorama, does anyone know if I can still do the configuration via CLI? Or will I be forced to transpose everything into the GUI and push it to the firewalls that way?

 

Thanks for any insight


Accepted Solutions
SteveCantwell
Cyber Elite

Good Day

 

For the most part... 99% of what you can do in the GUI can be done in the CLI.

That being said... it is much easier to use the GUI, especially when this product is designed to create "snippets" or templates, as they are called in Panorama. These templates are whatever configuration (limited to Network and Device tabs on FWs). So think about login banner, domain name, dynamic update scheduling, authentication servers, interface management profiles, etc.

 

In addition, the Panorama also is used for Device Groups (Policy and Object tabs in FWs), so think in terms of shared best practice policies, shared objects, shared content ID profiles, etc.

 

So yes, it is all possible to do via the command line or API commands if you like.

 

Thanks for the question.  Anything else?

darren.g
L4 Transporter

Wow, sorry for the late reply to this - it seems I either missed the notification of your reply, or it didn't get sent.

 

Thanks for that - so it seems if I have to do the text based configurations, I can - but will the firewall sync this back to Panorama once it's done?

 

Can you point me to a Panorama adoption or getting started guide? I've built the server, but I haven't yet imported into it - mainly because I've been too busy, but also because I'm wary of breaking things.

 

Thanks for your reply!

SteveCantwell
Cyber Elite

Darren

 

Thanks for returning to us!  We missed you.

 

I wanted to clarify my statement, that when a device is under Panorama control, the configuration items I was discussing were ON the Panorama, and then you push your changes to the FW. The FW does not sync its changes to the Panorama, but the other way around... it syncs changes FROM the Panorama.

 

As for the link.. here it is.. 

https://docs.paloaltonetworks.com/panorama/10-0/panorama-admin/set-up-panorama.html

 

Have a great day.

AlexanderAstardzhiev
L4 Transporter

Hi @darren.g 

 

You can still configure a firewall that is managed by Panorama, but the config you apply stays local. It will not sync with Panorama.

In addition, when you put Panorama into the equation you need to start imagining the firewall configuration as two separate parts:

- rules, objects and anything related to policies (Policy and Objects tabs in the FW GUI)

- network and device config (Network and Device tabs in the FW GUI)

 

Config under network and device can have only one value, so if you configure something via Panorama, you can override it locally.

Config under policy and object can have many values, so any rule created locally will mix with the rules received from Panorama. But as you can imagine, you cannot have two objects or rules with the same name, so if you try to configure something locally that is already pushed by Panorama, the commit will fail.
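
The split described in the reply above can be checked before a CLI script is pasted into a Panorama-managed firewall. The following is an added example, not part of the original thread and not Palo Alto Networks tooling: it sorts `set` lines into network/device values (which stay local and are not synced back) and policy/object entries, and flags names that collide with entries already pushed from Panorama. The path map, the sample script and the pushed-name list are constructed assumptions.

```python
import shlex

# Assumption: simplified map of PAN-OS set-format paths to the two config
# halves described in the thread; extend it for your own scripts.
TEMPLATE_ROOTS = {"network", "deviceconfig"}  # Network / Device tabs
NAMED_PATHS = {  # Policies / Objects tabs: path prefix -> kind of named entry
    ("address",): "address",
    ("rulebase", "security", "rules"): "security-rule",
}

# Constructed sample input, in the style of a pasted VPN setup script.
SAMPLE_SCRIPT = """\
set network ike crypto-profiles ike-crypto-profiles vpn-example-0 dh-group group2
set network interface tunnel units tunnel.1 ip 169.254.10.2/30
set address aws-vpc-cidr ip-netmask 10.50.0.0/16
set rulebase security rules allow-aws from trust
set rulebase security rules allow-aws action allow
"""
# Constructed: names this firewall already received from Panorama.
PUSHED = {"address": {"aws-vpc-cidr"}, "security-rule": {"block-bad-ips"}}

def classify(line):
    """Return (scope, kind, name) for a 'set ...' line, else None."""
    tokens = shlex.split(line)
    if len(tokens) < 2 or tokens[0] != "set":
        return None
    path = tokens[1:]
    if path[0] in TEMPLATE_ROOTS:
        return ("template", path[0], None)
    for prefix, kind in NAMED_PATHS.items():
        if tuple(path[:len(prefix)]) == prefix and len(path) > len(prefix):
            return ("device-group", kind, path[len(prefix)])
    return ("unknown", path[0], None)

def precheck(script, pushed):
    """Sort a CLI script into local overrides, merges and name collisions."""
    report = {"overrides": [], "merged": [], "collisions": [], "unknown": []}
    for line in script.splitlines():
        hit = classify(line)
        if hit is None:
            continue
        scope, kind, name = hit
        if scope != "device-group":  # single-value config: local, not synced back
            report["overrides" if scope == "template" else "unknown"].append(line.strip())
            continue
        bucket = "collisions" if name in pushed.get(kind, set()) else "merged"
        if (kind, name) not in report[bucket]:
            report[bucket].append((kind, name))
    return report
```

Any entry under `collisions` is a name the local commit would reject, so rename it in the script or manage that object from Panorama instead.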
