09-13-2023 09:03 AM - edited 09-13-2023 11:39 AM
Hi. Configuration changes in the template/stack used to be pushed to the firewall from Panorama, but now, after some change (creating a new zone etc.) made on the template is pushed to the firewall, the change cannot be seen at the firewall, so the configuration is not being pushed to the firewall. The Palo Alto firewall is connected to Panorama normally and it shows it is in Sync status. Please see the screenshot below. Did I miss some step? Thanks
09-13-2023 11:44 AM
On the firewall itself, are you seeing the commit job taking place and completing successfully? If so, is it possible whatever you are pushing from Panorama has the config overridden on the local firewall?
If you look at the template stack, not the template, in Panorama, are the changes reflected there fine?
09-13-2023 05:42 PM
Hello @kevinospf
just to add a few points to @Claw4609's great answer.
There should be no issue with pushing a zone to a managed Firewall. I would recommend checking that the Template is part of the Template Stack to which the Firewall is assigned, and also checking the order of Templates in the Template Stack. For overlapping configurations, the priority of Templates in the Template Stack is from top to bottom.
Make sure that local configuration is not overriding the Template configuration. KB for reference: Pushed config from Panorama not being applied on the local Firewall.
If there is no issue with the above points, I would look into the configuration logs to see what is really happening under Monitor > Logs > Configuration, and for more detailed logs in the CLI: tail follow yes mp-log configd.log
Kind Regards
Pavel
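As an added illustration of the two checks above (Template order within the Template Stack, and local override), here is a small Python model of how overlapping settings resolve. It is not code from this thread or from Palo Alto Networks; the template, stack, path and serial values are constructed, and the dictionary layout is a simplification, not real PAN-OS XML.

```python
from dataclasses import dataclass, field

@dataclass
class Template:
    name: str
    settings: dict  # simplified: {"zone/trust": "layer3", "dns/primary": "10.0.0.53"}

@dataclass
class TemplateStack:
    name: str
    templates: list  # ordered top (highest priority) to bottom, as listed in the Panorama UI
    members: set = field(default_factory=set)  # serials of firewalls assigned to this stack

def resolve_stack(stack):
    """Merge templates top to bottom: the first template that sets a path wins."""
    resolved = {}
    for tpl in stack.templates:
        for path, value in tpl.settings.items():
            resolved.setdefault(path, (value, tpl.name))
    return resolved

def effective_config(stack, serial, local_overrides):
    """What the firewall ends up with: the stack result, then local overrides on top."""
    if serial not in stack.members:
        raise ValueError(f"firewall {serial} is not assigned to stack {stack.name}")
    effective = resolve_stack(stack)
    for path, value in local_overrides.items():
        effective[path] = (value, "local override")
    return effective

def explain(template, stack, serial, local_overrides, path):
    """Say why a setting from `template` is or is not visible on the firewall."""
    if template not in stack.templates:
        return f"template {template.name} is not in stack {stack.name}"
    if path not in template.settings:
        return f"{path} is not set in template {template.name}"
    value, source = effective_config(stack, serial, local_overrides)[path]
    if source == "local override":
        return f"{path} is overridden locally on {serial}"
    if source != template.name:
        return f"{path} is shadowed by higher template {source}"
    return f"{path} pushed from {template.name} with value {value}"

# Constructed sample data (serial and template names are made up).
BASE = Template("Shared-Base", {"dns/primary": "10.0.0.53"})
BRANCH = Template("Branch", {"zone/trust": "layer3", "dns/primary": "10.1.0.53"})
ORPHAN = Template("Orphan", {"zone/dmz": "layer3"})  # never added to the stack
STACK = TemplateStack("Branch-Stack", [BASE, BRANCH], {"FW-SERIAL-001"})
LOCAL = {"zone/trust": "layer3-local"}  # value overridden on the firewall itself
```

Calling `explain(BRANCH, STACK, "FW-SERIAL-001", LOCAL, "dns/primary")` reports the setting as shadowed by the higher template, which is the case the reply above describes.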
09-13-2023 06:03 PM - edited 09-13-2023 06:07 PM
Thanks for your reply.
No, I cannot see it at all. Did I miss some steps?
It looks like some configuration cannot be pushed, as the push button is grayed out, while other configuration can sometimes be pushed to the firewall.
Are there any rules controlling this?
09-13-2023 09:29 PM
Hello @kevinospf
thank you for your reply.
At this point, I would try removing the problematic configuration from your Template, committing it to Panorama, then adding the same configuration, committing it and pushing it again to the managed Firewall. While this is being pushed, I would watch this job on the managed Firewall from the task menu:
Once this completes and the desired configuration is not in place, I would review the logs on Panorama and the managed Firewall to see in depth what was configured:
Regarding your question whether there is any configuration that can't be pushed from Panorama, the short answer is that basically everything configurable in a Device Group and Template can be pushed. There might be some corner cases, but I could not find any documentation that points out specific configuration that can't be done from Panorama.
Kind Regards
Pavel
09-18-2023 09:59 AM
Thanks for your reply. You are right. After testing based on what you described above, I know why some changes could not be pushed via the Template.
One more question: pushing a Template change does not need a Device Group change, but pushing a Device Group change to the firewall needs the Template, is this correct? Please see the screenshot below.
09-18-2023 04:39 PM
Hello @kevinospf
thank you for your reply.
The "Reference Templates" configuration in a Device Group is not mandatory. Technically both the Device Group and the Template Stack are independent configurations; however, in some scenarios they depend on each other. Reference Templates are used in the case where you are pushing Device Group configuration to a Firewall that has no Template Stack assigned. For example, you need zones from the Template to push policies in the Device Group. Could you check this tutorial: Why Would I Need to Create Reference Templates in Device Groups? and the documentation Reference Template (refer to step No. 4).
Kind Regards
Pavel
09-18-2023 07:03 PM - edited 09-18-2023 07:04 PM
@PavelK Thank you PavelK for your answer
You said the following. I have not understood it completely. I can see and check logs in the Dashboard, but it looks like the logs are very brief and simple. Are there detailed logs somewhere else?
What does that mean regarding "tail follow yes mp-log configd.log"?
------------------
Once this completes and the desired configuration is not in place, I would review the logs on Panorama and the managed Firewall to see in depth what was configured:
09-18-2023 10:30 PM
Hello @kevinospf
thank you for your reply.
To get more detailed logs to troubleshoot the issue, you should SSH to Panorama, then issue this command in the CLI: tail follow yes mp-log configd.log. From the CLI you typically get more information compared to the logs in the GUI.
Kind Regards
Pavel