configuration change used to be pushed to firewall

Hello @kevinospf

only to add a few points to @Claw4609 great answer.

There should be no issue with pushing a zone to managed Firewall. I would recommend to check that Template is part of Template Stack where Firewall is assigned and also check the order of Template in Template Stack. For overlapping configurations the priority of Templates in Template Stack is from top to bottom.

Make sure that local configuration is not overriding Template configuration. KB for reference: Pushed config from Panorama not being applied on the local Firewall.

If there is no issue with above points, I would be looking into configuration logs to see what is really happing under: Monitor > Logs > Configuration and for more detailed logs in CLI: tail follow yes mp-log configd.log

Kind Regards

Pavel

Thanks for your reply.

No I cannot see it at all. did I miss some steps? 

Looks like some configuration cannot be pushed as the push button is grayed out, while other can be pushed to firewall sometimes.

Are there any rules to control this? 

Hello @kevinospf

thank you for reply.

At this point, I would try to remove the problematic configuration from your Template, commit it to Panorama, then add the same configuration, commit it and push it again to managed Firewall. While this is being pushed, I would watch out for this job in managed Firewall from task menu:

Once this completes and desired configuration is not in the place, I would review logs on Panorama and managed Firewall to see in depth what was configured:

Regarding your question whether there is any configuration that can't be pushed from Panorama, the short answer is basically everything that is configurable in Device Group and Template can be pushed. There might be some corner cases, but I could not find any documentation that would pointed out to specific configuration that can't be done from Panorama.

Kind Regards

Pavel

@PavelK 

Thanks for your reply. You are right. After test based on what you talked above, I know why some change could not be push via Template.

One more question, Pushing template change does not need Device group change, but pushing Device group change to firewalll needs the Template, is this correct? Please see the below screanshot

Hello @kevinospf 

thank you for reply.

The "Reference Templates" configuration in Device Group is not mandatory. Technically both Device Group and Template stack are independent configurations, however in some scenarios they have dependency on each other. The Reference Templates is used in the case you are pushing Device Group configuration to the Firewall that has no Template Stack assigned. For example you need zones from Template to push policies in Device Group. Could you check this tutorial: Why Would I Need to Create Reference Templates in Device Groups? and documentation Reference Template (Refer to step No.4).

Kind Regards

Pavel

@PavelK Thank you PavelK for your answer

You talked as below. I have not understand comletely. I can see and check logs in Dashboad. but it looks like the logs are very brief and simple. Is there detail logs in somewhere else? 

What does that mean? regarding " tail follow yes mp-log configd.log"

------------------

Once this completes and desired configuration is not in the place, I would review logs on Panorama and managed Firewall to see in depth what was configured:

Hello @kevinospf

thank you for reply.

To get more detailed log to troubleshoot the issue, you should SSH to Panorama, then issue in CLI this command: tail follow yes mp-log configd.log. From CLI you typically get more information compared to logs in GUI.

Kind Regards

Pavel