Device Config Import into Panorama removes all the objects

Reply
Highlighted
L4 Transporter

Device Config Import into Panorama removes all the objects

We have firewalls in HA and are multi-vsys. I am trying to to get them into Panorama, but as i import the config it removes almost all objects and Panorama device groups only shows shared objects. Any object that was local to to vsys does not show and they are gone completely from firewall. Also for the same reason a push from panorama or local commit fails as objects are missing that are being pointed to by the firewall.  

Highlighted
L7 Applicator

Re: Device Config Import into Panorama removes all the objects

Try it this way:

  1. Import configuration to panorama and check the checkbox for creating shared objects in panorama shared context
  2. If you need to change something in the config, do it now and then do a panorama commit
  3. Export the device state to the firewall. Only export, not export and commit.
  4. Connect to the firewall, go into config mode and enter the command "load device-state". Still no commit.
  5. Push the configuration from panorama to the firewall and check the checkbox for include template values and merge with candidate config.

At least I migrated sucessfully more than 6 clusters this way (Panorama was on PAN-OS 8)

Highlighted
L4 Transporter

Re: Device Config Import into Panorama removes all the objects

Can you elaborate how to do step 3. Do you mean exporting the config locally.

We are on 7.1.9, also would the 1st step import all the objects inindvidual vsys into panorama.

 

Export the device state to the firewall. Only export, not export and commit.

Highlighted
L7 Applicator

Re: Device Config Import into Panorama removes all the objects

Had to check shortly if step 3 already is possible with PAN-OS 7.1.

But according to the admin guide, step 3 can be done (as with PAN-OS 8) here:

Panorama > Setup > Operations and click Export or push device config bundle

 

There (if you go the same way as I described) you have to choose the device and then "push" the device state. (Export was little bit of the wrong word to describe what I meant)

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!