This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

failed panorama migration

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

failed panorama migration

Go to solution
josggf
L2 Linker

‎10-26-2018 10:20 AM

hi

i attempted to migrate an HA pair to Panorama which went bad. I had only pushed to passive and when i tried to make it active, everything went down.

had to make the previously active firewall actve again, and load last save on passive to recover the passive firewall

now, after after disabling panorama setting in firewall>device>setup, i have firewall rules starting from 100, instead of 1, and commit on standby fw fails bunch of "already in use" messages during validation.

it seems the firewall has duplicate rules and objects, only thing is i cant see them to try and delete them!

Any ideas?

0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
Raido_Rattameister
Cyber Elite
Cyber Elite
In response to josggf

‎10-26-2018 03:14 PM

You can try following

Import active fw to Panorama.

Commit to Panorama.

Export to passive device.

Load device config on passive.

Change any settings that is different in passive (mgmt ip, hostname, HA settings etc)

Commit to firewall.

If successful so far then commit to firewall from Panorama.

Principal Architect @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

View solution in original post

14 REPLIES 14

Go to solution
LukeBullimore
L5 Sessionator

‎10-26-2018 10:36 AM - edited ‎10-26-2018 10:36 AM

Hey @josggf

 

Did you save and export a named config backup from both the active and passive before starting the Panorama work? If so, I would disable Panorama policies, objects, templates etc, load those configs and start from scratch.

 

If you didn't make any manual backups, your best bet is to revert to a previous configuration version. (Device -> Setup -> Load Configuration Version) and start from scratch.

 

As for why it failed in the first place; it's hard to say but I would definitely follow the below instructions. It sounds as though there may have been an issue with the device config bundle stage.

 

https://www.paloaltonetworks.com/documentation/80/panorama/panorama_adminguide/manage-firewalls/tran...

 

Cheers,

Luke.

0 Likes Likes

Go to solution
josggf
L2 Linker
In response to LukeBullimore

‎10-26-2018 10:42 AM

thanks for responding

i do have save .xml for both firewalls. both on the firewall and on my local pc.

infact, the active firewall is fine, no duplicate rules as well as rule number starts from 1

i was able to restore HA and access to the passive firewall via revert to last saved config

i can attemp again, but the question is, how will it different from last time, is restoring via named config any different than revert to last saved config? as revert to last saved config broguht back the firewall with duplicate rules which i cant see

0 Likes Likes

Go to solution
Raido_Rattameister
Cyber Elite
Cyber Elite
In response to josggf

‎10-26-2018 11:25 AM

If you import firewall(s() into Panorama do not commit from Panorama.

If something goes bad then it is a struggle.

 

Disable config sync in firewalls.

Device > High Availability >General

 

Import config from firewall to Panorama (I guess this part is done already).

Do any changes needed.

Commit to Panorama

Push config to passive firewall.

Panorama > Setup > Operations > Export or push device config bundle

Choose firewall and click Export

 

Log into firewall cli.

#load device-state

 

Verify that all rules are in place (if not then just revert to running config to get back to clean state. reboot will do the trick also as pushed config is not committed).

#commit

 

Perform step on second fw.

Enable config sync in firewalls.

 

 

Principal Architect @ Cloud Carib Ltd
Palo Alto Networks certified from 2011
0 Likes Likes

Go to solution
josggf
L2 Linker
In response to Raido_Rattameister

‎10-26-2018 11:32 AM

thanks,

this is good info, i will follow this process to commit locally from firewall

 

but the problem right now is to bring the passive firewall to a normal state, remove duplicate rules, which were pushed from panorama, are hidden in firewall, and cant be removed

0 Likes Likes

Go to solution
Raido_Rattameister
Cyber Elite
Cyber Elite
In response to josggf

‎10-26-2018 11:38 AM

What if you disable Panorama in passive firewall.

Device > Setup > Management > Panorama Settings

Disable Panorama Policy and Objects

Disable Device and Network Template

 

Then go to active firewall.

Dashboard > High Availability 

You should be able to syncronize changes from there.

Be sure to push sync changes link from firewall that has correct ruleset 🙂

Principal Architect @ Cloud Carib Ltd
Palo Alto Networks certified from 2011
0 Likes Likes

Go to solution
LukeBullimore
L5 Sessionator
In response to Raido_Rattameister

‎10-26-2018 11:41 AM

Hey @Raido_Rattameister

 

When you add HA pair firewalls into Panorama, you need to disable HA config synchronisation during the process.

 

At present it seems @josggf's configuration isn't committable (or by the sounds of it), so won't be able to do the commit to enable config sync 😉

 

I had this exact same problem before - so speaking from past experiences here 😛

0 Likes Likes

Go to solution
Raido_Rattameister
Cyber Elite
Cyber Elite
In response to LukeBullimore

‎10-26-2018 11:45 AM - edited ‎10-26-2018 11:46 AM

Hey @LukeBullimore yeah config sync has to be disabled. I mentioned this in my first post.

But I never again commit first time from Panorama even if it is single firewall. Have seen empty config without any ruleset after commit so it is always safe to load device-state from cli and commit then.

Principal Architect @ Cloud Carib Ltd
Palo Alto Networks certified from 2011
0 Likes Likes

Go to solution
LukeBullimore
L5 Sessionator
In response to Raido_Rattameister

‎10-26-2018 12:05 PM

Hey @Raido_Rattameister

 

I thought the purpose of the device config bundle was to intentionally push a blank config, so that you wouldn't get any duplicate issues when trying to push the Panorama config?

 

Are you saying that "Export" option instead of "Push & Commit" for device config bundle, then load device state gets around this?

But then surely Panorama would still be out of sync so when you try to push to device group/template commits will fail due to duplicates etc?

 

 

0 Likes Likes

Go to solution
Raido_Rattameister
Cyber Elite
Cyber Elite
In response to LukeBullimore

‎10-26-2018 12:14 PM

If you export config from Panorama then you can load it into firewall candicate config using previously mentioned command load device-state.

This will give you capability to verify that whole config is correct before you commit it into firewall.

 

After you commit in firewall it is then safe to commit from Panorama and you don't have issues where your firewall has broken config.

Principal Architect @ Cloud Carib Ltd
Palo Alto Networks certified from 2011
0 Likes Likes

Go to solution
josggf
L2 Linker
In response to Raido_Rattameister

‎10-26-2018 01:06 PM

i actually have done that

active firewall, which has the correct ruleset, show all good

Running ConfigSynchronized 

i do still have config-sync disabled, as i think enabling it could cause more problems

 

just looking for a way to fix the passive fw somehow

0 Likes Likes

Go to solution
Raido_Rattameister
Cyber Elite
Cyber Elite
In response to josggf

‎10-26-2018 01:45 PM

Can you try if in current state it allows you to export config from Panorama to firewall and then load device-state from cli?

Principal Architect @ Cloud Carib Ltd
Palo Alto Networks certified from 2011
0 Likes Likes

Go to solution
josggf
L2 Linker
In response to Raido_Rattameister

‎10-26-2018 03:05 PM

thanks

 

unfortunately, i removed everything from panorama

 

but from your message, i got this idea

import both firewalls again, and try to export active fw device group to passive fw again. theres a delete on the firewall that happens at this stage right, maybe it will fix things

0 Likes Likes

Go to solution
Raido_Rattameister
Cyber Elite
Cyber Elite
In response to josggf

‎10-26-2018 03:14 PM

You can try following

Import active fw to Panorama.

Commit to Panorama.

Export to passive device.

Load device config on passive.

Change any settings that is different in passive (mgmt ip, hostname, HA settings etc)

Commit to firewall.

If successful so far then commit to firewall from Panorama.

Principal Architect @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Go to solution
gurjarn
L1 Bithead
In response to Raido_Rattameister

‎01-13-2021 02:56 PM

Hostname, mgmt ip and HA settings are local to FW and must not be pushed from Panorama or edited to be different before pushing.

 

Alternatively, you can remove HA from being pushed via Panorama so HA settings are not pushed (there is a remove HA settings option at the bottom in High Availability in Panorama). Hostname and Mgmt ips are anyways not pushed by panorama.

0 Likes Likes
  • 1 accepted solution
  • 12618 Views
  • 14 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2025 - Palo Alto Networks