failed panorama migration

josggf · ‎10-26-2018

hi

i attempted to migrate an HA pair to Panorama which went bad. I had only pushed to passive and when i tried to make it active, everything went down.

had to make the previously active firewall actve again, and load last save on passive to recover the passive firewall

now, after after disabling panorama setting in firewall>device>setup, i have firewall rules starting from 100, instead of 1, and commit on standby fw fails bunch of "already in use" messages during validation.

it seems the firewall has duplicate rules and objects, only thing is i cant see them to try and delete them!

Any ideas?

Raido_Rattameister · ‎10-26-2018

You can try following

Import active fw to Panorama.

Commit to Panorama.

Export to passive device.

Load device config on passive.

Change any settings that is different in passive (mgmt ip, hostname, HA settings etc)

Commit to firewall.

If successful so far then commit to firewall from Panorama.

Enterprise Architect, Security @ Cloud Carib Ltd
ACE, PCNSE, PCNSI

View solution in original post

LukeBullimore · ‎10-26-2018

Hey @josggf

Did you save and export a named config backup from both the active and passive before starting the Panorama work? If so, I would disable Panorama policies, objects, templates etc, load those configs and start from scratch.

If you didn't make any manual backups, your best bet is to revert to a previous configuration version. (Device -> Setup -> Load Configuration Version) and start from scratch.

As for why it failed in the first place; it's hard to say but I would definitely follow the below instructions. It sounds as though there may have been an issue with the device config bundle stage.

https://www.paloaltonetworks.com/documentation/80/panorama/panorama_adminguide/manage-firewalls/tran...

Cheers,

Luke.

josggf · ‎10-26-2018

thanks for responding

i do have save .xml for both firewalls. both on the firewall and on my local pc.

infact, the active firewall is fine, no duplicate rules as well as rule number starts from 1

i was able to restore HA and access to the passive firewall via revert to last saved config

i can attemp again, but the question is, how will it different from last time, is restoring via named config any different than revert to last saved config? as revert to last saved config broguht back the firewall with duplicate rules which i cant see

Raido_Rattameister · ‎10-26-2018

If you import firewall(s() into Panorama do not commit from Panorama.

If something goes bad then it is a struggle.

Disable config sync in firewalls.

Device > High Availability >General

Import config from firewall to Panorama (I guess this part is done already).

Do any changes needed.

Commit to Panorama

Push config to passive firewall.

Panorama > Setup > Operations > Export or push device config bundle

Choose firewall and click Export

Log into firewall cli.

#load device-state

Verify that all rules are in place (if not then just revert to running config to get back to clean state. reboot will do the trick also as pushed config is not committed).

#commit

Perform step on second fw.

Enable config sync in firewalls.

Enterprise Architect, Security @ Cloud Carib Ltd
ACE, PCNSE, PCNSI

josggf · ‎10-26-2018

thanks,

this is good info, i will follow this process to commit locally from firewall

but the problem right now is to bring the passive firewall to a normal state, remove duplicate rules, which were pushed from panorama, are hidden in firewall, and cant be removed

failed panorama migration

failed panorama migration

Show your appreciation!