failed panorama migration

thanks for responding

i do have save .xml for both firewalls. both on the firewall and on my local pc.

infact, the active firewall is fine, no duplicate rules as well as rule number starts from 1

i was able to restore HA and access to the passive firewall via revert to last saved config

i can attemp again, but the question is, how will it different from last time, is restoring via named config any different than revert to last saved config? as revert to last saved config broguht back the firewall with duplicate rules which i cant see

If you import firewall(s() into Panorama do not commit from Panorama.

If something goes bad then it is a struggle.

Disable config sync in firewalls.

Device > High Availability >General

Import config from firewall to Panorama (I guess this part is done already).

Do any changes needed.

Commit to Panorama

Push config to passive firewall.

Panorama > Setup > Operations > Export or push device config bundle

Choose firewall and click Export

Log into firewall cli.

#load device-state

Verify that all rules are in place (if not then just revert to running config to get back to clean state. reboot will do the trick also as pushed config is not committed).

#commit

Perform step on second fw.

Enable config sync in firewalls.

thanks,

this is good info, i will follow this process to commit locally from firewall

but the problem right now is to bring the passive firewall to a normal state, remove duplicate rules, which were pushed from panorama, are hidden in firewall, and cant be removed

What if you disable Panorama in passive firewall.

Device > Setup > Management > Panorama Settings

Disable Panorama Policy and Objects

Disable Device and Network Template

Then go to active firewall.

Dashboard > High Availability 

You should be able to syncronize changes from there.

Be sure to push sync changes link from firewall that has correct ruleset :)

Hey @Raido

When you add HA pair firewalls into Panorama, you need to disable HA config synchronisation during the process.

At present it seems @josggf's configuration isn't committable (or by the sounds of it), so won't be able to do the commit to enable config sync ;)

I had this exact same problem before - so speaking from past experiences here :P

Hey @LukeBullimore yeah config sync has to be disabled. I mentioned this in my first post.

But I never again commit first time from Panorama even if it is single firewall. Have seen empty config without any ruleset after commit so it is always safe to load device-state from cli and commit then.

Hey @Raido

I thought the purpose of the device config bundle was to intentionally push a blank config, so that you wouldn't get any duplicate issues when trying to push the Panorama config?

Are you saying that "Export" option instead of "Push & Commit" for device config bundle, then load device state gets around this?

But then surely Panorama would still be out of sync so when you try to push to device group/template commits will fail due to duplicates etc?

If you export config from Panorama then you can load it into firewall candicate config using previously mentioned command load device-state.

This will give you capability to verify that whole config is correct before you commit it into firewall.

After you commit in firewall it is then safe to commit from Panorama and you don't have issues where your firewall has broken config.