- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
10-15-2018 07:58 AM
Hey Team,
I thought I would share my experiences with adding firewalls into Panorama and receiving the error message in the subject. The scenario is a HA pair with multi-vsys compatibility enabled - and 5 virtual systems. In all cases, adding the Primary/Active firewall to Panorama works perfectly fine; the issue lies with adding the Secondary/Passive firewall after doing the operation "Import device configuration to Panorama" the message "Failed to add imported nodes into Panorama" is shown.
After looking at the confd logs with TAC we can see that its failing because it mentions that the device group names already exist. In step 5.3 in the below documentation, the device group names for the Secondary/Passive firewall have already been prefixed with a character to avoid name duplicates yet the issue still arises.
Upon further investigation from TACs side they gave us a workaround to modify the names of the virtual systems on the Secondary/Passive firewall then proceed once more with the import - this seems to work. As this is of course a workaround and not an actual solution they looked into this further and found that this is actually expected behaviour, but the documentation should be updated to include the below steps which also work - if anyone has ever faced this before let me know but this issue does seem specific to importing HA firewalls with multiple virtual systems so I'm surprised it hasn't been raised before.
1. Import device group from HA peer-1 followed by panorama commit.
2. Export, Push and commit the configuration bundle to HA Peer-1.
3. Delete Device groups from Panorama after Push&Commit to HA Peer-1.
4. Import device group from HA peer-2 followed by panorama commit.
5. Export, Push and commit the configuration bundle to HA Peer-2.
6. Associate HA peer-1 and HA peer-2 into one device group (the one created during HA Peer-2 import)
The steps are also the same and also work if you start with the Secondary/Passive unit and resume "HA-peer-1" is the Passive device.
Thanks,
Luke.
06-12-2020 06:47 AM
This was a great solution to this problem! its crazy this isn't documented! I was running PANOS 9.0.8 on both the firewall (PA-3220) and the Panorama-VM.
I suppose PANW thinks folks are going to start the multi-vsys configuration from Panorama? Like you mentioned, perhaps there aren't enough people facing this issue to rewrite that article.
08-03-2020 04:03 AM
Also me I had this problem, Why the TAC doesn't update the procedure? Also a footnote would be much appreciated.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!