08-03-2016 08:02 AM
Hi,
I have a pair of PA-3020 in Active/Passive in production that will need to be imported into Panorama 7.0.3.
After importing each device config, does anybody know what will happen while pushing the device configuration bundle from Panorama to each firewall... will it break the HA?
Since Panorama policy and objects, device and network templates are not synchronized, does that mean I need to recreate all configuration settings at a parent device group level and commit from this device group level only?
Thank you for your help.
Kind regards,
Pierrick,
08-04-2016 01:26 AM
HA configuration is local: Panorama will be able to identify 2 managed firewalls as members of the same HA cluster, but will not interfere.
This is true for all Panorama-pushed config: as long as you don't explicitly create an override, it will not tamper with the local configuration (e.g. if no interfaces are configured in a template, the interfaces will remain untouched; if only eth1/5 is created in a template, only eth1/5 will be changed on the local firewall after a commit all).
If you do push new HA settings from Panorama, there may be a short interruption as the HA needs to be reestablished. If you imported the HA configuration but would prefer not to touch it, you can also delete the config from the template.
hope this helps
08-10-2016 01:26 AM - edited 08-10-2016 03:43 AM
Hi Reaper,
Thank you for your feedback, it helps a lot, and sorry for the late response, which I did not notice before.
Just to make sure, once you have imported both nodes and one Panorama identified 2 managed firewalls as members of the same HA cluster:
Does that mean that only one device group and template will be created for both nodes in Active/Passive?
Thank you again for your support.
Pierrick
08-10-2016 03:41 AM
Panorama will only identify the cluster, but you should add both members to the same device group and same template, so both devices receive the same configuration from Panorama (Panorama will identify that 2 members are part of a cluster, but configuration still needs to be committed to both devices individually; the cluster will not sync Panorama config among themselves).
You should only import one device, so the group and template etc. get created, and then simply add the second device and move it into the same group and template.
08-10-2016 03:47 AM
Thank you Reaper for your valuable recommendation.
Kind regards
Pierrick
08-14-2016 02:11 AM
Hi,
Interesting and scary experience this morning.
I have already integrated multiple devices with Panorama 7.0.x and use it every day with no issue.
But this time, while trying to integrate the HA, and even though importing the existing config works perfectly, exporting the bundle config (which is a prerequisite step) simply deleted all policy and objects without pushing back the Panorama-made policy nor the device template, and I had to reload a local backup config!
No error message at all, commit successful even locally on the device! But no policy config anymore! Moreover, the template has not even been enforced, still local device config. A case has been opened for advanced investigation.
Also, I do not believe adding the second device and moving it into the same group and template will work, since we first need to import and push a bundle config on both devices before being able to commit a device group entirely...
Will keep the post updated.
Pierrick
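An added example, not part of the original post or any Palo Alto tooling: the failure described above (a commit that reports success but leaves policy and objects empty) can be caught by comparing a config export taken before the push with one read back afterwards. The sample XML is constructed, and the element paths assume the usual `config/devices/entry/vsys/entry` layout in both exports; where Panorama-pushed rules appear in your export may differ, so adjust `SECTIONS` accordingly.

```python
import xml.etree.ElementTree as ET

# Constructed sample exports (not from the thread). Layout is an assumption:
# config/devices/entry/vsys/entry/... in both the backup and the read-back.
BEFORE = """<config><devices><entry name="localhost.localdomain"><vsys>
<entry name="vsys1">
  <address><entry name="srv-web"/><entry name="srv-db"/></address>
  <rulebase><security><rules>
    <entry name="allow-web"/><entry name="deny-all"/>
  </rules></security></rulebase>
</entry></vsys></entry></devices></config>"""

AFTER = """<config><devices><entry name="localhost.localdomain"><vsys>
<entry name="vsys1"><rulebase/></entry>
</vsys></entry></devices></config>"""

# Sections to count per vsys, as paths relative to the vsys entry.
SECTIONS = {
    "security-rules": "rulebase/security/rules/entry",
    "nat-rules": "rulebase/nat/rules/entry",
    "addresses": "address/entry",
    "services": "service/entry",
}

def inventory(xml_text):
    """Return {(vsys, section): count} for one firewall config export."""
    root = ET.fromstring(xml_text)
    counts = {}
    for vsys in root.findall("devices/entry/vsys/entry"):
        for label, path in SECTIONS.items():
            counts[(vsys.get("name"), label)] = len(vsys.findall(path))
    return counts

def lost_sections(before_xml, after_xml):
    """List sections that were populated before the push and are empty after."""
    before, after = inventory(before_xml), inventory(after_xml)
    return sorted(
        f"{vsys}/{label}: {n} -> 0"
        for (vsys, label), n in before.items()
        if n > 0 and after.get((vsys, label), 0) == 0
    )

if __name__ == "__main__":
    for line in lost_sections(BEFORE, AFTER):
        print("LOST", line)
```

Running it against the passive node first, before touching the active one, gives a chance to restore the backup without a traffic impact.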
08-19-2016 02:34 AM
Hi,
After investigating configd.log, it looks like Panorama is experiencing some index issue while trying to apply the bundle:
Error: pan_save_devicegroup_config_bundle(pan_cfg_config_import_handler.c:1177): Could not find <vsys> node in device group XXX.
It could explain why it leaves the config empty...
Still waiting for feedback from Palo Alto on this case...