How can we manage the Firewalls while Panorama is out of service?

L1 Bithead


In a scenario with many groups of firewalls centrally managed by Panorama, the Panorama is running on an appliance without HA.

What should we do when Panorama is out of service because of a problem and we have to make a change in the Firewall Policies?

Best Regards,

Marcelo Castro

L7 Applicator

Here's what I would recommend:

1.) Use redundant Panoramas so they're both not out of service at the same time. Or...

2.) Only create "post rules" within Panorama. Then, if Panorama is out of service, you can always connect directly to the firewall and make emergency changes that will override any of the Panorama-pushed post-rules.

L4 Transporter

Agreed. Those pre-rules will put you in a bind every time!

Local overrides on other configuration options on the firewall work great as well if Panorama has no access or is down.

L1 Bithead

@jvalentine
There is no budget to follow suggestion #1.
As I was reading about it, we have a lot of work to do. We have so many pre-rules to migrate to post-rules.


Thanks for this tip.

Cyber Elite

@mmcastr,

If you are comfortable with working with the XML config directly, converting your pre-rules to post-rules would be as simple as copying and pasting them into the proper areas. That would be my recommended way of doing this.
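The pre-rule to post-rule move described above, as an added sketch that is not code from this thread or from Palo Alto Networks. It assumes an exported config laid out as `device-group/entry/pre-rulebase` and `post-rulebase`; the sample XML, device group name and rule names are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample (assumed layout): one device group, two pre-rules,
# one post-rule whose name collides with a pre-rule.
SAMPLE = """<config><devices><entry name="localhost.localdomain"><device-group>
<entry name="branch-fw">
  <pre-rulebase><security><rules>
    <entry name="allow-dns"><action>allow</action></entry>
    <entry name="block-telnet"><action>deny</action></entry>
  </rules></security></pre-rulebase>
  <post-rulebase><security><rules>
    <entry name="block-telnet"><action>deny</action></entry>
  </rules></security></post-rulebase>
</entry></device-group></entry></devices></config>"""

def _child(parent, tag):
    """Return parent's <tag> child, creating it if absent."""
    node = parent.find(tag)
    return node if node is not None else ET.SubElement(parent, tag)

def move_pre_to_post(xml_text, device_group):
    """Move every pre-rule of one device group to the end of the matching
    post-rulebase. Returns (new_xml, moved, skipped). A rule whose name
    already exists in the post-rulebase stays put and is reported."""
    root = ET.fromstring(xml_text)
    dg = next((e for e in root.iterfind(".//device-group/entry")
               if e.get("name") == device_group), None)
    if dg is None:
        raise ValueError(f"device group {device_group!r} not found")
    moved, skipped = [], []
    pre = dg.find("pre-rulebase")
    for rulebase in (list(pre) if pre is not None else []):  # security, nat, ...
        src = rulebase.find("rules")
        if src is None:
            continue
        dst = _child(_child(_child(dg, "post-rulebase"), rulebase.tag), "rules")
        taken = {e.get("name") for e in dst}
        for rule in list(src):
            name = rule.get("name")
            if name in taken:
                skipped.append((rulebase.tag, name))
                continue
            src.remove(rule)
            dst.append(rule)  # original relative order is preserved
            taken.add(name)
            moved.append((rulebase.tag, name))
    return ET.tostring(root, encoding="unicode"), moved, skipped

if __name__ == "__main__":
    _, moved, skipped = move_pre_to_post(SAMPLE, "branch-fw")
    print("moved:", moved, "skipped (name collision):", skipped)
```

Run it on an exported copy and review the skipped list before importing anything; moved rules are evaluated after firewall-local rules, so check that no local rule now shadows them.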

L1 Bithead

I'm not comfortable with XML config yet but I'll study your suggestion.
Thanks for this smart tip @BPry

L3 Networker

Use this with caution.  I would decide how important the rule changes are in the immediate. 

https://live.paloaltonetworks.com/t5/Management-Articles/Disable-Panorama-Policy-and-Objects-Disable...

Once this is done it can be a pain to pull back into Panorama. We have had to do this for a site we were bringing online once and also when a site was no longer able to connect due to ISP changes. Both times there were unique challenges bringing it back into Panorama.

Brian

Company note: we chose to run Panorama for configurations as a VM, and we maintain a backup copy of it at a DR site in case there is an emergency/failure.
