In a scenario with many groups of firewall's centrally managed by Panorama.
The Panorama is running in a appliance without HA.
What we should do when Panorama is outage by a problem and we have to do any change in the Firewall Policies?
Here's what I would recommend:
1.) use redundant Panoramas so they're both not out of service at the same time. Or...
2.) only create "post rules" within Panorama. Then, if Panorama is out of service, you can always connect directly to the firewall and make emergency changes that will override any of the Panorama-pushed post-rules.
Agreed. Those pre-rules will put you in a bind every time!
Local overrides on other configuration options on the firewall work as great as well if Panorama has no access or is down.
If you are comfortable with working with the XML config directly converting your pre-rules to post-rules would be as simple as copy and pasting them into the proper areas. That would be my recommended way of doing this.
Use this with caution. I would decide how important the rule changes are in the immediate.
Once this is done it can be a pain to pull back into Panorama, we have had to do this for a site we were bringing online once and also when a site was no longer able to connect due to ISP changes. Both times there were unique challenges bringing it back into Panorama.
Company note: we chose to run Panorama for configurations as a VM, we maintain a backup copy of it at a DR site incase there is an emergency/failure.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!