I followed the instructions from “Panorama-Device-Migration-Tech_Note-revB.pdf” using the CLI method to capture the configuration of an HA Pair of 5060 running PAN OS 5.0.11 and paste it to the Panorama running PAN OS 6.0. The Migration Checklist states during the cutover process to cutover 1 firewall first. The document states after deleting the Rules, objects etc. on the FW, when committing the configuration to the HA pair, follow the documented HA procedure to minimize network impact. What are they referring to when they say “follow the documented HA procedure? I cannot find anything referencing what they mean. I figure I should leave the passive FW alone and do the Active one first because when doing a commit on the Active FW it usually pushes the configuration to the Passive FW.
But, What impact does the Device Group have when you set the FWs up as an HA pair in the Device Group? Also, when deleting the items from the Active FW, should I also delete them from the Passive FW?
Another approach that I have read is to rename the objects, policies etc. on the Panorama then commit it to the FWs. What does that do to the existing configuration on the FW? Is there now a duplicate configuration with a different set of names? Or does it overwrite the existing configuration?
Lots of questions and scenarios that I cannot find answers to anywhere.
Point-1: We will add devices into Panorama based on their Serial number, and it does not matter from Panorama point of view, whether the devices are standalone or in HA. The panorama will always treat as an individual device. Please follow the mentioned KB article to understand information synchronized in HA pair Information Synchronized in an HA Pair
NOTE: If you use untrust interface of the device as service route, the configuration will be pushed only to active device (assuming policies are configured correctly) because only 1 IP is active at a time for active/passive, even though you have the same IP on both devices. Suggested configuration would be to use management interface itself. Since the management IP address is unique for both devices, you will not have any issues and will prevent extra bandwidth consumption on untrust interface.
Point-2: If you want to merge the panorama pushed config with your PAN FW local config, you should use the option "merge with candidate config". But if you want to override your FW config with Panorama pushed config, then you have to check the option "Force template values".
Hope this helps.
I will give this a try.
Our SE answered my question this morning also. The only addition he made was to Disable Config Sync in the FWs before pushing configuration from Panorama.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!