12-10-2015 06:03 AM
I've inherited an environment where Panorama was an afterthought for 60+ PAN firewalls. Finally convinced management to buy Panorama after we terminated the reason for this mess and had to change passwords on 60+ firewalls individually.
The problem I'm running into is that almost every firewall has different policies, objects, network profiles and everything else. I can import the device configuration to Panorama, but then I end up with 60+ device groups. Trying to move the devices into a device group and applying the settings fails due to the existing objects.
What's the best way to handle this? Having 60+ device groups defeats the purpose of central management. I do have the device and network templates working as they should.
12-11-2015 11:02 AM
Hi,
The import is just the initial step of managing your firewalls centrally from Panorama. It's up to you to create the proper device groups. Do you have the exact error message for the existing objects? Do you still have local objects on your firewalls?
Benjamin
12-11-2015 03:47 PM
I feel your pain. I've done a number of conversions from local to Panorama device groups and they are not at all fun and a whole lot of work. But in the end the effort is worth it.
Start with deciding how many groups the 60 devices can be reasonably divided into.
Collect all the settings that are common across all groups.
Create a naming convention so that all objects will be consistently created.
Determine if all policy can be held in the group or if some local policies will be required. And if they are needed, then choose the pre or post common rule set model for the group.
I tended to create most objects as global so they could be used across the groups.
Start with a small device and make the naming convention changes and system harmonizations. Once ready, I used this process to get the devices into Panorama.
I would run these procedures with a lab PA and lab Panorama until the scripts were well honed.
Create a rollback file for both the device and Panorama before starting so there is an easy fallback point.
Create the Panorama group
Export the local configuration and create backup snapshots
Import the local configuration as a file to Panorama. This will just be used as a source to import objects to global.
Use load config partial [filename] to pull objects from this file into the shared objects in Panorama.
object order:
tags
addresses
address groups
services
service groups
custom applications
profiles
profile groups
Security policies
nat policies
application override policies
Delete all the local configuration objects but do not commit.
Add the device to Panorama.
Commit and override from Panorama.
Schedule the migrations.
12-14-2015 01:09 AM
Pulukas is giving serious hints.
Yet if you don't feel like doing this alone, you should try to contact your PAN sales to get in touch with our Professional Services. They can help you to draft a safe plan with procedures and even execute it.
Thx
12-15-2015 06:39 AM
I recommend getting comfortable with doing large load config partials of XML configs and using a text editor like Notepad++ to find/replace and add something simple to the end or beginning of the object names in order to avoid duplicates.
Once you have everything managed by the PAN, you can delete and/or rename objects. It is also my understanding that newer versions of the migration tool will enable this feature pretty seamlessly, assuming the VM/tool is approved to run on the customer's network.
On a side note, if the devices don't exist at all in Panorama yet and you have Panorama 7.x.x, you can import the device under Setup and Operations, and I've had great luck with that. If you have issues committing with this method due to duplicate names, you can delete many of the objects locally and leave them as a candidate config; then, when you push from Panorama, make sure you have 'merge with candidate config' checked.
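Both Pulukas's object-import order (tags, addresses, address groups, services, service groups, then policies) and the suggestion above to prefix object names before a load config partial come down to the same mechanical task: rename every local object in an exported firewall config so it cannot collide with objects from the other 59 devices, and rewrite every reference to the renamed objects in the same pass so groups and rules still resolve. The script below is an added example written for this thread, not code from the posters or from Palo Alto Networks. It assumes the standard PAN-OS config layout (objects under devices/entry/vsys/entry[@name='vsys1'], group members under static/member and members/member, rule references under source/member, destination/member and service/member); the sample config it works on is constructed and is not from a real device. Built-in names such as any or service-https are left alone because they are not local objects.

```python
import xml.etree.ElementTree as ET

# Constructed sample of an exported PAN-OS vsys configuration (not from a real device).
SAMPLE_CONFIG = """<?xml version="1.0"?>
<config version="7.0.0">
  <devices>
    <entry name="localhost.localdomain">
      <vsys>
        <entry name="vsys1">
          <address>
            <entry name="web-srv"><ip-netmask>10.1.1.10/32</ip-netmask></entry>
            <entry name="db-srv"><ip-netmask>10.1.2.20/32</ip-netmask></entry>
          </address>
          <address-group>
            <entry name="servers"><static><member>web-srv</member><member>db-srv</member></static></entry>
          </address-group>
          <service>
            <entry name="tcp-8443"><protocol><tcp><port>8443</port></tcp></protocol></entry>
          </service>
          <service-group>
            <entry name="web-svcs"><members><member>tcp-8443</member><member>service-https</member></members></entry>
          </service-group>
          <rulebase>
            <security>
              <rules>
                <entry name="allow-web">
                  <from><member>untrust</member></from>
                  <to><member>trust</member></to>
                  <source><member>any</member></source>
                  <destination><member>servers</member></destination>
                  <service><member>web-svcs</member></service>
                  <application><member>any</member></application>
                  <action>allow</action>
                </entry>
              </rules>
            </security>
          </rulebase>
        </entry>
      </vsys>
    </entry>
  </devices>
</config>
"""

# Containers whose entries get renamed, in dependency order: objects before the groups
# that reference them, groups before the rules that reference them.
OBJECT_TYPES = ("address", "address-group", "service", "service-group")

# For each group type: the member-list path (relative to an <entry>) and which object
# types those members may name. Assumed PAN-OS layout.
GROUP_MEMBERS = {
    "address-group": ("static/member", ("address", "address-group")),
    "service-group": ("members/member", ("service", "service-group")),
}
# Security rule fields that reference local objects, relative to a rule <entry>.
RULE_MEMBERS = {
    "source/member": ("address", "address-group"),
    "destination/member": ("address", "address-group"),
    "service/member": ("service", "service-group"),
}


def prefix_objects(xml_text, prefix, vsys="vsys1"):
    """Prefix every local object and security rule name and fix up all references.

    Returns (rewritten_xml, renamed) where renamed maps (type, old_name) -> new_name.
    Anything not in `renamed` (built-ins such as 'any', zones, applications) is untouched.
    PAN-OS enforces a maximum name length, so keep the prefix short.
    """
    root = ET.fromstring(xml_text)
    vsys_node = root.find(f"./devices/entry/vsys/entry[@name='{vsys}']")
    if vsys_node is None:
        raise ValueError(f"vsys {vsys!r} not found in configuration")

    renamed = {}
    for obj_type in OBJECT_TYPES:
        for entry in vsys_node.findall(f"./{obj_type}/entry"):
            old = entry.get("name")
            entry.set("name", prefix + old)
            renamed[(obj_type, old)] = prefix + old

    def fix_members(parent, path, candidate_types):
        # Rewrite each <member> that names a renamed local object; leave everything else.
        for member in parent.findall(path):
            for t in candidate_types:
                if (t, member.text) in renamed:
                    member.text = renamed[(t, member.text)]
                    break

    for group_type, (path, candidate_types) in GROUP_MEMBERS.items():
        for entry in vsys_node.findall(f"./{group_type}/entry"):
            fix_members(entry, path, candidate_types)

    # Rule names must also be unique within a Panorama device group, so prefix them too.
    for rule in vsys_node.findall("./rulebase/security/rules/entry"):
        old = rule.get("name")
        rule.set("name", prefix + old)
        renamed[("security-rule", old)] = prefix + old
        for path, candidate_types in RULE_MEMBERS.items():
            fix_members(rule, path, candidate_types)

    return ET.tostring(root, encoding="unicode"), renamed


def members_of(xml_text, xpath, vsys="vsys1"):
    """Read a member list back out of a config, for checking the rewrite."""
    root = ET.fromstring(xml_text)
    vsys_node = root.find(f"./devices/entry/vsys/entry[@name='{vsys}']")
    return [m.text for m in vsys_node.findall(xpath)]


if __name__ == "__main__":
    rewritten, mapping = prefix_objects(SAMPLE_CONFIG, "fw01_")
    for (obj_type, old), new in mapping.items():
        print(f"{obj_type:14} {old} -> {new}")
```

Run it against a real export by replacing SAMPLE_CONFIG with the file contents and writing the rewritten XML to a new file, which then becomes the source for load config partial into shared objects. The returned mapping is worth keeping as the rollback record Pulukas describes, since it tells you exactly which names changed on that device.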