Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
04-21-2023 02:53 PM
Hi All,
We currently have 2 Panoramas (virtual) managing different firewalls.. We'd like to move all firewalls to 1 pano, so we can retire the other one. What's the best/safest way to accomplish that? Is there a way to avoid having duplicate objects while migrating or would it be a cleanup effort after the fact. It's a mix of standalone firewalls and HA (active/passive) firewalls. These are all in production, so concerned about downtime.
I know there is a process to import standalone firewalls into panorama, but these firewalls are already managed by pano.
04-22-2023 11:51 AM - edited 04-22-2023 01:48 PM
Hi @securehops ,
Thank you for the excellent info. Let me answer your 2 questions 1st:
Expedition makes some things easier, but it does take time to install and learn. Unless you have a LOT of objects, I probably would not. Instead, I would do the following:
Thanks,
Tom
12-20-2023 06:07 PM - edited 12-21-2023 05:58 AM
@TomYoung thank you very much for your assistance.
I was able to successfully import all the configuration from the to-be-retired panorama, following these steps
Step 1: Import the serial numbers into panorama
load config partial mode merge from-xpath /config/mgt-config/devices to-xpath /config/mgt-config/devices from exported-panorama-cfg.xml
Step 2: Load shared objects into Panorama
load config partial mode merge from-xpath /config/shared to-xpath /config/shared from exported-panorama-cfg.xml
Step 3: Import the templates into panorama
load config partial mode merge from-xpath /config/devices/entry[@name='localhost.localdomain']/template to-xpath /config/devices/entry[@name='localhost.localdomain']/template from
exported-panorama-cfg.xml
Step 4: Import any template stacks into panorama
load config partial mode merge from-xpath /config/devices/entry[@name='localhost.localdomain']/template-stack to-xpath /config/devices/entry[@name='localhost.localdomain']/template-stack from exported-panorama-cfg.xml
Step 5: Import device groups into panorama
load config partial mode merge from-xpath /config/devices/entry[@name='localhost.localdomain']/device-group to-xpath /config/devices/entry[@name='localhost.localdomain']/device-group from exported-panorama-cfg.xml
This all imported with no errors. The last step is to point the firewalls to the new panorama, which I will try in early January. I will update the thread with the results
Thx again
04-21-2023 03:12 PM
Hi @securehops ,
Here is a link to a similar thread answered by our CE @TomYoung . As far as duplicating objects, you can import them into their own device groups and not have them at the shared level.
04-21-2023 06:41 PM
Thanks but I don't see a link.
As far as the duplicates, sure can do that but then you have a device group for every firewall you bring in and then won't have a consistent security policy. Many of the firewalls are all currently in the same device group to have a consistent policy
04-22-2023 03:35 AM
Hi @securehops ,
I think @JayGolf 's point was that keeping them in their own device groups avoids duplicate errors when you import the configuration into Panorama. Before we discuss duplicates, let's talk about how to get the configurations from the old Panorama to the new one. I can think of 2 ways:
Any time that you import configurations into Panorama as opposed to building them from scratch, you will need to do some cleanup/restructuring. Thankfully, the Move button on the bottom of Policies and Objects makes that easier.
We can discuss either option in more detail on this thread.
Thanks,
Tom
04-22-2023 10:36 AM
Hi @TomYoung
Agree completely on @JayGolf point. This was my original thought too but since I'll be bringing a number of firewalls, for each of them to have their own device group (policy set) decided that would not be ideal
I do have some follow up questions but wanted to provide some info on the current environment
On the source side (panorama to be retired/fws to be imported)
On the destination side (main Panorama)
My questions are
I currently do not have expedition, would you recommend using it for this scenario?
Thanks!
04-22-2023 11:51 AM - edited 04-22-2023 01:48 PM
Hi @securehops ,
Thank you for the excellent info. Let me answer your 2 questions 1st:
Expedition makes some things easier, but it does take time to install and learn. Unless you have a LOT of objects, I probably would not. Instead, I would do the following:
Thanks,
Tom
04-22-2023 06:57 PM
Well, this is interesting. https://docs.paloaltonetworks.com/panorama/panorama-interconnect/1-0/panorama-interconnect-admin
Has anyone used Panorama Interconnect? I wonder if @securehops could use it to pull the configs from the old Panorama to the new? I looked through the docs and did not find anything. Once done, you could remove the plugin.
04-22-2023 07:35 PM - edited 04-22-2023 07:42 PM
Firstly, thanks for the info on this. It's very helpful not only for me but also for the entire community.
For the address objects, not a lot, I believe its somewhere between 250 - 300. So that sounds like no real need for Expedition. I've never used it personally, I've only watched the youtube series on it, in the past
I have some follow up questions, based on your reply. I'm a little confused
I think the one area I may have some issues is with the custom URL objects. I'm certain there will be objects there with same name but different values. Will look to match them up prior
Edit: forgot to add that in the old panorama, no template variables are used. So for the firewalls that belong to a single template, the values (such as interface IP addresses) are configured locally with an override
04-23-2023 06:49 AM
Hi @securehops ,
Just to confirm that I'm understanding what you mean here...are you saying if on old pano, I have an object named "Object-A" with IP of 1.1.1.1 and on new Pano, I have an object named "Object-B" with IP 1.1.1.1, I should rename Object-A to Object-B on the old pano first? Yes. If you rename them on the old Pano, all the polices will have matching objects on the new Pano. If you wait to do it after the merge, then you have to go through every rule with Object-B and change it to Object-A. That is, of course, if you want all the objects to be consistent.
Also, are you saying the device group and template names on the old Pano should NOT be the same as they are on the new pano? Yes. I would keep them separate initially so that you have a like-for-like migration. In that way you are reducing the number of changes during the maintenance window. The #1 goal is to move the NGFW and everything work.
Not sure I understand this one, is this different from #1 above? Good catch. It is not different. I was emphasizing that Shared objects are the most important since they will be merged with Shared on the new Pano.
If on the old pano, I have 2 device groups and 4 templates, after the migration, does this mean I'll have 2 additional device groups and 4 additional templates on the new pano? Yes, for the purpose of a like-for-like migration. We don't want to break anything.
If so, after I migrate the FWs into the new pano, can I then safely move those FWs into the one existing device groups that was already on the new pano? Yes. I would standardize device groups and templates after the move. As you know, this will take a lot of work to ensure the configs stay the same.
The goal here is to have all of the firewalls in our current branch office device group. This way all the security policies/decryption/etc policies are consistent. Exactly. You could also consider moving templates also so that you can change something once for all devices. I had to install Panorama in my company after I had a few NGFWs setup. It took some time to import the configurations and move things around. It's done now, and very easy to make changes.
Thanks,
Tom
04-23-2023 11:04 AM - edited 04-23-2023 11:06 AM
Thanks @TomYoung
Appreciate it. If I take care of all the shared objects up front, to make sure they match on old and new panorama , do I still do a partial import or can I just do a full import at that point, since they'll be going into their own DG?
I read through the link you posted about the partial import, but it's not fully clear in my brain how I'd do that. I'm also a little worried about the HA firewalls that need to be added to the new Pano, since even though they are managed by the old Panorama, all of their HA settings are currently locally configured. When I import those FWs into my panorama, I think that config will come too and potentially break
I eventually will want to make use of template variables and have fewer templates. Create some templates for common settings and use template stacks but that can be done as a different phase. For now, I'm okay with having multiple templates, I'm more bothered by multiple device groups. It's easy to clone rules from 1 DG to another, but it's extra effort 🙂
04-23-2023 12:38 PM
Hi @securehops ,
You will not import the NGFW configuration into Panorama at all. You export and import the old Pano configuration onto the new Pano. Do not load it. Reference that file in the "load config partial" command. Basically, you will copy just the device group or template configuration from the old to the new. You can use the API Browser to confirm the XPaths (XML Paths). All the local settings will stay local. We can do a phone call or screen share if needed to further explain.
Don't forget you can use the Move button on the bottom of Policies to move rules.
Thanks,
Tom
04-23-2023 01:58 PM - edited 04-23-2023 01:59 PM
Thanks @TomYoung , I totally missed that part. So really, by importing the Pano config, it very low risk, since once it's added, then I can just add the NGFW serial number to the new panorama, change IP on NGFW to point to new Pano, add to the template/dg and push. Since it's one-for-one, like you've mentioned, should just work fine. I guess the only consideration is once I start the process, I should move the NGFW's over relatively quickly, otherwise I'll have to manually keep them up to date.
I appreciate the offer for screen share call, might take you up on that. In the meantime, I will work on renaming zones, renaming/cleaning up shared objects on old Pano and add any objects that don't exist to new pano
Should it matter that old Pano is 9.1 and new Pano is 10.1?
04-23-2023 02:03 PM
Hi @securehops ,
Yes! That's it.
You don't have to add new objects to the new Pano. The "load config partial" will do that.
I would upgrade your old Pano and NGFWs to 10.1 so that the config is exactly the same. Technically, Pano can manage older versions but sometimes there are errors. Trying to make everything like-for-like reduces errors.
Thanks,
Tom
04-23-2023 03:13 PM
Thank you very much, @TomYoung
New pano is 10.1 (panorama mode) with a mix of 10.1.x and 9.1.x NGFWs (upgrade planned for this year). Old pano is 9.1.x (legacy mode), managing all 9.1.x NGFWs. I think at minimum, I'll try to get that Pano to 10.1 panorama mode first, if possible. I know that location is doesn't have much storage capacity left.
12-19-2023 07:43 AM
Hi @TomYoung ,
Finally ready to test importing the old panorama config into our main panorama but can't seem to figure out how to import only the device group/template configuration. Any pointers?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
