04-21-2023 02:53 PM
Hi All,
We currently have 2 Panoramas (virtual) managing different firewalls.. We'd like to move all firewalls to 1 pano, so we can retire the other one. What's the best/safest way to accomplish that? Is there a way to avoid having duplicate objects while migrating or would it be a cleanup effort after the fact. It's a mix of standalone firewalls and HA (active/passive) firewalls. These are all in production, so concerned about downtime.
I know there is a process to import standalone firewalls into panorama, but these firewalls are already managed by pano.
12-19-2023 07:56 AM
Hi @securehops ,
Here is the link for "load config partial" again. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClbLCAS
Thanks,
Tom
12-19-2023 08:08 AM
Thanks @TomYoung . I do have the link. Sorry, I meant I'm having trouble finding the proper items to import. When I went to <panorama ip>/api, I'm not seeing anything for device groups and templates
12-19-2023 11:04 AM
Hi @securehops ,
In the scenarios in the link, you load the config from a file. The XML API only shows the running-config. You can use the API to get the generic XML Path (XPath), and change the name of the device group or template that exists in the configuration file.
You may need to go through the link again.
Thanks,
Tom
12-19-2023 12:36 PM - edited 12-19-2023 12:37 PM
I was reviewing this article https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-cli-quick-start/use-the-cli/load-configurations...
I guess I thought I would be able to import a partial config and pull in all the device groups and templates that I want to bring in but maybe I need to do them one at a time?
load config partial mode merge from-xpath
load config partial mode merge from-xpath
12-19-2023 12:42 PM
Hi @securehops ,
Exactly. That's what I had in mind. I'm sorry. How many device groups and templates do you have? You could try the load from-xpath with just /device-group/ and /template/ without the /entry/.... That would may also merge the shared device group which may be what you want.
Thanks,
Tom
12-19-2023 12:47 PM
In this Panorama, I have 2 device groups and 4 templates (and 4 template stacks)
12-19-2023 12:51 PM
Thank you. That's not terrible to move them one at a time. Sorry for the misunderstanding.
12-20-2023 10:55 AM - edited 12-20-2023 10:56 AM
hi @TomYoung
Unfortunately, didn't have any luck with this. Kept getting errors Server error : input file doesn't have anything at devices
Spoke with TAC about it, after some review with their resources, they are saying since the two panoramas are managing different firewalls, the only option for the panorama (that we want to get rid of) is convert each firewall to local config and import the full config into the panorama we want to keep
12-20-2023 11:26 AM
Hi @securehops ,
Your from-xpath should be /config/devices/.... The fact that TAC didn't point that out is interesting.
Load config partial can be a pain to learn, but once you do you can save a lot of time. Your scenario is a perfect example. Merging the configuration will be a lot quicker than pushing the config locally for all your devices and importing them. With regard to import, there are a couple gotchas to be aware of.
Thanks,
Tom
12-20-2023 06:07 PM - edited 12-21-2023 05:58 AM
@TomYoung thank you very much for your assistance.
I was able to successfully import all the configuration from the to-be-retired panorama, following these steps
Step 1: Import the serial numbers into panorama
load config partial mode merge from-xpath /config/mgt-config/devices to-xpath /config/mgt-config/devices from exported-panorama-cfg.xml
Step 2: Load shared objects into Panorama
load config partial mode merge from-xpath /config/shared to-xpath /config/shared from exported-panorama-cfg.xml
Step 3: Import the templates into panorama
load config partial mode merge from-xpath /config/devices/entry[@name='localhost.localdomain']/template to-xpath /config/devices/entry[@name='localhost.localdomain']/template from
exported-panorama-cfg.xml
Step 4: Import any template stacks into panorama
load config partial mode merge from-xpath /config/devices/entry[@name='localhost.localdomain']/template-stack to-xpath /config/devices/entry[@name='localhost.localdomain']/template-stack from exported-panorama-cfg.xml
Step 5: Import device groups into panorama
load config partial mode merge from-xpath /config/devices/entry[@name='localhost.localdomain']/device-group to-xpath /config/devices/entry[@name='localhost.localdomain']/device-group from exported-panorama-cfg.xml
This all imported with no errors. The last step is to point the firewalls to the new panorama, which I will try in early January. I will update the thread with the results
Thx again
01-20-2024 08:02 AM
As promised, I am here with an update. I was able to successfully move firewalls over to the new Panorama. I ran into an issue where the firewalls would show as disconnected on the new Panorama.
I remembered this article, as helpful for similar issues in the past
In this case, I only needed to clear the device state on the new Panorama using CLI command
clear device-status deviceid <device_SN>
Thanks again @TomYoung @JayGolf
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
