Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

moving away from a disconnected panorama

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

moving away from a disconnected panorama

L1 Bithead

Hi All,

we recently got disconnected from the parent company and I ended up with all the network access and policies that I can't edit, and i'm afraid to touch the disconnect from panorma without asking first...

 

If I disconnected, will the policies becames local ann I can edit them?  or what's the best scenario?

 

I'm database developer that inherited a user/pass to our firewall/router/vpn  and many blocked policies that we need to loosen.. for a PA500

 

any help is appreciated please.

 

thanks

Jason

1 accepted solution

Accepted Solutions

you could, just to see where it ends up in the list, but I wouldn't advise performing a commit with it in a production environment. if you're just trying to test the waters, I would impose limits on some level such as limiting source zone/ip to your own. Remember it's a top-down approach, so if you put a generic allow any rule at the top, it means your firewall is effectively not doing anything and will allow all traffic to and from anywhere (though as a safeguard, you are forced to actively choose the ANY option for the destination zone and source zone if that's your aim).

--
CCNA Security, PCNSE7

View solution in original post

6 REPLIES 6

L4 Transporter

There are a couple of options.

 

First (and probably most preferable in your case) is to determine whether the Panorama policies are Pre-Rules or Post-Rules. If they are Post-Rules, you should be able to create your own policies on the local firewall which will effectively override Panorama rules as it's a top-down, first match approach.

 

If that's not an option, you can indeed prevent Panorama from affecting local policies, at which point you should have the option to import/copy the Panorama policies into the local firewall.

 

I would advise reading this document before making that decision: https://live.paloaltonetworks.com/t5/Management-Articles/Disable-Panorama-Policy-and-Objects-Disable...

--
CCNA Security, PCNSE7

Hi and Thanks for stepping in, which option won't drop the netowrk or at least would bring it down for couple of minutes, also which one is revirsable if something went wrong?

 

I'd think option#1 will be better, but how to tell the post or Pre rules?

 


Hi and Thanks for stepping in, which option won't drop the netowrk or at least would bring it down for couple of minutes, also which one is revirsable if something went wrong?

neither should bring the network down. what you are effectively doing is taking away Panorama's ability to dictate policies with the second option, but it's still actually connected and reporting to Panorama as far as I know.

 

I'd think option#1 will be better, but how to tell the post or Pre rules?

 


easiest way is to create a local policy. if it shows up at the top, then you can override Panorama as you wish. if it's at the bottom, Panorama will enforce its rules first. And of course it can end up in the middle if Panorama is using both pre and Post rules.

--
CCNA Security, PCNSE7

Great! can I use that to just create a basic policy to allow all for example?

 

https://www.paloaltonetworks.com/documentation/60/pan-os/pan-os/getting-started/set-up-basic-securit...

you could, just to see where it ends up in the list, but I wouldn't advise performing a commit with it in a production environment. if you're just trying to test the waters, I would impose limits on some level such as limiting source zone/ip to your own. Remember it's a top-down approach, so if you put a generic allow any rule at the top, it means your firewall is effectively not doing anything and will allow all traffic to and from anywhere (though as a safeguard, you are forced to actively choose the ANY option for the destination zone and source zone if that's your aim).

--
CCNA Security, PCNSE7

thank you so much, that worked !!  it was on the top, I commited and everything worked again, now i'll start to figure out how to play wit the policies

  • 1 accepted solution
  • 4104 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!