moving away from a disconnected panorama


L1 Bithead

Hi All,

We recently got disconnected from the parent company and I ended up with all the network access and policies that I can't edit, and I'm afraid to touch the disconnect from Panorama without asking first...

 

If I disconnect, will the policies become local and I can edit them? Or what's the best scenario?

 

I'm a database developer that inherited a user/pass to our firewall/router/VPN and many blocked policies that we need to loosen, for a PA500.

 

Any help is appreciated, please.

 

Thanks

Jason

6 replies

L4 Transporter

There are a couple of options.

 

First (and probably most preferable in your case) is to determine whether the Panorama policies are Pre-Rules or Post-Rules. If they are Post-Rules, you should be able to create your own policies on the local firewall which will effectively override Panorama rules as it's a top-down, first match approach.

 

If that's not an option, you can indeed prevent Panorama from affecting local policies, at which point you should have the option to import/copy the Panorama policies into the local firewall.

 

I would advise reading this document before making that decision: https://live.paloaltonetworks.com/t5/Management-Articles/Disable-Panorama-Policy-and-Objects-Disable...

--
CCNA Security, PCNSE7

Hi and thanks for stepping in. Which option won't drop the network, or at least would bring it down only for a couple of minutes? Also, which one is reversible if something goes wrong?

 

I'd think option #1 will be better, but how do I tell the Post or Pre rules?

 

Hi and thanks for stepping in. Which option won't drop the network, or at least would bring it down only for a couple of minutes? Also, which one is reversible if something goes wrong?

Neither should bring the network down. What you are effectively doing with the second option is taking away Panorama's ability to dictate policies, but the firewall is still actually connected and reporting to Panorama as far as I know.

 

I'd think option #1 will be better, but how do I tell the Post or Pre rules?

 

The easiest way is to create a local policy. If it shows up at the top, then you can override Panorama as you wish. If it's at the bottom, Panorama will enforce its rules first. And of course it can end up in the middle if Panorama is using both Pre and Post rules.

--
CCNA Security, PCNSE7

Great! Can I use that to just create a basic policy to allow all, for example?

 

https://www.paloaltonetworks.com/documentation/60/pan-os/pan-os/getting-started/set-up-basic-securit...

You could, just to see where it ends up in the list, but I wouldn't advise performing a commit with it in a production environment. If you're just trying to test the waters, I would impose limits on some level, such as limiting the source zone/IP to your own. Remember it's a top-down approach, so if you put a generic allow-any rule at the top, it means your firewall is effectively not doing anything and will allow all traffic to and from anywhere (though as a safeguard, you are forced to actively choose the ANY option for the destination zone and source zone if that's your aim).

--
CCNA Security, PCNSE7
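The two replies above describe one check (create a local rule and see whether it lands at the top, middle or bottom of the merged rulebase) and one caveat (a local allow-any rule above Panorama's post-rules switches off enforcement for everything the pre-rules don't already block, so a test rule should be scoped to your own source zone and address). The following is an added example, not code from the thread or from Palo Alto Networks: a small first-match evaluator over a merged rulebase ordered Panorama pre-rules, local rules, Panorama post-rules, with the PAN-OS intrazone-allow / interzone-deny defaults when nothing matches. The rule names, zones and addresses are made up for illustration.

```python
"""Added example: first-match evaluation of a Panorama-managed rulebase.

Evaluation order modelled here: Panorama pre-rules, then the firewall's
local rules, then Panorama post-rules, then the built-in defaults
(intrazone-default allow, interzone-default deny).  Rule names, zone
names and addresses below are constructed for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List


@dataclass(frozen=True)
class Rule:
    name: str
    origin: str      # "pre" (Panorama), "local" (firewall), "post" (Panorama), "default"
    from_zone: str   # zone name or "any"
    to_zone: str     # zone name or "any"
    source: str      # CIDR or "any"
    action: str      # "allow" or "deny"

    def matches(self, from_zone: str, to_zone: str, src_ip: str) -> bool:
        return (self.from_zone in ("any", from_zone)
                and self.to_zone in ("any", to_zone)
                and (self.source == "any"
                     or ip_address(src_ip) in ip_network(self.source, strict=False)))


def merged_rulebase(pre: List[Rule], local: List[Rule], post: List[Rule]) -> List[Rule]:
    """Order as the managed firewall evaluates it: pre, local, post."""
    return list(pre) + list(local) + list(post)


def local_rule_position(rulebase: List[Rule]) -> str:
    """The check from the thread: where do the local rules sit in the merged list?"""
    origins = [r.origin for r in rulebase]
    if "local" not in origins:
        return "none"
    first = origins.index("local")
    last = len(origins) - 1 - origins[::-1].index("local")
    if first == 0:
        return "top"        # no pre-rules: local rules can override Panorama
    if last == len(origins) - 1:
        return "bottom"     # only pre-rules: Panorama always wins
    return "middle"         # both pre- and post-rules in use


def evaluate(rulebase: List[Rule], from_zone: str, to_zone: str, src_ip: str) -> Rule:
    """Top-down, first match wins; fall through to the PAN-OS default rules."""
    for rule in rulebase:
        if rule.matches(from_zone, to_zone, src_ip):
            return rule
    if from_zone == to_zone:
        return Rule("intrazone-default", "default", "any", "any", "any", "allow")
    return Rule("interzone-default", "default", "any", "any", "any", "deny")


# Constructed sample data (hypothetical names, zones and addresses).
PANORAMA_PRE = [Rule("pre-block-guest", "pre", "guest", "untrust", "any", "deny")]
PANORAMA_POST = [Rule("post-deny-all", "post", "any", "any", "any", "deny")]
# The scoped test rule the reply recommends: only your own zone and host.
SCOPED_TEST = Rule("test-allow-my-host", "local", "trust", "untrust", "10.1.1.50/32", "allow")
# The generic allow-any rule the reply warns against.
ALLOW_ANY = Rule("allow-any", "local", "any", "any", "any", "allow")


def scenario(local_rules: List[Rule]) -> Dict[str, str]:
    """Which rule decides for a few representative flows, given these local rules."""
    rb = merged_rulebase(PANORAMA_PRE, local_rules, PANORAMA_POST)
    return {
        "position": local_rule_position(rb),
        "my_host": evaluate(rb, "trust", "untrust", "10.1.1.50").name,
        "other_host": evaluate(rb, "trust", "untrust", "10.1.1.51").name,
        "guest": evaluate(rb, "guest", "untrust", "10.1.1.50").name,
    }


if __name__ == "__main__":
    print("scoped test rule:", scenario([SCOPED_TEST]))
    print("allow-any rule:  ", scenario([ALLOW_ANY]))
```

With the scoped rule only the named host gets through; every other host still hits Panorama's post-deny, and the guest zone is still blocked by the pre-rule, which a local rule can never override. With the allow-any rule the post-rules never see any traffic at all, which is the "firewall effectively not doing anything" outcome from the reply.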

Thank you so much, that worked!! It was on the top, I committed and everything worked again. Now I'll start to figure out how to play with the policies.

  • 1 accepted solution
  • 3668 Views
  • 6 replies
  • 0 Likes