Moving between device groups


L2 Linker

I am looking to move my firewalls from one Panorama (7.0.3) device group to a new device group. All active policy rules have been cloned over to the new device group from the existing device group, and the objects are all "shared".

Even though all the rules being installed are the same, and are being installed on the same set of firewalls, just under a new device group name, I fear that since there are active NAT rules there may be some NAT-related issues when the new device group gets applied.

Does anyone know of any issues when migrating between device groups?


Accepted Solutions

Hi

Although all objects and policies might be identical, because the firewall is being moved between different device groups the entire previous configuration will get removed and replaced by a new one (replacing the old xml with a new one, in essence).

This means all objects will be removed and re-added and could be assigned a different 'id' by the idmgr process, causing mismatches in existing sessions (each newly added object, zone, rule, ... is assigned an 'id' which is then used by the underlying engines to properly match sessions).

It's recommended to perform this task during a maintenance window to minimise impact.

Regards,

Tom

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

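Since the move replaces the whole pushed configuration, the one thing still worth verifying before the maintenance window is that the cloned device group really carries the same security and NAT rules, in the same order, as the old one. The script below is an added example, not code from this thread or from Palo Alto Networks: it parses a constructed XML fragment shaped like a Panorama running configuration (device-group entries with pre-rulebase security and nat rules) and reports rules that are missing, added, changed, or reordered between the two groups. It assumes that layout matches what an XML API config get on the device-group xpath returns on your Panorama version; check it against your own exported config before relying on it. The sample data is constructed so that the NAT rulebase has drifted while the security rulebase is identical apart from member order, which the comparison deliberately ignores.

```python
"""Pre-migration check: do two Panorama device groups carry the same rules?

Constructed example (not Palo Alto code). CONFIG is a hand-made fragment
shaped like a Panorama running config: device-group entries holding
pre-rulebase security and nat rules. Assumption: a real Panorama returns
the same shape for an XML API config get on the device-group xpath; verify
against your own exported config before trusting the result.
"""
import xml.etree.ElementTree as ET

# Constructed sample: DG-new was cloned from DG-old, but the clone drifted.
# The NAT rule outbound-snat now egresses on a different interface and
# inbound-dnat was never cloned. The security rules are identical (only the
# member order inside <application> differs, which is not a semantic change).
CONFIG = """
<config><devices><entry name="localhost.localdomain"><device-group>
  <entry name="DG-old"><pre-rulebase>
    <security><rules>
      <entry name="allow-web"><from><member>trust</member></from><to><member>untrust</member></to>
        <application><member>web-browsing</member><member>ssl</member></application>
        <action>allow</action></entry>
      <entry name="deny-all"><from><member>any</member></from><to><member>any</member></to>
        <application><member>any</member></application><action>deny</action></entry>
    </rules></security>
    <nat><rules>
      <entry name="outbound-snat"><from><member>trust</member></from><to><member>untrust</member></to>
        <source-translation><dynamic-ip-and-port><interface-address>
          <interface>ethernet1/1</interface></interface-address></dynamic-ip-and-port></source-translation></entry>
      <entry name="inbound-dnat"><from><member>untrust</member></from><to><member>untrust</member></to>
        <destination><member>public-web-vip</member></destination>
        <destination-translation><translated-address>web-server</translated-address></destination-translation></entry>
    </rules></nat>
  </pre-rulebase></entry>
  <entry name="DG-new"><pre-rulebase>
    <security><rules>
      <entry name="allow-web"><from><member>trust</member></from><to><member>untrust</member></to>
        <application><member>ssl</member><member>web-browsing</member></application>
        <action>allow</action></entry>
      <entry name="deny-all"><from><member>any</member></from><to><member>any</member></to>
        <application><member>any</member></application><action>deny</action></entry>
    </rules></security>
    <nat><rules>
      <entry name="outbound-snat"><from><member>trust</member></from><to><member>untrust</member></to>
        <source-translation><dynamic-ip-and-port><interface-address>
          <interface>ethernet1/2</interface></interface-address></dynamic-ip-and-port></source-translation></entry>
    </rules></nat>
  </pre-rulebase></entry>
</device-group></entry></devices></config>
"""

RULEBASES = ("security", "nat")


def _canon(elem, prefix=""):
    """Flatten a rule into a frozenset of (path, text) pairs so that member
    order inside a list does not count as a difference; rule order is
    compared separately because first-match evaluation depends on it."""
    pairs = set()
    for child in elem:
        path = f"{prefix}/{child.tag}"
        if len(child) == 0:
            pairs.add((path, (child.text or "").strip()))
        else:
            pairs |= _canon(child, path)
    return frozenset(pairs)


def load_rules(root, device_group, rulebase, stage="pre-rulebase"):
    """Ordered list of (rule name, canonical form) for one rulebase."""
    xpath = (f"./devices/entry/device-group/entry[@name='{device_group}']"
             f"/{stage}/{rulebase}/rules/entry")
    return [(e.get("name"), _canon(e)) for e in root.findall(xpath)]


def diff_device_groups(config_xml, old_dg, new_dg):
    """Report rules missing, added, changed or reordered between two groups."""
    root = ET.fromstring(config_xml)
    report = {}
    for rb in RULEBASES:
        old, new = load_rules(root, old_dg, rb), load_rules(root, new_dg, rb)
        old_map, new_map = dict(old), dict(new)
        common_old = [n for n, _ in old if n in new_map]
        common_new = [n for n, _ in new if n in old_map]
        report[rb] = {
            "missing_in_new": [n for n, _ in old if n not in new_map],
            "extra_in_new": [n for n, _ in new if n not in old_map],
            "changed": [n for n in common_old if new_map[n] != old_map[n]],
            "order_differs": common_old != common_new,
        }
    return report


def is_clean(report):
    """True only when every rulebase is identical in content and order."""
    return all(not r["missing_in_new"] and not r["extra_in_new"]
               and not r["changed"] and not r["order_differs"]
               for r in report.values())


if __name__ == "__main__":
    rep = diff_device_groups(CONFIG, "DG-old", "DG-new")
    for rb, r in rep.items():
        print(rb, r)
    print("safe to move:", is_clean(rep))
```

Run against the constructed sample, the security rulebase comes back clean while the NAT rulebase flags `inbound-dnat` as missing and `outbound-snat` as changed, which is exactly the kind of drift that would only show up as broken translations after the new group is pushed. To use it on real data, replace `CONFIG` with the device-group subtree exported from Panorama and point it at the post-rulebase as well via the `stage` argument.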


L2 Linker

Here is the response from Palo Alto support -

It is suggested to perform the change during a maintenance window since it's wiping and rewriting to the firewall.


After moving device groups and committing the new device group to the firewalls, no noticeable impact to traffic was detected.

I am also planning to do this in coming days.

Seems for you it worked without any issues right?

MP
