01-14-2016 05:59 AM
I am looking to move my firewalls from one Panorama (7.0.3) device group to a new device group. All active policy rules have been cloned over to the new device group from the existing device group, and the objects are all "shared".
Even though all the rules being installed are the same, and are being installed on the same set of firewalls, just under a new device group name, I fear that since there are active NAT rules there may be some NAT-related issues when the new device group gets applied.
Does anyone know of any issues when migrating between device groups?
01-18-2016 06:58 AM
Hi,
Although all objects and policies might be identical, because the firewall is being moved between different device groups the entire previous configuration will get removed and replaced by a new one (replacing the old XML with a new one, in essence).
This means all objects will be removed and re-added and could be assigned a different 'id' by the idmgr process, causing mismatches in existing sessions (each newly added object, zone, rule, ... is assigned an 'id' which is then used by the underlying engines to properly match sessions).
It's recommended to perform this task during a maintenance window to minimise impact.
regards
Tom
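Because the commit described above replaces the whole device-group configuration on the firewall, a defender will want to confirm before committing that the cloned rulebase really is identical to the original. The script below is an added example, not code from this thread or from Palo Alto Networks: it diffs two exported rulebase XML fragments by rule name and reports rules that are missing, extra, or changed. The element layout (`<rules>` containing `<entry name="...">` with `<member>` lists) is an assumption modelled on PAN-OS configuration exports, and the two sample rulebases, including the drifted translated address, are constructed for the demonstration.

```python
"""Diff two rulebase XML fragments (e.g. old vs. cloned device group) by rule name.

Added example, not from the thread. The element layout (<rules><entry name=...>
with <member> lists) is an assumption modelled on PAN-OS config exports; adjust
the element names if a real export differs.
"""
import xml.etree.ElementTree as ET


def _canon(elem, path=""):
    """Flatten an element subtree into a sorted tuple of (path, text) pairs.

    Sorting makes <member> order irrelevant, so two rules that list the same
    zones/addresses in a different order still compare equal.
    """
    items = []
    text = (elem.text or "").strip()
    if text:
        items.append((path, text))
    for child in elem:
        items.extend(_canon(child, f"{path}/{child.tag}"))
    return tuple(sorted(items))


def rules_by_name(xml_text):
    """Return {rule name: canonical form} for every direct <entry> under <rules>."""
    root = ET.fromstring(xml_text)
    rules = {}
    for entry in root.findall("./entry"):
        name = entry.get("name")
        if name is not None:
            rules[name] = _canon(entry)
    return rules


def diff_rulebases(old_xml, new_xml):
    """Compare two rulebases; every list being empty means the clone is identical."""
    old, new = rules_by_name(old_xml), rules_by_name(new_xml)
    return {
        "missing": sorted(set(old) - set(new)),            # in old only
        "extra": sorted(set(new) - set(old)),              # in new only
        "changed": sorted(n for n in old.keys() & new.keys() if old[n] != new[n]),
    }


# Constructed sample: the original device group's NAT rulebase (addresses are
# RFC 5737 documentation ranges, not real infrastructure).
OLD_RULES = """<rules>
  <entry name="nat-web-outbound">
    <from><member>trust</member></from>
    <to><member>untrust</member></to>
    <source><member>web-servers</member></source>
    <destination><member>any</member></destination>
    <service>any</service>
    <source-translation><dynamic-ip-and-port>
      <translated-address><member>192.0.2.10</member></translated-address>
    </dynamic-ip-and-port></source-translation>
  </entry>
  <entry name="nat-dns">
    <from><member>trust</member></from>
    <to><member>untrust</member></to>
    <source><member>dns-servers</member></source>
    <destination><member>any</member></destination>
    <service>service-dns</service>
  </entry>
</rules>"""

# Constructed sample: the cloned device group, with deliberate drift so the
# diff has something to report (changed translated address, one rule missing,
# one stray rule added).
NEW_RULES = """<rules>
  <entry name="nat-web-outbound">
    <to><member>untrust</member></to>
    <from><member>trust</member></from>
    <source><member>web-servers</member></source>
    <destination><member>any</member></destination>
    <service>any</service>
    <source-translation><dynamic-ip-and-port>
      <translated-address><member>192.0.2.11</member></translated-address>
    </dynamic-ip-and-port></source-translation>
  </entry>
  <entry name="nat-temp">
    <from><member>trust</member></from>
    <to><member>untrust</member></to>
    <source><member>any</member></source>
    <destination><member>any</member></destination>
    <service>any</service>
  </entry>
</rules>"""


if __name__ == "__main__":
    for kind, names in diff_rulebases(OLD_RULES, NEW_RULES).items():
        print(f"{kind}: {names or '-'}")
```

Run it against the two `<rules>` fragments exported from the old and the cloned device group; an empty result for all three keys is the pre-commit check that the clone carries exactly the same rules, so the only change at commit time is the one Tom describes (object IDs being reassigned), which the maintenance window is there to absorb.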
01-18-2016 05:24 AM
Here is the response from Palo Alto support -
It is suggested to perform the change during a maintenance window since it's wiping and rewriting to the firewall.
01-21-2016 07:43 AM - edited 03-26-2018 07:55 AM
After moving device groups and committing the new device group to the firewalls, no noticeable impact to traffic was detected.
10-29-2018 12:20 PM
I am also planning to do this in coming days.
Seems for you it worked without any issues right?