07-21-2017 06:24 AM
Transition/migrate HA pair to firewall
I followed those instructions https://www.paloaltonetworks.com/documentation/80/panorama/panorama_adminguide/manage-firewalls/migr..., steps from 1 to 7 and successfully migrated 3 HA pairs to Panorama management.
After migration I've got in Panorama 3 device groups and 6 device templates.
In this document https://live.paloaltonetworks.com/t5/Management-Articles/Any-special-considerations-when-importing-H... is written that each firewall has to use its own template (bellow special note). This limitation is annoying and can lead to mistakes. After checking template values I think there is no need for this limitation and I think I could put both firewalls into the same template because relevant values for HA aren't part of the template (e.g. High Availability - General - Preemptive - Device Priority).
Is this correct, or has anyone experience with such deployment (two firewalls and one template) in the production (https://live.paloaltonetworks.com/t5/Management-Articles/How-to-add-a-locally-managed-firewall-to-pa...)?
Regards Milan
07-21-2017 08:04 AM
We already have a lot of such deployments. The dedicated template is only in the migration. After that you're free to change everything you want. You only need dedicated templates when you use them for settings which aren't the same on both firewalls.
In your case it is no problem to use one template for both clustermembers. In my case we use template stacks which contain multiple templates (global settings template, clustersettings template and devicespecific templates for each firewall with settings like mgmt ip, hostname ...)
Just keep in mind that you need to delete the devicespecific values from the import templates and the you could apply this one template to both firewalls of your HA pair.
Hope this helps.
Regards,
Remo
07-21-2017 08:04 AM
We already have a lot of such deployments. The dedicated template is only in the migration. After that you're free to change everything you want. You only need dedicated templates when you use them for settings which aren't the same on both firewalls.
In your case it is no problem to use one template for both clustermembers. In my case we use template stacks which contain multiple templates (global settings template, clustersettings template and devicespecific templates for each firewall with settings like mgmt ip, hostname ...)
Just keep in mind that you need to delete the devicespecific values from the import templates and the you could apply this one template to both firewalls of your HA pair.
Hope this helps.
Regards,
Remo
07-22-2017 12:32 PM
Hi
It helps, thank you for the answer.
During migration dedicated template, after migration one template for both firewalls.
Regards Milan
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
