Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Palo Alto 5220-HA connected to Panorama with Templates and Device Groups and to these same Firewalls config and apply VSYSX, vsys2,vys3,vsys4

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Palo Alto 5220-HA connected to Panorama with Templates and Device Groups and to these same Firewalls config and apply VSYSX, vsys2,vys3,vsys4

L4 Transporter

Hello good evening Live Community, as always thanks for the collaboration and your time.

 

Any of you have had to do the following:

 

Detail Environment/infra: HA 5220 x 8 connected to Panorama with Device Groups and Template Stack.

 

What are you looking to validate and be able to do, generate new Virtual Systems for new traffic on these HA machines that are already productive connected to Panorama.

 

Per license with the base of 10 vsys is enough. Now, have any of you had to deal with something like this? i.e. firewall in HA, connected to Panorama, deploying vsys on them?

 

Does it involve reboots? Does it involve situations or limitations with Panorama and the vsys ? will it be transparent for the current Tempalte and Device Groups ? Is it necessary to do onboarding of the new vsys ? What are the major issues to review, validate and take special care for this environment?

 

These firewalls have a usage of 5 to 10% with luck, so they want to take advantage of the interfaces that are left over and take advantage of the hardware to use vysys and have another 2 or 3 firewalls for each HA.

 

Thank you very much for your comments, tips, details, help, recommendations and above all for your time and good vibes.

 

I remain attentive

 

Best regards

High Sticker
5 REPLIES 5

L4 Transporter

Hello @TomYoung @Raido_Rattameister @aleksandar.astardzhiev @BPry @PavelK @OtakarKlier @Remo 

Sorry for referencing you, but can you help me and give me your point of view with this.

Thanks for your time and collaboration.

Best regards

High Sticker

Cyber Elite
Cyber Elite

Hi @Metgatz ,

 

I see that no one with more experience has jumped it.  I will give you my $.02.  That may be all it is worth.  😀  I hope I don't write anything inaccurate.

 

The 1st question to ask yourself is why do you want to do virtual systems?  My answer is for separate administration, e.g. different people will manage the different virtual systems.  If your goal is traffic segmentation, that can be handled with separate virtual routers, zones, interfaces, and policy rules.

 

Now, have any of you had to deal with something like this?  I imported NGFWs with vsys into Panorama.

 

Does it involve reboots?  No.

 

Does it involve situations or limitations with Panorama and the vsys?  Not that I am aware.  https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PLsWCAW

 

Will it be transparent for the current Template and Device Groups?  Yes.  The templates will remain the same with a vsys options for interfaces, zones, etc.  A new device (vsys2) should show up in Panorama that you can assign to different device groups.

 

Is it necessary to do onboarding of the new vsys?  I don't think so.

 

What are the major issues to review, validate and take special care for this environment?  I did not have any issues with my one customer.  It is useful to know that the commit is done for the whole NGFW.  https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-new-features/panorama-features/device-group-pus...

 

If you go forward, please post how it goes!

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

Hello @TomYoung , thanks for taking the time to reply.

 

Any information is appreciated, thank you very much for collaborating.

 

The TAC told me the following as a summary to perform.

 

As in this case the Firewalls are already currently in Panorama, it is not something from scratch, but Firewall 52XX that are already in Panorama, with its Template/Template Stack 1 per HA and a Device Group for each HA of firewalls. They, the TAC, told me the following steps at a general level:

 

1.- Remove the Panorama firewalls and leave everything local.


2.- Enable Multy-vsys on both HA teams. Computers occur so keep an eye out for them.


3.- In point 3, this is where they did not know how to accurately answer my questions in the TAC:
Once you leave everything local and already enable Multy-vsys, when doing a new onboarding/re-onboarding, which is recommended to use ? the same Template/Template-Stack, and from the Template add new vsys ? or generate in the HA, Local, that is, disconnected from Panorama, generate the new vsys disconnected from Panorama, that is, create the vsys2, vsys3, vsys4 and then do onboarding and use that "new template" with the new vsysx? Or it is better just to enable multy-vsys in the firewalls, use the same template/template that you already had for the HA and from Panorama in the template add the new vsys2, vsys3 or vsys4.

 

4.- The point of the Device Groups, if that is much clearer to me, that is, the default Device Group vsys1, with the current Device Groups and already for vsys2, vsys3 and vsys4, I can go generate a DG for each vsys2 and manage them individually.

Point 3 is where I have the most confusion. I don't know if something similar has touched you or you have any Light or comments regarding that point 3.

 

Thank you very much for your time and valuable collaboration.

 

Greetings and attentive to your comments.

High Sticker

Cyber Elite
Cyber Elite

Hi @Metgatz ,

 

Did they give you a reason why you needed to move everything locally?  I know how to make everything local and bring it back to Panorama, but that is a lot of work which seems unnecessary.

 

To answer question 3, any time that you add a NGFW as a managed device in Panorama, always use the template and device group created during the import to make sure you get all of the config.

 

I would try my steps with 1 HA pair and see how it works.  It looks SO much simpler and straightforward.

 

  1. Create the new vsys in Panorama.  Push it to the NGFW.
  2. Add the zones, interfaces, etc. to the new vsys in the existing template.
  3. Create a new device group for the new HA vsys devices.

I would like to know if that works.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

Hello @TomYoung , thank you for your comments, collaboration and time. That's what I asked TAC, even others on Reddit forums comment me that to remove it from Panorama. No concrete, precise and consistent reason for leaving them local, no one has given any explanation, no one has given a concrete reason for leaving them local and reintegrating them. 

 

That I should remove those of Panorama the HA from the firewalls to enable multy-vsys and it was the same thing that I stressed and confirmed the TAC, at that point. That was his textual answer. I explained and commented the same detailed context that I put in the Live, i.e. firewalls currently connected to Panorama with their Device Groups and Template/Template-Stack by HA and that we must add multy-vsys to those. His exact answer was:

________________

Hello...

Thank you for your response.

You can follow the steps mentioned below:

1.- Remove from Panorama, i.e. move everything to Local, move everything to local the firewalls in HA.
2.- Enable Multy-vsys in each HA Firewall.
3.- Add the necessary vsys.
4.- Upload again to Panorama with each Device Groups for each Vsys ( Including the Default vsys1 and the rest of vsys2,3,4,X etc etc... ).
5. You can use the same template.

If you face any validation errors while adding the firewalls, you can follow the steps mentioned in the below article.

Migrate a Multi-vSYS enabled Firewall HA Pair to Panorama Management
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CmM0CAK

__________________

 

That is why I am commenting about removing and enabling it disconnected from Panorama and my big doubt that at the time of the Onboarding or Re-onboarding of the equipment use the same Template/Template Stack and enable after having the Firewall again in Panorama, the new vsys and then push the configurations or the other option to enable the vsys, with the firewall disconnected from Panorama and at the time of the reonboarding, use the new Template that will have I imagine the new vsys2, vsys3 or whatever you add.

 

But now for what you say, if you can do everything, without taking out of Panorama, then this would be much, much better.

 

Thank you for your time, I remain attentive to your comments.

 

Regards

High Sticker
  • 1999 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!