I have some questions about integration between PA firewall and Panorama.
In my scenario, there's one cluster of PA devices and only one Panorama device.
The firewall policies were imported from the cluster into Panorama (Pre-Rules in the Device group).
I performed some changes on policies and pushed them back to the cluster. Until now, everyhting is OK...
After pushing, all policies are greyed out on the firewall (and marked as read only)...
what's happen if the connectivity is down between Panorama and the cluster ?
Can I still add/remove/change policies locally on the firewall itself ???
Once Panorama is UP again, can I import the change made locally to Panorama ??
The rules are greyed out only because they came from Panorama, and to indicate that they can only be modified on Panorama instead of locally on the firewall. Generally you don't want a local firewall admin to override the rules from Panorama.
Once those rules are committed to the firewall, they are part of the configuration. Connectivity to Panorama is not needed to maintain the function of the rules. If you lose connectivitiy to Panorama, the rules stay in place but you won't be able to modify them until Panorama reconnects.
You can still add/remove/change policies on the local firewall itself, but not the rules pushed from Panorama.
Thanks for your answer.
And what about my last question ??
Can I reimport the rules from the device to Panorama ??
Yes. On the firewall, you can disable the Policy and Objects (Device > Setup > Management > "Panorama Settings" section). You'll be given an option to import the Panorama items locally.
My rule of thumb is that I don't make any changes to my firewalls outside of Panorama. I have never had Panorama down outside of Panorama upgrades, so it hasn't been an issue. If I did make changes locally, I would just manually recreate on Panorama. Since you only have 1 cluster, it seems unlikely that Panorama would be down and you needed to make many changes locally. I have found that the import process back into Panorama can be a challenge, especially if there is existing configuration. I believe that duplicate items can get created.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!