12-07-2016 06:28 AM
Hi All,
I would like to seek advice from you all regarding the Palo Alto firewall and Panorama integration.
We have deployed 2 pairs of Palo Alto firewalls: 1 pair in DC A and 1 pair in DC B.
Now we want to deploy Panorama, so that for the common rules we can use Panorama to create and push the common rules to both DCs.
Kindly advise how to do it. What I know so far:
1. On each FW, add the Panorama IP address
2. On Panorama, add the serial number of the Palo Alto firewall
Up to this part I quite understand, but I am still not really sure about the
template, device group, etc. Do we need to import the FW configuration into Panorama?
Kindly advise on the steps required to achieve the requirement.
Thanks
12-08-2016 12:43 AM
After adding the device in Panorama, you can start pushing new config from Panorama.
If you wish to import the existing device config into Panorama, then you may refer to the KB below:
12-08-2016 01:20 AM
Hi poagrawal,
Thanks for your reply. I don't have any issue adding the Palo Alto FW to Panorama. As I mentioned, I'm not quite sure about the template and device group after adding the FW to Panorama.
As per my understanding, we need to create a device group and a template. Kindly advise more on this.
"If you wish to import the existing device config in panorama, then you may refer below KB:-"
-> Do we actually really need to import the Palo Alto config to Panorama, since currently my Palo Alto FW is up and running?
If we do not import it, based on my test it will cause the commit to fail if I use the same object when creating a policy from Panorama. So may I know what is the correct procedure for Palo Alto FW and Panorama integration?
12-08-2016 05:50 AM
This link will help you understand the basics of device groups and templates; there really isn't any advice to give you unless you have a more specific question. You will need to set up device groups and device templates however your environment needs them.
12-08-2016 12:15 PM
Hi Indram,
It is safe to add the firewalls to Panorama; the default settings will be only for communication between both Panorama-managed firewalls. Panorama places newly added firewalls in a default group and does not apply any settings as long as you don't add them to a specific group.
12-09-2016 02:13 AM
This is what I think should be followed.
On Panorama, create a standard template.
Log in to the FW locally, assign the mgmt IP, assign the Panorama IP, delete the existing security policy, VR, zones, interfaces, and commit the changes.
Add the FW in Panorama; once you see it connected, push the standard template config to the FW.
Once the template is pushed, commit the device group config.
12-14-2016 12:07 AM
Hi,
I would suggest you go through the Panorama Admin guide to understand Device Group and Template in detail.
But never delete existing security policies on the PA firewall and commit locally. All traffic will get denied as you have no policies on the PA firewall to allow it.
If you are running the latest version of PAN-OS like 7.X.X, you can import all configuration of the PA firewall into Panorama, and in future you can manage all configuration of the firewall from Panorama.
I hope this finds you well.
Best Regards,
Fozail