palo alto and panorama integration

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

palo alto and panorama integration

L0 Member

Hi All

 

i would like to seek and advice from you all regarding the palo alto firewall and panorama integration

we have deployed 2 pair palo alto firewalls 1 pair in DC A and 1 pair in DC B.

 

now we want to deploy the panorama so for the common rule we can use panorama to create and push the common rule  to both DC

 

kindly your advice how to do it. what i know so far

 

1\ on each fw add the panorama ip address

2\ on panorama add the serial number of the palo alto firewall

 

untill this parts i quite understand but i still not really sure about the 

template, device group etc, do we need to import fw configuration into the panorama?

 

kindly advice for the steps required to achieve the requirement

 

 

Thanks

 

 

6 REPLIES 6

L3 Networker

https://www.paloaltonetworks.com/documentation/70/panorama/panorama_adminguide/manage-firewalls/add-...

After adding the device in panorama, you can start pushing new config from panorama.

 

If you wish to import the existing device config in panorama, then you may refer below KB:-

https://www.paloaltonetworks.com/documentation/70/pan-os/newfeaturesguide/panorama-features/firewall...

Best Effort Contributor

Check out our PANCast Channel

Hi poagrawal

 

thanks for your reply. i dont have any issue for add palo alto fw to panorama. as i mentioned i'm not quite sure about the template and device group after adding the fw to panorama

 

as per my understanding we need to create device group and template . kindlly your advice more on this

 

If you wish to import the existing device config in panorama, then you may refer below KB:-

-> actually do really need to import the palo alto config to panorama since currenlty my palo alto fw up and running.

 

if we not import it, based on my test i will cause the commit failed if i use the same object when i creating policy from panormana. so may i know what is the correct procedure for palo alto fw and panorama integration

This link will help you understand the basics of device groups and templates; there really isn't any advice to give you unless you have a more specific question. You will need to setup device groups and device templates however your enviroment needs them. 

Hi Indram,

 

Is safe to add the firewalls to panorama, the default settings will be only for communication between both Panorama-Managed firewalls, Panorama place newly added firewalls to a default group and does not Apply any settings as long as you don't add them to a specific group.

This is what i think should be followed.

On Panormana create standard template.

Login to fw locally , assign mgmt IP , assign panorama IP , deletes exixting security policy , VR, zones,interfaces commit changes.

Add FW in panormana once you see it connected push standard template config to fw.

Once template is pushed. commit device group config.

 

 

 

 

 

SD-WAN | Cloud Networking | PCNSE | ICSI CNSS | MCNA | | CCNP | CCSA | SPSP | SPSX | F5-101 |

Hi,

 

I would suugest you to go through Panorama Admin guide to understand Device Group and Template in detail.

 

But never delete existing security policies on PA firewall and commit locally. All tarrfic will get denied as you have no policies on PA firewall to allow it.

 

If you are running latest verion of PAN OS like 7.X.X , you can import all configuration of PA firewall on Panorama and in future you can manage all configuration of firewall from Panorama.

 

I hope this finds you well.

 

Best Reagrds,

 

Fozail

  • 3016 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!