I have two new PA-500 firewalls and want to install it in Active/Passive setup. Right now only the management interfaces are connected. I did the initial setup, updated the software to 6.0.4 and connected both firewalls to Panorama. I did not assign templates and device groups right now.
Now I have a question about the setup in panorama.
As I discovered I have to push the policies and objects to both devices. This should be no problem because all data in policies and objects should be the same for both devices. Is this right?
The harder part is the template which includes the network and device settings. I want to do all configuration via Panorama. Obviously I can't use one template for both devices. Should I use two different templates instead, one for each device? Is there a best practice available for HA pairs?
Is the HA setup with Panorama and two templates the same process which is described in the PAN-OS Administrator’s Guide? Or are there any differences?
Here is the knowledge base article, which explains, what information will be synchronized in an HA Pair :
Panorama treats every device independently, no matter whether they are in HA or standalone. So if, any of the parameters are different for both nodes, then it would be better to have separates for each device.
Hope this helps.
Normally people do not use panorama to configure everything on firewall. So just one template and one device group works for them.
But if you want to configure everything from Panorama than you you have to have two different Templates. With different Template you can also configure management IP addresses.
So, if you configure management IP locally, then rest you can configure with just one Template on both the units.
You have a good handle on how the Panorama template system works. As Hulk and hshah have pointed out these are really designed just to cover the common settings you want to push to all of the firewalls in a group and not all settings.
You do need to be sure you pull full local backups of the individual firewalls in the group to have for disaster recovery. You will restore this configuration first then push the updated policy and template settings from Panorama.
With clusters, most of the settings do sync between the two devices. You can see the details in this document.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!