I'm in the process of setting up our new firewalls. I went ahead and set up management on each of them, got them updated, got them paired up into Active/Passive, and am now following the Palo Alto 8.1 guide to migrate an HA config over to Panorama. I'm almost to the end but I have a question concerning the templates. The instructions say to delete the template for the secondary and then add the secondary into the template for the primary, but it also says:
"Do not combine the HA firewall pair in to a single template if a unique Hostname, management IP address, or HA configuration is configured for each HA peer."
I find this a little confusing since everything I've read indicates that each unit in the A/P pair still has to have unique management IP, hostname, etc.
The guide I'm following is here:
Can anyone clue me in on what best practices is here? My intention was to have a single config with A/P so I don't have to duplicate VPN changes on a second template. The instructions say to turn config sync back on at the end too so it sounds like it is supposed to use a single template but then wouldn't that mean the passive firewall would be unreachable on its management port, even to Panorama?
I usually setup the hostname, management IP and HA information locally on each firewall then push everything else out from a single template to both firewalls.
I also have 2 templates that I have setup in a template stack. 1 that has basic configurations that I want all firewalls in the environment to have like NTP servers, logging servers, etc. Then I have a specific template for each HA pair in the template stack and push the template stack out to the firewalls. This way you can make sure that the common settings are applied the exact same to all firewalls in the environment but also maintain individual site settings.
Not sure if this is best practice but its how I configured it.
@dstjamesthanks for the reply. That is actually what I ended up trying and it seems to work. Panorama actually has no config information for those fields and they're just defined locally on the firewalls. Since they won't sync even after config sync is re-enabled, they should remain unique on each.
I'm really curious why the instructions are worded like that... it doesn't make it clear if they're talking about management IP/hostname config in the Panorama templtate or the settings on the local configs on the firewalls.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!