This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Questions about Migrating HA Firewalls to Panorama

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Questions about Migrating HA Firewalls to Panorama

Go to solution
myamane
L0 Member

‎04-26-2021 03:57 PM

I'm working through the documentation to migrate a active/passive HA pair of 3220's to Panorama management and had a few questions (https://docs.paloaltonetworks.com/panorama/10-0/panorama-admin/manage-firewalls/transition-a-firewal...).  

 

1) Before I push the configs to the firewalls, what can I check to make sure I don't accidentally overwrite the management IPs of the firewalls and break connectivity?

 

2) At Step 6.6, if I don't want to use template variables to configure the HA settings and just want to keep that stuff local, what do I do?

 

3) At Step 6.7 when it comes time to push the device group and template stack configs to the firewalls it says to first push to the Passive firewall, but the steps aren't so clear.  For 6.7.1, when it says to Edit Selections do I only select the passive firewall and then continue through to 6.7.4 where the configuration is pushed?  And then 6.7.5 fails over to the passive firewall with it's newly pushed configuration.  And then repeat steps 6.7.1-4 where I Edit the Selection and now select the Old Active (now passive) firewall and push the config to that one? 

 

Any help is appreciated, thanks in advance!

0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
reaper
Cyber Elite
Cyber Elite

‎04-27-2021 05:50 AM

for your 1: if you push configuration from panorama to an already configured firewall, the firewall local config will not be changed. instead a little 'override' icon will appear next to the value.2021-04-27_14-39-43.png

if you click the override to restore it, the panorama values will be added to the fields and you can visually doublecheck if any mistakes were made and then click ok to accept the panorama config, or cancel to revert to device local config. 

make sure you did not enable 'force template values' as else you will force panorama values onto previously configured local config, and select Merge with candidate config. (so do NOT enable force template as instructed in 7.2)

2021-04-27_14-41-59.png

 

2. anything you don't want to include in templates, don't configure in templates. anything you don't configure will be determined by local configuration (or absence thereof)

 

3. that sounds about right. do steps 1-6 (in edit selection, only check the box next to the secondary device), then repeat steps 1-4 (but now select the primary)

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

View solution in original post

2 REPLIES 2

Go to solution
reaper
Cyber Elite
Cyber Elite

‎04-27-2021 05:50 AM

for your 1: if you push configuration from panorama to an already configured firewall, the firewall local config will not be changed. instead a little 'override' icon will appear next to the value.2021-04-27_14-39-43.png

if you click the override to restore it, the panorama values will be added to the fields and you can visually doublecheck if any mistakes were made and then click ok to accept the panorama config, or cancel to revert to device local config. 

make sure you did not enable 'force template values' as else you will force panorama values onto previously configured local config, and select Merge with candidate config. (so do NOT enable force template as instructed in 7.2)

2021-04-27_14-41-59.png

 

2. anything you don't want to include in templates, don't configure in templates. anything you don't configure will be determined by local configuration (or absence thereof)

 

3. that sounds about right. do steps 1-6 (in edit selection, only check the box next to the secondary device), then repeat steps 1-4 (but now select the primary)

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Go to solution
myamane
L0 Member
In response to reaper

‎04-27-2021 01:44 PM

Thanks for the quick reply.  So I shouldn't check the "force template values" box in step 7.2 and then afterwards where I want to use the Panorama template values I can use the Override feature wherever I want?

 

If for instance I didn't have a setting configured in the template, and then pushed the config with "force template values" selected, then would the local device retain its original setting or would it go to like a default blank state?

0 Likes Likes
  • 1 accepted solution
  • 2283 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks