01-27-2022 05:20 PM
Hi All,
All our PA is managed by Panorama and there are a couple of HA pairs in our environment. we just want to change one of the HA pair to standalone.
Currently our set up is active passive. We would like change to standalone on both device. Is there any steps to make this happen?
Thanks !!
01-29-2022 10:00 AM
Hello
So, the FWs' configurations are pushed down by the Panorama to both FWs. So each FW has an exact copy of the configuration (minus mgmt IPs, hostname, and HA configurations).
The steps I would take, is to log onto both FWs, go to Device Tab, and remove where the Panorama mgmt IP is located at.
Uncheck the "Enable Panorama device group" and "enable panorama template" and be VERY certain, to read the warning message, to ensure you IMPORT the Panorama FW configs onto the local FWs configuration. If you do not, you will have zero config on the FWs.
Ok, so now that you have broken/take Panorama out of the equation, you will now have 2 FWs that are still in HA and both have the exact same IP configuration for the interfaces. You need to break/remove HA, but also be sure to change the IP configuratations, so that you do not have 2 FWs with same public/private IPs (dupe IPs are not good in a network)
After that, you should have standalone FWs.
You may want to unplug all dataplane cables on the backup/standby FW, while you are committing, so that the active/primary FW continue to route the traffic, and then you reduce possible fighting over the IPs, while you are configuring/change the standby into standalone mode.
01-29-2022 10:00 AM
Hello
So, the FWs' configurations are pushed down by the Panorama to both FWs. So each FW has an exact copy of the configuration (minus mgmt IPs, hostname, and HA configurations).
The steps I would take, is to log onto both FWs, go to Device Tab, and remove where the Panorama mgmt IP is located at.
Uncheck the "Enable Panorama device group" and "enable panorama template" and be VERY certain, to read the warning message, to ensure you IMPORT the Panorama FW configs onto the local FWs configuration. If you do not, you will have zero config on the FWs.
Ok, so now that you have broken/take Panorama out of the equation, you will now have 2 FWs that are still in HA and both have the exact same IP configuration for the interfaces. You need to break/remove HA, but also be sure to change the IP configuratations, so that you do not have 2 FWs with same public/private IPs (dupe IPs are not good in a network)
After that, you should have standalone FWs.
You may want to unplug all dataplane cables on the backup/standby FW, while you are committing, so that the active/primary FW continue to route the traffic, and then you reduce possible fighting over the IPs, while you are configuring/change the standby into standalone mode.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
