Suggestion on Initial Configuration of Palo-Alto

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Suggestion on Initial Configuration of Palo-Alto

L3 Networker

Hi All,

We would be needing suggestion on the below scenario:

 

We are having an new Palo-Alto firewall connected via management console in our data center which is integrated with Panorama and we have pre-configured the box by pushing the templates available in panorama. Now we are moving the box to the  location and mounting it and planning to perform initial configurations by connecting the firewall to the actual network. Our client suggested to upload the DAy-1 configuration  file to the palo-Alto firewall while assigning the mgmt IP to the firewall. 

 

Query is:

1. Is the above condition will works ? If yes, will both our pre-configured configurations and Day-1 configuration will be present in our firewall ?

2. will the day-1 configurations will be local to firewall and if yes,  is there any way to manage it via Panorama. 

3 REPLIES 3

Cyber Elite
Cyber Elite

day1 is intended to be the very first config you put on a device so you have a good baseline of preconfigured security profiles and security settings. 

a good way to integrate it into panorama would be to import it and set it as a shared template / shared device group objects so it can permeate into your other firewalls

 

your use case will be somewhat difficult as you already have a config in panorama which will overwrite or ignore the (local) day1 config. if you want to use day1, it is best to also import that into panorama and merge both configurations

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Cyber Elite
Cyber Elite

Hi @Sujanya ,

 

@reaper is correct that ideally the Day 1 Configuration is for Day 1, but it is good to try to add them later rather than never.

 

If you load the Day 1 Configuration on the NGFW and then add it to the appropriate device group and template stack in Panorama:

 

  1. The above configuration will work.
  2. The Day 1 Configuration will be local to the firewall.
    1. If you have duplicate policies or objects, you will get an error.  This is unlikely unless you have configured some Day 1 items before.
    2. Network or device configurations will not be overwritten unless you select Force Template Values.

To manage the Day 1 Config from Panorama, you have a few of options.

 

  1. Import the firewall configuration into separate a separate device group and template (1st URL below).  Messy.
  2. Import the NGFW configuration to Panorama and load config partial the pieces (2nd URL below).  Still messy.
  3. Create a Day 1 Configuration for Panorama.  Maybe messy maybe not.
    1. Import but do not load it.  Do not load the Day 1 Configuration on the NGFW.
    2. Add the Day 1 Configuration device group and template to the candidate configuration via load config partial.
    3. Nest the Day 1 Configuration device group (sample_devicegroup) into your hierarchy and add the Day 1 Configuration template (iron-skillet) to your stack.

Try the commands below at your own risk to see if it adds the Panorama Day 1 Configuration device group and template to your Panorama candidate configuration.

 

load config partial mode merge from-xpath /config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='sample_devicegroup']  to-xpath /config/devices/entry[@name='localhost.localdomain']/device-group from <day1filename>

 

load config partial mode merge from-xpath /config/devices/entry[@name='localhost.localdomain']/template/entry[@name='iron-skillet']  to-xpath /config/devices/entry[@name='localhost.localdomain']/template from <day1filename>

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CloRCAS

https://docs.paloaltonetworks.com/panorama/10-1/panorama-admin/manage-firewalls/transition-a-firewal...

 

Thanks,

 

Tom

 

Edit:  With regard to Panorama, loading the Day 1 Configuration for a new Panorama build is ideal.  It also includes modifications to the "shared" device group and items under the Panorama tab in addition to the device group and templates referenced above.

Help the community: Like helpful comments and mark solutions.

L3 Networker

Hi @reaper  /@TomYoung ,


Thanks for the clear explanation. I will follow the same.

  • 2024 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!