This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Suggestion on Initial Configuration of Palo-Alto

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Suggestion on Initial Configuration of Palo-Alto

Sujanya
L3 Networker

‎09-07-2022 07:41 AM

Hi All,

We would be needing suggestion on the below scenario:

 

We are having an new Palo-Alto firewall connected via management console in our data center which is integrated with Panorama and we have pre-configured the box by pushing the templates available in panorama. Now we are moving the box to the  location and mounting it and planning to perform initial configurations by connecting the firewall to the actual network. Our client suggested to upload the DAy-1 configuration  file to the palo-Alto firewall while assigning the mgmt IP to the firewall. 

 

Query is:

1. Is the above condition will works ? If yes, will both our pre-configured configurations and Day-1 configuration will be present in our firewall ?

2. will the day-1 configurations will be local to firewall and if yes,  is there any way to manage it via Panorama. 

0 Likes Likes
3 REPLIES 3

reaper
Cyber Elite
Cyber Elite

‎11-30-2022 01:55 AM

day1 is intended to be the very first config you put on a device so you have a good baseline of preconfigured security profiles and security settings. 

a good way to integrate it into panorama would be to import it and set it as a shared template / shared device group objects so it can permeate into your other firewalls

 

your use case will be somewhat difficult as you already have a config in panorama which will overwrite or ignore the (local) day1 config. if you want to use day1, it is best to also import that into panorama and merge both configurations

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
(1)

TomYoung
Cyber Elite
Cyber Elite

‎11-30-2022 05:18 AM - edited ‎11-30-2022 08:04 AM

Hi @Sujanya ,

 

@reaper is correct that ideally the Day 1 Configuration is for Day 1, but it is good to try to add them later rather than never.

 

If you load the Day 1 Configuration on the NGFW and then add it to the appropriate device group and template stack in Panorama:

 

  1. The above configuration will work.
  2. The Day 1 Configuration will be local to the firewall.
    1. If you have duplicate policies or objects, you will get an error.  This is unlikely unless you have configured some Day 1 items before.
    2. Network or device configurations will not be overwritten unless you select Force Template Values.

To manage the Day 1 Config from Panorama, you have a few of options.

 

  1. Import the firewall configuration into separate a separate device group and template (1st URL below).  Messy.
  2. Import the NGFW configuration to Panorama and load config partial the pieces (2nd URL below).  Still messy.
  3. Create a Day 1 Configuration for Panorama.  Maybe messy maybe not.
    1. Import but do not load it.  Do not load the Day 1 Configuration on the NGFW.
    2. Add the Day 1 Configuration device group and template to the candidate configuration via load config partial.
    3. Nest the Day 1 Configuration device group (sample_devicegroup) into your hierarchy and add the Day 1 Configuration template (iron-skillet) to your stack.

Try the commands below at your own risk to see if it adds the Panorama Day 1 Configuration device group and template to your Panorama candidate configuration.

 

load config partial mode merge from-xpath /config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='sample_devicegroup']  to-xpath /config/devices/entry[@name='localhost.localdomain']/device-group from <day1filename>

 

load config partial mode merge from-xpath /config/devices/entry[@name='localhost.localdomain']/template/entry[@name='iron-skillet']  to-xpath /config/devices/entry[@name='localhost.localdomain']/template from <day1filename>

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CloRCAS

https://docs.paloaltonetworks.com/panorama/10-1/panorama-admin/manage-firewalls/transition-a-firewal...

 

Thanks,

 

Tom

 

Edit:  With regard to Panorama, loading the Day 1 Configuration for a new Panorama build is ideal.  It also includes modifications to the "shared" device group and items under the Panorama tab in addition to the device group and templates referenced above.

Help the community: Like helpful comments and mark solutions.
(1)

Sujanya
L3 Networker

‎12-02-2022 02:08 AM

Hi @reaper  /@TomYoung ,


Thanks for the clear explanation. I will follow the same.

  • 2017 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks