What is the best way to import a device state to an old device


L2 Linker

Recently we faced an issue with one of the firewalls, so we decided to replace it with a spare one. We took the device state backup and imported it into the spare firewall. It was running the same OS on the same hardware. But it was NOT factory reset; it had its existing configuration, and we uploaded the device state backup without doing a factory reset. Then we saw multiple commit errors. I don't understand why, because after importing a new device state it should overwrite all the config on the spare device, but it is throwing commit errors related to its existing config.

I just wanted to understand why that happened. Does the device state not overwrite the config after uploading a new device state to the spare firewall, or must it be factory reset before uploading any device state? Please provide your expert views.

1 accepted solution

Accepted Solutions

No, no errors. Why not revert changes, then remove the device from Panorama in Device\Settings\Panorama Settings\Disable Panorama Policy and Objects, commit, then apply the snapshot?


8 REPLIES

L7 Applicator

That's what I normally do when I bring a spare box from QA into production...

Do you have the required licenses on the new device?

Perhaps a screenshot of some of the errors may help...

Yes, all devices are licensed with active support. I do get commit errors in the config related to zone names, different profile names, etc., as the firewall had existing configuration on it, but that should be wiped out after uploading the new device state and only the new config should show.

Do you not see any commit issues after uploading the device state of the prod firewall to your QA firewall?

Another difference here is that the firewall had security policies pushed from Panorama.

No, no errors. Why not revert changes, then remove the device from Panorama in Device\Settings\Panorama Settings\Disable Panorama Policy and Objects, commit, then apply the snapshot?

I have a firewall that is in QA and being managed through Panorama. 

I have another set of firewalls in Prod, and I have to use the QA firewall in Prod in case of any issue and manage it locally.

I couldn't understand what "revert changes" means. My steps are as follows:

1. Connect to the QA FW, disable Panorama Policy and Objects, and commit.

2. Upload the Prod firewall device state to the QA firewall, disable Panorama Policy and Objects, import it, and commit.

Please let me know what revert changes you were referring to. Thank you!

 

I was referring to the revert option in the top RH corner under config. It was only to be used if the commit had failed (to put the FW back to QA) and start again.

I used the snapshot option from prod to QA. Have you tried that?

No, I didn't try the snapshot option because the snapshot doesn't have the Panorama-pushed policy; it only has the running-config of the firewall. I use the device state as it also contains the Panorama-pushed policy.

Is there any way to get a Palo Alto configuration that includes both the firewall configuration done directly on the device and the objects and policy rules pushed from Panorama?

Or any way to get a configuration, e.g. policy and objects for a particular device-group, from Panorama?

You could take a snapshot of the prod firewall and import it to QA, then join QA to Panorama and add it to the same device group to push policies out.

or

Remove the prod firewall from Panorama and keep policies. Do not commit, but just save the configuration to a file. Then revert the change and export the file for QA.
