03-10-2023 02:41 AM
Hi,
We have a FW HA pair which we want to put under Panorama's management.
However, this pair will have to undergo interfaces editing in a few weeks - putting individual interfaces in aggregate interfaces.
If there was no Panorama, I would have edited the FW settings via CLI, committed, and it would have been replicated to the other FW.
I have some experience with Panorama and FW HA management. The templates of each node would be placed under the same template stack.
When working with Panorama, what I want to do with the interfaces might be more challenging, as the settings must be edited on the templates.
My questions are:
• Should I edit each FW template separately, commit to Panorama and push to devices? I assume this would be the most labor-intensive but the cleanest. This is very inconvenient and time consuming, of course.
• Is there a way to edit interfaces on the primary FW node and push it to update the Panorama template settings? I assume not.
• Is it recommended in a case of HA pair to completely remove network management from Panorama?
I'm asking for a good solution.
Thank you.
03-10-2023 03:56 AM
Hi @Yevgeny_Libov ,
Here is a good document on migrating a standalone HA pair to Panorama -> https://docs.paloaltonetworks.com/panorama/10-2/panorama-admin/manage-firewalls/transition-a-firewal....
There are some best practices that we can learn from it.
Here are a few things to consider:
The Beacon free course Managing Firewalls at Scale has some excellent guidance on the last bullet.
Thanks,
Tom
03-10-2023 06:01 AM - edited 03-10-2023 07:15 AM
Hi Tom, many thanks.
I've followed the manual before and an additional manual for adding the HA pair, but I haven't followed them in the correct order.
I will try to follow this one step by step (and take what is necessary from the one which instructs how to use variables).
I would like to know your opinion on how to manage network settings from Panorama for an HA pair (Active-Passive). I didn't find it in your answer or the guide.
Under STEP 7, section 6: "Select the template stack for the first firewall, add the second firewall, select OK and Commit to Panorama to add it to the same template stack as the HA peer."
This step adds both device templates under the same template stack.
However, how do I manage the network settings? When I was experimenting with this, and I attempted in Panorama to change network settings under the template stack, I had limited edit options, or it was in a Read Only state.
I had to select the FW template in order to have full edit capability, so here I wonder: Should I edit each device template separately?
This doesn't make sense and I'm probably missing something.
About managing the HA from Device Groups when both FWs are associated under the device groups, this works well.
Edit: I think I partly understand what I've been missing:
"Select the template stack for the first firewall, add the second firewall, select OK and Commit to Panorama
I want to understand please: The end result of this is a single template stack with both devices added, and a single template assigned to it, which belongs to one of the devices, right?
03-10-2023 07:03 AM - edited 04-21-2023 03:51 AM
Hi @Yevgeny_Libov ,
You wrote "This step adds both device templates under the same template stack." This is incorrect. The step actually adds both devices to different template stacks. Once you are done with the steps in the document, you can actually delete the device group, template, and template stack created by importing the 2nd NGFW (step 7 #2 and #5). At the end of the document, you should have both NGFWs in 1 template stack with 1 template. You do not need separate templates for each NGFW in an HA pair. Unique settings such as management IP or HA link IPs should be (1) managed locally (no config in Panorama), (2) overridden locally, or (3) use template variables. Everything else should be the same.
Correct. The device is associated with the template stack, and not the template.
Thanks,
Tom
03-10-2023 12:09 PM
Hi Tom,
Yes, you are right. I continued researching this and editing my reply, and between my edits you made this comment.
Thank you for correcting me while I was making up my mind 🙂
I will follow the steps and add the HA to Panorama at the beginning of next week and will report on the results.
03-12-2023 10:39 PM
Works like a charm. Thanks Tom.