01-09-2023 02:34 PM
We are working on configuring Panorama and currently already have 3 firewall HA pairs. We have 4000+ address objects in one of our firewall pairs. Is there a way to import these into Panorama to then push to the other 2 firewall pairs post integration? It would be great to not have to add 4000 address objects to the other two firewalls.
01-09-2023 03:04 PM
Hello @MDroyKT
thanks for the post!
The scenario you described is possible. Below are 2 KB articles that include information to import configuration and then push it back to the Firewall as Panorama managed configuration. Both KBs are a bit dated, however the concept remains the same.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CloRCAS
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClZSCA0
Regarding pushing Device Group objects from imported configuration, I would advise performing the following steps.
1.) During import of configuration into Panorama, create a Device Group that is positioned in the Device Group hierarchy so that it is not device specific, but is logically positioned to be shared by multiple Firewalls, for example based on function of Firewalls or location.
2.) After you complete the import and push the configuration back in step no.1, you can add the 2 remaining Firewalls to the same Device Group. If you manage to add them to the same Device Group, the configuration can be shared to them by pushing configuration from Panorama.
Kind Regards
Pavel
01-10-2023 07:07 AM
Thank you very much!!
01-10-2023 07:35 AM - edited 01-10-2023 07:36 AM
Hi @MDroyKT,
Here are the steps to add an HA pair to Panorama -> https://docs.paloaltonetworks.com/panorama/10-2/panorama-admin/manage-firewalls/transition-a-firewal....
It includes some of the pointers that @PavelK made. You put the HA pair in the same DG and templates. Notice that config sync is okay to be enabled afterwards for local changes, just not during the import process. Config sync does not apply to configs pushed from Panorama.
There are a couple of important steps to understand:
Thanks,
Tom
03-03-2023 10:53 AM
After getting through an authentication configuration issue, I've finally gotten around to formally planning for this firewall migration. Now that I've taken a closer look, it seems like if I do as you mentioned, @PavelK and @TomYoung, I would have to push both the current Objects AND Policies from my main firewall pair to my other two firewall pairs. The problem is, I only want the Objects to be pushed to the other pairs.....
Is there a way to do this?
03-03-2023 11:25 AM
Hi @MDroyKT,
Yes, there is a way to do this. If you checked the box "Import devices' shared objects into Panorama's shared context" during the config import, then your objects will already be in the Shared device group and will be pushed out to all NGFWs. Another item to note is that the Panorama > Setup > Management > Panorama Settings > "Share Unused Address and Service Objects with Devices" should be checked to share unused objects. If not, the objects will be pushed once they are used.
If you did not do that, you can shift-click the object line (not check box) and bulk move the objects to Shared. Your policies for the other NGFWs will be in a lower device group and not pushed.
Thanks,
Tom
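A pre-push check for the Shared approach discussed in this thread, as an added example that is not from the original posts or from Palo Alto Networks: it parses two exported firewall configuration XML files and lists address object names defined on both, separating identical definitions from differing ones that are worth reviewing before the objects are moved to Shared and pushed. The sample XML is constructed, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Where address objects live in a PAN-OS configuration export:
# per-vsys on a firewall, and in the shared context.
PATHS = ("./devices/entry/vsys/entry/address/entry", "./shared/address/entry")
KINDS = ("ip-netmask", "ip-range", "fqdn", "ip-wildcard")

def address_objects(config_xml):
    """Return {name: (kind, value)} for every address object in the export."""
    root = ET.fromstring(config_xml)
    found = {}
    for path in PATHS:
        for entry in root.findall(path):
            for kind in KINDS:
                value = entry.findtext(kind)
                if value is not None:
                    found[entry.get("name")] = (kind, value.strip())
    return found

def collisions(source, target):
    """Names defined on both sides, split by whether the definitions agree."""
    shared_names = sorted(set(source) & set(target))
    same = [n for n in shared_names if source[n] == target[n]]
    differ = [n for n in shared_names if source[n] != target[n]]
    return same, differ

# Constructed sample exports (not real configurations).
SOURCE_FW = """<config><devices><entry name="localhost.localdomain"><vsys>
<entry name="vsys1"><address>
  <entry name="dns-primary"><ip-netmask>10.0.0.53/32</ip-netmask></entry>
  <entry name="web-dmz"><ip-netmask>192.0.2.0/24</ip-netmask></entry>
  <entry name="updates"><fqdn>updates.example.com</fqdn></entry>
</address></entry></vsys></entry></devices></config>"""

TARGET_FW = """<config>
<shared><address>
  <entry name="web-dmz"><ip-netmask>198.51.100.0/24</ip-netmask></entry>
</address></shared>
<devices><entry name="localhost.localdomain"><vsys><entry name="vsys1"><address>
  <entry name="dns-primary"><ip-netmask>10.0.0.53/32</ip-netmask></entry>
  <entry name="branch-lan"><ip-range>10.9.0.10-10.9.0.99</ip-range></entry>
</address></entry></vsys></entry></devices></config>"""

if __name__ == "__main__":
    same, differ = collisions(address_objects(SOURCE_FW), address_objects(TARGET_FW))
    print("identical on both:", same)
    print("same name, different value:", differ)
```
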