Can you import objects from a firewall into a new Panorama config to then push to all firewalls?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Can you import objects from a firewall into a new Panorama config to then push to all firewalls?

L1 Bithead

We are working on configuring Panorama and currently already have 3 firewall HA pairs. We have 4000+ address objects in one of our firewall pairs. Is there a way to import these into Panorama to then push to the other 2 firewall pairs post integration? It would be great to not have to add 4000 address objects to the other two firewalls.

2 ACCEPTED SOLUTIONS

Accepted Solutions

Cyber Elite
Cyber Elite

Hello @MDroyKT

 

thanks for the post!

 

The scenario you described is possible. Below are 2 KB articles that include information to import configuration and then push it back to the Firewall as Panorama managed configuration. Both KBs are a bit dated, however the concept remains the same.

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CloRCAS

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClZSCA0

 

Regarding pushing Device Group objects from imported configuration, I would advised to perform following steps.

 

1.) During import of configuration into Panorama, create a Device Group that is position in the Device Group hierarchy that is not device specific, but is logically position to be meant as shared for multiple Firewalls for example based on function of Firewalls or location.

2.) After you complete the import and push the configuration back in step no.1, you can add 2 remaining Firewalls to the same Device Group. If you manage to add them to the same Device Group, the configuration can be shared to them by pushing configuration from Panorama.

 

Kind Regards

Pavel

Help the community: Like helpful comments and mark solutions.

View solution in original post

Cyber Elite
Cyber Elite

Hi @MDroyKT,

 

Here are the steps to add an HA pair to Panorama -> https://docs.paloaltonetworks.com/panorama/10-2/panorama-admin/manage-firewalls/transition-a-firewal....

 

It includes some of the pointers that @PavelK made.  You put the HA pair in the same DG and templates.  Notice that config sync is okay to be enabled afterwards for local changes, just not during the import process.  Config sync does not apply to configs pushed from Panorama.

 

There are a couple of important steps to understand:

 

  1. You must "Export or push device config bundle" (step 6, 5) for the 1st push to the NGFW.  This step actually removes the local Policies and Objects configuration.
  2. If you want the Network and Device configuration managed by Panorama, you must select "Force Template Values" (step 8, 2) in order to override the local configuration.

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

View solution in original post

4 REPLIES 4

Cyber Elite
Cyber Elite

Hello @MDroyKT

 

thanks for the post!

 

The scenario you described is possible. Below are 2 KB articles that include information to import configuration and then push it back to the Firewall as Panorama managed configuration. Both KBs are a bit dated, however the concept remains the same.

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CloRCAS

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClZSCA0

 

Regarding pushing Device Group objects from imported configuration, I would advised to perform following steps.

 

1.) During import of configuration into Panorama, create a Device Group that is position in the Device Group hierarchy that is not device specific, but is logically position to be meant as shared for multiple Firewalls for example based on function of Firewalls or location.

2.) After you complete the import and push the configuration back in step no.1, you can add 2 remaining Firewalls to the same Device Group. If you manage to add them to the same Device Group, the configuration can be shared to them by pushing configuration from Panorama.

 

Kind Regards

Pavel

Help the community: Like helpful comments and mark solutions.

Thank you very much!!

Cyber Elite
Cyber Elite

Hi @MDroyKT,

 

Here are the steps to add an HA pair to Panorama -> https://docs.paloaltonetworks.com/panorama/10-2/panorama-admin/manage-firewalls/transition-a-firewal....

 

It includes some of the pointers that @PavelK made.  You put the HA pair in the same DG and templates.  Notice that config sync is okay to be enabled afterwards for local changes, just not during the import process.  Config sync does not apply to configs pushed from Panorama.

 

There are a couple of important steps to understand:

 

  1. You must "Export or push device config bundle" (step 6, 5) for the 1st push to the NGFW.  This step actually removes the local Policies and Objects configuration.
  2. If you want the Network and Device configuration managed by Panorama, you must select "Force Template Values" (step 8, 2) in order to override the local configuration.

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

Thank you!!

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!