This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Correct process for adding new firewalls to panorama and then migrating

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Correct process for adding new firewalls to panorama and then migrating

Go to solution
M.Allen
L1 Bithead

‎08-07-2025 12:42 PM

I am migrating 820's to 3410s. What is the correct process for adding the two new palos in HA and pushing the new templates and adding them to a device group.

 

Basic configuration is in place. I have cloned the template I wish to use amended the interface settings and added the 3410s to the new stack.

 

When pushing the template I get the error 

MAllen_0-1754595694198.png

 

I have not yet added the new 3410s to the old 820 device group..

 

Should I do this and then push the template to the new 3410 Palos?

0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
ozheng
L4 Transporter

‎08-08-2025 03:27 AM

Hello @M.Allen ,

 

I think you will see the reason in this post.
https://live.paloaltonetworks.com/t5/general-articles/demystifying-selective-push-on-panorama/ta-p/1...

Olivier

PCSNE - CISSP

Best Effort contributor

Check out our PANCast Channel

Disclaimer : All messages are my personal ones and do not represent my company's view in any way.

View solution in original post

0 Likes Likes
4 REPLIES 4

Go to solution
PavelK
Cyber Elite
Cyber Elite

‎08-07-2025 07:54 PM

Hello @M.Allen

 

thanks for post!

 

It does not look like that the issue is caused by not having PA-3410 in Device Group. Could you please confirm PAN-OS version running on PA-3410? I can see this issue addressed in PAN-OS 10.2.8 and 11.1.2:

 

PAN-223259

Fixed an issue where selective pushes failed with the error Failed to generate selective push configuration. Unable to retrieve last in-sync configuration for the device, either a push was never done or version is too old. Please try a full push.

 

Also, I have noticed in one post that one LIVEcommunity member reported this being resolved after restart management process in both HA Firewalls.

 

Kind Regards

Pavel

Help the community: Like helpful comments and mark solutions.

Go to solution
M.Allen
L1 Bithead
In response to PavelK

‎08-07-2025 08:43 PM - edited ‎08-07-2025 08:52 PM

Thanks for the reply. Version of Palo’s is 11.1.6 h10

These are new Palo’s and never had a push to them before.

0 Likes Likes

Go to solution
ozheng
L4 Transporter

‎08-08-2025 03:27 AM

Hello @M.Allen ,

 

I think you will see the reason in this post.
https://live.paloaltonetworks.com/t5/general-articles/demystifying-selective-push-on-panorama/ta-p/1...

Olivier

PCSNE - CISSP

Best Effort contributor

Check out our PANCast Channel

Disclaimer : All messages are my personal ones and do not represent my company's view in any way.

0 Likes Likes

Go to solution
M.Allen
L1 Bithead
In response to PavelK

‎08-08-2025 03:30 AM

I have restarted the management process on both Palo CLI's and I am still getting the same error. 

Can you confirm that a full push is using the "force template values" button as I am selecting this also.

Panorama is running on 11.1.6 h10 as are both the Palos.

Step 1

MAllen_0-1754648818120.png

 

Step 2

Device groups set to blank as pushing template first..

MAllen_1-1754648893001.png

 

Step 3

MAllen_2-1754648959998.png

Step 4 

Push?

MAllen_3-1754649002841.png

 

Error

MAllen_4-1754649038429.png

 

0 Likes Likes
  • 1 accepted solution
  • 648 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2025 - Palo Alto Networks