Deploying already existing firewalls

Showing results for 
Show  only  | Search instead for 
Did you mean: 

Deploying already existing firewalls

L1 Bithead

Hi all,


I've been working with Panorama now for just over a month, learning most its concepts slowly but surely. I am now stuck however on the following:


Before we acquired Panorama, we had several clients running PA-220s. After it was announced the 220s were reaching EoL, we replaced most with 410s and 440s. We then acquired Panorama to centralise all deployments. How I did it was to import each client's 220 configs into respective 410/440 replacements, then deploy them to client site. Then from office I would register them to our Panorama, import its config into client-respective device group and templates.

From this point on, it has been really painful getting even one client FW to be in sync with either device group or template. I am having to rename/remove every single object/policy for example for the firewall to accept push, due to conflicting objects.


I think lesson learnt here is that I should've pushed the configs into the firewall via Panorama instead of directly into firewall.


My question, is there any simpler way I can push templates and groups to already deployed firewalls more easily, without having to configure them from scratch and risk removing their running configs?


Many thanks,




Cyber Elite
Cyber Elite

Hi @JaredBaglietto ,


If you are having issues with conflicting objects, you may not have done step 5 in this doc ->  Exporting the Panorama config once to the NGFW right after you import the config is necessary to delete the local polices and objects.  After you do step 5 once, you then push all configs to the devices under the Commit menu.


If you want to overwrite the local network and device configurations with Panorama configs, you should check the box Force Template Values in step 6.





Help the community: Like helpful comments and mark solutions.

Hi @TomYoung,


Thank you very much for that. I've tried the steps provided and I think it's what I'm looking for. Just hitting a few hurdles.


I have to be careful as I seem to be overwriting important network configs and policies that allow me remote access into the firewall. Accidentally kicked myself out of client firewall this past weekend and had to fix their config onsite.


When in step 6 making changes to config, I only end up getting an error such as 'ethernet1/1 is already in use'. Any idea why this may be occurring?

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!