Duplicate config in panorama managed firewall


L1 Bithead

Hi Team,

In my firewall I can see 2 configurations at the same time. One I pushed from Panorama and one is local that is synchronized from the passive peer. I can see everything is duplicated. How can I remove the duplicate config (the local config from the firewall) and keep only the Panorama pushed one?

Thanks in advance


Accepted Solutions

Hi @Mohanlalsaini,

Let's first discuss something fundamental - Templates vs Device Groups:

- Device Groups are used to push objects, policies and security profiles. For example, here you define address objects and use them in security rules. Basically it is defining the firewall security functions.

- Templates are used to push device and networking configuration. For example, what NTP and DNS the device should use and what IP addresses are assigned on the device.

 

The Panorama GUI tries to help you remember which settings are managed where, by the brackets above the relevant tabs:

Astardzhiev_0-1656508403700.png

 

Now you probably know this already, but it is important to mention, because there is a fundamental difference between Templates and Device Groups in how they handle local configuration.

- Device Groups - Even without Panorama (local fw config) you cannot have multiple objects sharing the same name, or multiple rules/policies using the exact same name. This way the firewall will not know how to handle the traffic (which object is used in which rule, or which rule is actually used). You can still create local rules and objects in case of emergency - for example, the security engineer with access to Panorama is not available, but the local network engineer needs to allow some traffic to solve a user incident/request. The idea here is that your "global policy" pushed by Panorama could explicitly deny some traffic at the top of the policy, so no local rule will be able to be put at the top and bypass the global block rule.

- Templates - none of the configuration defined in the template can have multiple values (you cannot have multiple hostnames, or multiple primary IPs on dataplane interfaces, etc.), like with firewall rules. Which means if there is local config and config pushed from Panorama, the firewall needs to choose which one to use. Now by default the firewall will prefer the local configuration over the one pushed from Panorama. The idea behind this approach is that it is more common for the local admin to override these settings. For example, your Panorama is pushing the IP assigned to the outside interface, but the ISP needs to change it, so the local network admin can override the config from Panorama and apply the new IP. Another example is if your global policy defines the use of a specific NTP, but one specific site has issues and wants to use a different one.

 

One way to remove the local config and apply the Panorama pushed one is to go over each config and click on the "revert" button. After that you need to commit locally on the firewall. This way will give you the option to review the configuration before commit, but it could be painful if there is a lot to revert.

The other option would be to push template configuration from Panorama, but this time enable "Force Template Values". This will force the firewall to remove any local configuration that is already defined in the template. This will not delete any local config that is not part of the template.

Push to Device -> Edit Selection -> enable "Force Template Values"

Astardzhiev_0-1656535625643.png
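To see in advance what "Force Template Values" would and would not touch, it helps to classify each locally defined setting against the pushed template before pushing. The script below is an added example, not code from the post above or from Palo Alto Networks. It assumes you already have two XML documents in hand (the template configuration as pushed from Panorama and the firewall's locally defined configuration); the PAN-OS-like XML layout in the constructed samples is simplified and hypothetical, and the names `TEMPLATE_XML`, `LOCAL_XML`, `collect_leaves` and `classify` are this example's own. Following the answer, a local value whose path also exists in the template is an "override" (what the forced push replaces), while a local value whose path is absent from the template is "local-only" (what the forced push leaves in place and you would still have to revert by hand).

```python
"""Classify locally defined firewall settings against a Panorama template.

Added illustration (hypothetical, simplified PAN-OS-style XML). It assumes
two XML documents: the template config pushed from Panorama and the
firewall's local config. Categories mirror the answer above:
  override      - path exists in both with different values
                  (what "Force Template Values" would replace)
  match         - path exists in both with identical values
  local_only    - path only in local config (left alone by the forced push)
  template_only - path only in the template (no local value competes with it)
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: the template configuration pushed from Panorama.
TEMPLATE_XML = """
<config>
  <devices><entry name="localhost.localdomain">
    <deviceconfig><system>
      <hostname>fw-branch-01</hostname>
      <timezone>UTC</timezone>
      <ntp-servers><primary-ntp-server>
        <ntp-server-address>10.0.0.123</ntp-server-address>
      </primary-ntp-server></ntp-servers>
    </system></deviceconfig>
    <network><interface><ethernet><entry name="ethernet1/1">
      <layer3><ip><entry name="203.0.113.10/24"/></ip></layer3>
    </entry></ethernet></interface></network>
  </entry></devices>
</config>
""".strip()

# Constructed sample: the firewall's locally defined configuration, where a
# site admin changed the NTP server and the ISP-facing IP and added a banner.
LOCAL_XML = """
<config>
  <devices><entry name="localhost.localdomain">
    <deviceconfig><system>
      <hostname>fw-branch-01</hostname>
      <login-banner>Authorized use only</login-banner>
      <ntp-servers><primary-ntp-server>
        <ntp-server-address>192.0.2.5</ntp-server-address>
      </primary-ntp-server></ntp-servers>
    </system></deviceconfig>
    <network><interface><ethernet><entry name="ethernet1/1">
      <layer3><ip><entry name="198.51.100.7/24"/></ip></layer3>
    </entry></ethernet></interface></network>
  </entry></devices>
</config>
""".strip()


def collect_leaves(root):
    """Map each leaf path (tuple of tags, list members as entry[name]) to
    the set of values found there. A childless <entry name="x"/> is a list
    member whose name is the value, e.g. an interface IP address."""
    leaves = defaultdict(set)

    def walk(elem, path):
        children = list(elem)
        text = (elem.text or "").strip()
        if not children:
            if elem.tag == "entry" and not text and "name" in elem.attrib:
                leaves[path + ("entry",)].add(elem.attrib["name"])
            else:
                leaves[path + (elem.tag,)].add(text)
            return
        segment = elem.tag
        if elem.tag == "entry" and "name" in elem.attrib:
            segment = f'entry[{elem.attrib["name"]}]'
        for child in children:
            walk(child, path + (segment,))

    walk(root, ())
    return leaves


def classify(local_xml, template_xml):
    """Return a dict of category -> {path string: value(s)}."""
    local = collect_leaves(ET.fromstring(local_xml))
    template = collect_leaves(ET.fromstring(template_xml))
    result = {"override": {}, "match": {}, "local_only": {}, "template_only": {}}
    for path in sorted(set(local) | set(template)):
        key = "/".join(path)
        lv, tv = local.get(path), template.get(path)
        if lv is not None and tv is not None:
            if lv == tv:
                result["match"][key] = sorted(lv)
            else:
                result["override"][key] = {"local": sorted(lv), "template": sorted(tv)}
        elif lv is not None:
            result["local_only"][key] = sorted(lv)
        else:
            result["template_only"][key] = sorted(tv)
    return result


if __name__ == "__main__":
    report = classify(LOCAL_XML, TEMPLATE_XML)
    for category in ("override", "local_only", "template_only", "match"):
        print(f"== {category} ==")
        for key, value in report[category].items():
            print(f"  {key}: {value}")
```

Run against the two samples, the NTP address and the ethernet1/1 IP come out as overrides (the forced push would put the template values back), the login banner is local-only (it survives the push and needs a manual revert if unwanted), and the timezone is template-only (nothing local competes with it). Exporting the two real documents from a firewall is outside this example; the comparison itself only depends on the XML being well-formed.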


L1 Bithead

Hi, thanks for your reply. The issue is resolved now. We had the device state backup from the firewall (from before the issue). We imported it and the issue was resolved.


3 REPLIES

L1 Bithead

And I have the device state of the firewall from before this duplicate config happened. Can I import this device state to remove the duplicate config?

