This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Firewall has the IPSec tunnel but Panorama don't. How to fix?

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Firewall has the IPSec tunnel but Panorama don't. How to fix?

MINKU2
L0 Member

‎04-04-2024 04:18 PM - edited ‎04-04-2024 04:24 PM

Hi Guys,

We have one of the IPSec tunnel missing on Panorama but it is configured on individual Firewalls (HA pair). The tunnel is up and running. We don't want any downtime on VPN tunnel.

Can I simply add missing IPSec tunnel to Panorama and do just " Commit to Panorama"?

Or is there something else needs to be done?

 

0 Likes Likes
1 REPLY 1

PavelK
Cyber Elite
Cyber Elite

‎04-05-2024 09:27 PM

Hello @MINKU2

 

from your post it looks like you are considering to move IPsec local Firewall configuration to Panorama managed configuration. If this is the case, then there are a few things to consider.

 

You will have to configure IPsec in Panorama's Template, then commit and push it to Firewall. If the IPsec configuration is identical, the local configuration will have precedence, then you will have to override it locally in Firewall to use Panorama's configuration. This will have to be committed to take an effect. During commit the configuration will be replaced that will likely cause IPsec tunnel reset. If you are concerned about down time, then migration from local to Panorama configuration on one to one bases should be performed during a maintenance window.

 

There might be some work arounds to make this transition without down time. For example push from Panorama IPsec configuration with unique names to prevent overriding it locally, then if you are using any routing protocol to shift traffic to new tunnel. This will required more information about your setup and more planning.

 

Kind Regards

Pavel

Help the community: Like helpful comments and mark solutions.
0 Likes Likes
  • 811 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks