09-19-2023 01:06 PM
Hi.
For the last 10 years, I have been in charge of 3 PA devices.
Device #1 (HA Pair of 1410) in the main site.
Device #2 (460) in the DR site.
Device #3 (440) in 2nd DR site.
I have recently purchased Panorama to make it easier to deploy some shared policies and objects (right now I am doing this manually on each).
I have already registered the devices, which are log forwarding to the Panorama.
I have been trying for 5 weeks without success to start the main mission which is the policy deployments.
I did the import from the devices, but I have a total mess and the push is not working (a lot of errors regarding profile groups).
I also heard that I will need to clear all devices in order to let Panorama push the policy to them (which will lead to downtime).
Ideas? Help plz...
09-19-2023 03:49 PM - edited 09-19-2023 04:02 PM
Hi @chens ,
Great question! Adding a locally managed NGFW to Panorama is tricky. You have to do it a few times to get used to it. Here are the steps:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CloRCAS
However, in the long run, it will be worth it because you can change something once and push it to your NGFWs. Here are some pointers:
Try it out!
Thanks,
Tom
09-22-2023 06:53 AM
Thanks for the link, I appreciate you. It is helpful for me.
09-27-2023 09:48 AM
Ok thanks.
Done.
Now I have the managed policy in yellow/orange.
What if Panorama is not available (since it's in a central location), and I need to make an urgent policy change or disable a rule in the running managed firewall? I saw I can add local rules to the policy, but I have no options besides read-only on the yellow/orange rules.
09-27-2023 11:05 AM
Hi @chens ,
Correct. You cannot edit or override device group configurations (Policies or Objects) on the local NGFW. It is important to know the hierarchy of the rules on the NGFW. https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/panorama-overview/centralized-firewall...
So, any rules that may block critical traffic should be placed in the Panorama post-rules section. Then, any locally created rules will take precedence.
If my original answer solved your problem, please mark it as the solution!
Thanks,
Tom
09-27-2023 11:41 AM
Thanks for the answer.
Still, something doesn't make sense for me.
Our risk management must have a solution in case Panorama is lost.
What if we have a deny rule from the shared DG rules. And we need to bypass it somehow, locally.
To add post rule (local) will not help here.
09-27-2023 12:01 PM
Hi @chens ,
I did not say local post-rule. Any deny rules that may need to be bypassed should be in the Panorama post-rules section. If you look at the URL I posted you will see that local rules come before Panorama post-rules. You will be able to add a local rule that is matched before the deny rule.
Thanks,
Tom
09-27-2023 12:15 PM
This means I have to re-design all my policy, because I have deny rules per zone. For example, deny outbound LDAP before allow any.
Sounds like a very hard mission, this Panorama deployment.
09-27-2023 12:23 PM
Hi @chens ,
You do not need to redesign all of your policy. Are your security policy rules in the Panorama pre-rules or post-rules section?
Thanks,
Tom
09-27-2023 12:28 PM
Just imported them as per your first answer's recommendation. I have imported all to pre-rules.
09-27-2023 12:35 PM
Hi @chens ,
Simply use the Move button on the bottom of the page to move your rules to post-rules one rule at a time. You can start at the bottom and then move each rule to the top of the post-rules section. Once you are done, the order on the NGFW will be the same.
In my first answer I recommended moving all the rules to post-rules, but I understand that pre-rules is the default. I usually use pre-rules only for Shared rules which I push out to all NGFWs.
Thanks,
Tom
09-27-2023 12:41 PM
Ok cool.
So once all of them will be in post-rules, i will actually have the option to add local rules that will take place before them?
09-27-2023 12:43 PM
Exactly!
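To make the ordering discussed above concrete, here is a small added example (my own illustration, not code from this thread or from Palo Alto Networks) that models first-match evaluation across the tiers a managed NGFW walks: Panorama pre-rules, then local rules, then Panorama post-rules, then the implicit default rules. The zone, application and rule names are constructed sample data, and matching is simplified to source zone, destination zone and application; it ignores services, users, schedules and everything else a real security policy evaluates.

```python
# Added example: simulate the PAN-OS rule hierarchy on a Panorama-managed firewall.
# Tiers are evaluated top to bottom, first match wins:
#   Panorama pre-rules -> local firewall rules -> Panorama post-rules -> default rules
# All rules and traffic below are constructed sample data, not a real configuration.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                      # "allow" or "deny"
    from_zone: str = "any"
    to_zone: str = "any"
    apps: frozenset = field(default_factory=lambda: frozenset({"any"}))
    disabled: bool = False

    def matches(self, from_zone: str, to_zone: str, app: str) -> bool:
        """Simplified match: zones and application only."""
        if self.disabled:
            return False
        return (self.from_zone in ("any", from_zone)
                and self.to_zone in ("any", to_zone)
                and ("any" in self.apps or app in self.apps))


def evaluate(pre_rules, local_rules, post_rules, from_zone, to_zone, app):
    """Return (tier, rule_name, action) of the first rule that matches the flow."""
    tiers = (("pre", pre_rules), ("local", local_rules), ("post", post_rules))
    for tier, rules in tiers:
        for rule in rules:
            if rule.matches(from_zone, to_zone, app):
                return tier, rule.name, rule.action
    # Nothing matched: fall through to the implicit PAN-OS default rules,
    # which allow intrazone traffic and deny interzone traffic.
    if from_zone == to_zone:
        return "default", "intrazone-default", "allow"
    return "default", "interzone-default", "deny"


# Constructed rules mirroring the thread's scenario: a per-zone deny of outbound
# LDAP ahead of a broad allow, plus a local emergency rule added on the NGFW.
DENY_LDAP = Rule("deny-outbound-ldap", "deny", "trust", "untrust", frozenset({"ldap"}))
ALLOW_ANY = Rule("allow-outbound-any", "allow", "trust", "untrust")
EMERGENCY = Rule("local-emergency-ldap", "allow", "trust", "untrust", frozenset({"ldap"}))


def imported_to_pre_rules():
    # Config import puts everything in pre-rules: a local rule can never win
    # against them, so the emergency allow is dead weight.
    return evaluate([DENY_LDAP, ALLOW_ANY], [EMERGENCY], [], "trust", "untrust", "ldap")


def moved_to_post_rules():
    # Same rules, same order, moved to post-rules: the local rule is now
    # evaluated first and matches before the Panorama deny.
    return evaluate([], [EMERGENCY], [DENY_LDAP, ALLOW_ANY], "trust", "untrust", "ldap")


def moved_to_post_rules_no_local():
    # Without a local rule the effective order on the NGFW is unchanged:
    # LDAP is still denied by the post-rule, as before the migration.
    return evaluate([], [], [DENY_LDAP, ALLOW_ANY], "trust", "untrust", "ldap")


def unmatched_interzone():
    # No rule anywhere: the implicit interzone-default deny applies.
    return evaluate([], [], [], "trust", "dmz", "ssh")


if __name__ == "__main__":
    print("imported to pre-rules:      ", imported_to_pre_rules())
    print("moved to post-rules:        ", moved_to_post_rules())
    print("post-rules, no local rule:  ", moved_to_post_rules_no_local())
    print("no rules at all:            ", unmatched_interzone())
```

The point the simulation makes is the one from the exchange: the relative order of the imported rules does not change when they are moved from pre-rules to post-rules, so the firewall behaves the same day to day, but the local tier now sits above them, which is what gives an administrator a way to add a rule on the NGFW itself when Panorama is unreachable.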
10-27-2023 07:05 AM
Hi @TomYoung
After playing around, I feel ready to onboard the HA pair.
I am working with this:
But something is bothering me:
Step 5 (of HA) tells me to consolidate both peers into the same device group (which makes sense) and also into the same template stack.
SubStep F tells me to add the 2nd peer to the 1st peer stack, but what about 2nd peer template?
Not using the 2nd template will override all device configs including the management interface, and HA as well.
On the other hand, SubStep G tells me to remove the HA template. Since the config import created only one template for each peer, removing the HA config from the 1st (merged) template will override and destroy the HA in both peers.
Sounds scary a little bit
10-27-2023 07:53 AM
Hi @chens ,
Good questions. Yes, add both NGFWs to the same template stack. The NGFW is smart enough NOT to use the Panorama-pushed configuration for the management interface, even when you Force Template Values. I have done it many times, and never lost connectivity.
With regard to HA, you have 2 options:
https://www.youtube.com/watch?v=MxAy_7X5g3E
Thanks,
Tom