12-07-2024 12:54 AM
Hi All,
I have a few questions, but let me share first what happened.
End State Goal: Have Panorama manage our HQ and Branch Firewalls (5 firewalls involved; we have a license for this).
We have tried to onboard and use Panorama for management of our PAN Firewalls.
We have successfully onboarded our Active/Passive firewalls
(from Device > Managed Devices > Summary, the status of both can be seen as connected).
We first tried to import and push the running configuration of the Passive Firewall, then we experienced downtime.
Checking on the Active PA FW, the configuration was stripped off (no policies can be seen).
We loaded our backup config on the Active FW to recover services.
Now when I checked Panorama from Device>Managed Devices>Summary
Active FW is showing as disconnected
Passive is showing as connected.
Policies from the passive firewall are visible on Panorama.
I have not associated the Active Firewall to the Device Group and Device Template yet.
From the GUI it is under the "not associated list"
Questions:
1. Is it normal behavior for the configuration of the firewalls to be stripped off once they are being managed by Panorama?
2. In the scenario that Panorama suddenly reboots, does this mean that traffic for all the devices it manages will go down, since there are no configurations on the NGFWs?
3. Given our current status, what would be the most advisable thing to do next?
a) Manually fail over the traffic from the Active FW to the Passive FW, then import the "Current Suspended" FW running configuration to Panorama.
b) Can we just proceed with adding the Active FW to the Device Group & Device Template created for the Passive FW?
4. Is there any documentation for onboarding/Import and Push of Active/Passive Firewalls to Panorama?
Any help would be very much appreciated.
Regards
Nicko
12-07-2024 07:31 PM
Hi @NickoKristian ,
Thanks,
Tom
12-08-2024 08:42 PM
Hi @TomYoung, thanks for your input. Just to clarify, the Active/Passive firewalls are displaying as Connected, but when I exported/pushed the config for the passive firewall, the active firewall's policies were stripped off as well.
I think this is because we have not disabled config sync for the HA pair.
What would your approach be with this if we want to have no downtime?
Currently, on Panorama the Active FW is disconnected and the Passive FW is connected.
1. Fix the connection issues first: can we disassociate the Active Firewall again, then continue the steps?
2. Fail over the traffic to the passive firewall? Checking the local firewall GUI HA dashboard, everything seems to be matched except the configuration, which is not in sync.
Regards
Nicko