Process to Rebuild Panorama with Prisma Access & Prisma SDWAN


L1 Bithead

Posting here while waiting for TAC. We use Panorama to manage NGFW and Prisma Access with Prisma SDWAN integration.

 

We recently rebuilt Panorama Azure VM. Latest dynamic updates and plugins are installed, device cert is valid, and cloud services OTP applied.  We tried loading the old Panorama running config to get everything back to normal. However, after loading the config, we get commit errors related to Prisma Access config. Is there a specific process when restoring a backup config for Panorama that is also used to manage cloud services? Or, is it as simple as loading the config and performing the initial commit?

 

I'm wondering if we should load the backup config with our firewall device groups and templates, exclude the remote networks groups and templates, perform the initial commit, then focus on loading the remote networks/cloud services portion.

 

Any help appreciated. Thank you.

Accepted Solutions

L1 Bithead

This happened to be a combination of Palo backend and user-induced errors. I was using a running config from a recent TSF, which apparently doesn't contain PSKs for IPSec tunnels, certs, and whatnot. Using an older manually generated Panorama config snapshot, we resolved a lot of the initial commit errors. We still needed to work with TAC to fix the Prisma Access integration that was an old-code/back-end issue but everything else after that was manageable from our perspective. For future reference, rebuilding a Panorama Azure VM managing Prisma Access involves the following high-level steps:

  • Spin up new Panorama VM from Azure marketplace.
  • Once Panorama is accessible, define DNS and NTP, get latest dynamic updates, plugins, and downgrade Panorama software back to your preferred version if needed.
  • Make sure OTP is set up for Panorama AND Cloud Services. There is an OTP process for each.
  • Import the latest manually configured Panorama snapshot that you have, then load.
  • Commit to Panorama and if you don't see any major errors, you're making progress. That initial commit has to work or you're dead in the water.
  • If using Prisma SDWAN integration with Prisma Access, you may have to regenerate and/or reapply the PSK in Panorama. This has to match the PSK configured in Prisma SDWAN.
  • At this point, fix any local overrides since Panorama went down, sync them to Panorama however you wish, and get back to work.
  • Good luck!
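The lesson in the accepted solution is that the running config pulled from a TSF does not carry IPSec PSKs or certificate private keys, so the initial commit fails. The check below is an added example, not from the original post or from Palo Alto Networks: it parses a Panorama XML export and reports IKE gateways with no pre-shared key and certificates with no private key, so you can see before loading a backup whether it is restorable. The element paths (template, network/ike/gateway, authentication/pre-shared-key/key, shared/certificate/private-key) and both sample configs are assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a manually generated Panorama config snapshot
# (assumed element layout; a real export is far larger).
SNAPSHOT_XML = """<config version="10.1.0">
 <shared><certificate><entry name="panorama-device-cert">
  <private-key>-AQ==CONSTRUCTED-ENCRYPTED-KEY</private-key>
 </entry></certificate></shared>
 <devices><entry name="localhost.localdomain"><template>
  <entry name="Remote_Network_Template"><config><devices>
   <entry name="localhost.localdomain"><network><ike><gateway>
    <entry name="sdwan-branch-gw"><authentication><pre-shared-key>
     <key>-AQ==CONSTRUCTED-ENCRYPTED-PSK</key>
    </pre-shared-key></authentication></entry>
   </gateway></ike></network></entry>
  </devices></config></entry>
 </template></entry></devices>
</config>"""

# Constructed stand-in for the TSF running config described in the post:
# same objects, but the PSK and the private key are not present.
TSF_RUNNING_XML = (SNAPSHOT_XML
    .replace("<key>-AQ==CONSTRUCTED-ENCRYPTED-PSK</key>", "")
    .replace("<private-key>-AQ==CONSTRUCTED-ENCRYPTED-KEY</private-key>", ""))


def missing_secrets(config_xml: str) -> dict:
    """List IKE gateways lacking a PSK and certificates lacking a private key."""
    root = ET.fromstring(config_xml)
    no_psk, no_private_key = [], []
    # iter() descends into nested template configs, so one pass covers
    # Panorama templates as well as shared objects.
    for gateway in root.iter("gateway"):
        for entry in gateway.findall("entry"):
            key = entry.find("./authentication/pre-shared-key/key")
            if key is None or not (key.text or "").strip():
                no_psk.append(entry.get("name"))
    for cert in root.iter("certificate"):
        for entry in cert.findall("entry"):
            pk = entry.find("private-key")
            if pk is None or not (pk.text or "").strip():
                no_private_key.append(entry.get("name"))
    return {"gateways_without_psk": no_psk, "certs_without_private_key": no_private_key}


def restore_candidate_ok(config_xml: str) -> bool:
    """True when the export carries every secret the initial commit will need."""
    return not any(missing_secrets(config_xml).values())


if __name__ == "__main__":
    for label, xml in (("snapshot", SNAPSHOT_XML), ("tsf", TSF_RUNNING_XML)):
        print(label, "ok" if restore_candidate_ok(xml) else missing_secrets(xml))
```

Run it against the XML you plan to load; an empty report means the backup at least contains its secrets, while a non-empty one tells you which tunnels will need the PSK regenerated (and matched in Prisma SDWAN) before the commit can succeed.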
