I am encountering a particularly frustrating problem.
After importing a device's configuration into Panorama, the commit fails because the initial export and push includes shared objects, but not shared items in the templates.
So if I, for example, have email log forwarding in my shared objects, commit on the device fails because the emails are not present in the template.
The emails are present in the template stack, but not in the single template, and Panorama is not pushing what is in the template stack.
Share Unused Address and Service Objects with Devices is unticked.
I am not sure if I understand your problem correctly, but the proper process of onboarding a firewall that already has some configuration to Panorama should be:
- Panorama -> Setup -> Operations -> Import Device configuration to Panorama -> Select the firewall. This will create a new device-group, template and template stack and assign the firewall to them.
- Make any modifications you like to the device-group, template or template stack. For example, add a template that contains shared settings to the template stack, or rename the stack, template or group.
- Commit to Panorama only - don't push any configuration to firewall yet.
- Panorama -> Setup -> Operations -> Export or push device config bundle -> Select the firewall -> Push & Commit. This will replace the existing local configuration on the firewall with the configuration defined in the template stack and device-group.
I would suggest you perform the above step during a maintenance window just in case, although it shouldn't affect forwarded traffic.
- At this point the FW will probably still show as out of sync in Panorama, but it will have its local config converted to Panorama managed. So you can push config from Panorama to the FW and you should see the green "in sync".