Unlink FW to panorama for doing changes


L4 Transporter

Hi, 

 

We have several FWs managed from Panorama (VM). All the config in FW is done in Panorama.

This morning the virtual environment (including Panorama) was inaccessible, so we needed to make changes in the FW in order to work around the issue.

In order to be able to make these policy changes in the FW, we clicked on "Disable Panorama policy and objects" and "disable device and networks". After doing that, we lost all the FW configuration 😞

 

So what is the way to disassociate the FW from Panorama while saving the Panorama config and being able to make FW changes?

 

 

5 REPLIES

Cyber Elite

There are two ways.

One is like you did, which should pop up a question asking if you want to import all the Panorama config to local, so you keep the full config but it's added to the local config.

The second way is to use "override" to import single config elements to the local config and make changes, which also allows you to revert to the Panorama config once you regain control of your Panorama instance.

Option 2 would be the preferred method in your case, as method 1 is more useful if you want to unregister permanently.

 

 

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Thanks Reaper.

 

But option 2 is used more for profiles. We needed to add a new policy and I think there's no override (green wheel) to select and override, right?

@BigPalo exactly, for policies there is no override option. But as long as you use post-rules, you always have the option to create policies locally that are above the rules from Panorama. So in such a situation, where Panorama is not available, you can create rules this way until Panorama is working again. As long as you plan to make Panorama work again, I would not use the first option proposed by @reaper, because when Panorama is available again I think it is more work to import everything again than to move a few rules which you created locally to Panorama.

To be honest, I have never seen post-rules in Panorama :S They are always pre-rules. So if the rules configured are post-rules, we could create a new policy rule in the FW directly? Good to know.

 

And another question: in the FW, a question pops up asking if you want to import all the Panorama config to local so you keep the full config but it's added to the local config. Can this be done even if there is no connection to Panorama at the moment? Or, when I import, does the FW contact Panorama to import everything back again?

For importing the Panorama configuration to the local configuration, the connection to Panorama is not required, as the configuration is already present on the firewall.
