- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
07-22-2021 05:17 AM
Hi,
We have several FWs managed from Panorama (VM). All the config in FW is done in Panorama.
This morning the virtual enviroment (included panorama) was unaccesible so we needed to do changes in the FW in order to workaround the issue.
In order to be able to do these policy changes in the FW we click on "Disable Panorama policy and objects" and "disable device and networks". After doing that, we lost all the FW configuration 😞
So what is the way, to dissasociated FW from panorama saving the panorama config and be able to do FW changes???
07-22-2021 10:29 AM
There are two ways
One is like you did, which should pop up a question asking if you want to import all the panorama config to local so you keep the full config but it's added to the local config
The secondway is to use "override" to import single config elements to the local config and make changes, which also allows you to revert to panorama config once you regain control of your panorama instance
Option 2 would be the preferred method in your case as method 1 is more useful if you want to unregister permanently
07-23-2021 03:39 AM
Thanks Reaper.
But in the option 2 is more used for profiles. We needed to add a new policy and i think theres not override (green wheel) to select and override, right?
07-23-2021 01:44 PM
@BigPalo exactly, for policies there is no override option. But as long as you use post-rules you always have the option to create policies locally that are above the rules from panorama. So in such a situation where panorama is not available you can create rules this way until panorama is working again. As long as you plan to make panorama work again I would not use the first option proposed by @reaper because when panorama is available again I think it is more work to import everything again than moving a few rules which you created locally to panormama.
07-25-2021 03:01 AM
to be honest i have never seen post-rules in panorama :S Always are pre-rules. So if the rules configured are post-rules, we could create new policy rule in FW directly? good to know it.
And another question, in the fw when pop up a question asking if you want to import all the panorama config to local so you keep the full config but it's added to the local config. Can this be done even if there is no connection to panorama at the moment? or when I import the FW, the FW contacts ti Panorama to import everything back again?
07-25-2021 03:45 AM
For importing the panoramaconfiguration to the local configuration, the connection to panorama is not required - as the configuration is already present on the firewall.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!