This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

When a firewall configuration migrated to the panorama, objects tab configuration imported as a shared object and got impact with other firewalls.

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

When a firewall configuration migrated to the panorama, objects tab configuration imported as a shared object and got impact with other firewalls.

AkashThangavel
L2 Linker

‎05-04-2023 08:09 AM - edited ‎05-05-2023 09:18 PM

Hi team,

While integrating a firewall into the panorama, I imported as a Device >Setup >Operations >Import device configuration as Panorama. The firewall configuration in the objects tab was imported as a shared object and impacted the other firewall configurations. I followed the admin guide for Firewall migration to the panorama. It is a VM firewall and there is no vsys option. I have attached the screenshot, kindly check it and let me know.

 

VM firewall configuration

Screenshot 2023-05-03 173745.png

After >Import device configuration as Panorama, it was imported in the shared location.

Screenshot 2023-05-03 173018.pngScreenshot 2023-05-03 173533.png

 

Screenshot 2023-05-04 201821.pngScreenshot 2023-05-04 201831.png

 

 

regards,

Akash Thangavel

Network Security Engineer

 

Akash Thangavel, Network Security Engineer
0 Likes Likes
11 REPLIES 11

TomYoung
Cyber Elite
Cyber Elite

‎05-05-2023 05:19 AM

Hi @AkashThangavel ,

 

Could you clarify what you mean by "impacted the other firewall configurations"?  All configuration in the Shared device group is pushed to all NGFWs since all device groups are subordinate to Shared ( see Panorama > Device Groups ).  The only exception is if you have Share Unused Address and Service Objects with Devices unchecked under Panorama > Panorama Settings.  In that case, objects will only be pushed to NGFWs if they are used.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

Raido_Rattameister
Cyber Elite
Cyber Elite

‎05-05-2023 05:44 AM

Shared objects are what name says - shared.

If you don't want objects to go into shared location you need to uncheck this checkbox during firewall import.

 

Raido_Rattameister_0-1683290649520.png

 

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

AkashThangavel
L2 Linker
In response to TomYoung

‎05-05-2023 07:35 AM - edited ‎05-05-2023 09:28 PM

Hi Tom,

When I am importing a vm-firewall configuration into the panorama, objects imported as a shared object mean all the firewall receives the vm-firewall configuration as in a shared location.Screenshot 2023-05-05 175822.png

vm-firewall configuration imported in a shared location and shared with all the device groups.

Screenshot 2023-05-05 175533.png

But it should actually be imported as a separate device group not shared. A device group is created while importing, but these objects are located in a shared location.

 

regards,

Akash Thangavel

Network Security Engineer

Akash Thangavel, Network Security Engineer
0 Likes Likes

AkashThangavel
L2 Linker
In response to Raido_Rattameister

‎05-05-2023 07:42 AM - edited ‎05-05-2023 09:29 PM

There is no vsys in the firewall. So firewall configuration is not in shared.

Then how, because this option is only for shared object or multi vsys should be in the firewall.

AkashThangavel_0-1683297653632.png

 

 

 

Akash Thangavel, Network Security Engineer
0 Likes Likes

TomYoung
Cyber Elite
Cyber Elite

‎05-05-2023 08:01 AM

Hi @AkashThangavel ,

 

I understand your thought process.  Unfortunately, the Shared device group on Panorama is not the same thing as the Shared location on the NGFW.  The Shared device group on Panorama is shared across all NGFWs.  You can see the hierarchy in Panorama > Device Groups as mentioned in my 1st post.

 

So, if you uncheck the box when you import the NGFW configuration, the objects will be imported only into the device group, but they will still be in the shared location on the NGFW.

 

The best practice to import the objects into the Shared device group on Panorama is to allow you to eliminate redundant objects across your devices groups.  You can modify an object once for all devices.  Hopefully, I cleared up what the box in your picture is explaining.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

AkashThangavel
L2 Linker
In response to TomYoung

‎05-05-2023 08:39 AM

Hi Tom,

I can now understand the configuration, but while migrating the firewall configuration to the panorama, who wants the firewall configuration to be in the shared location and then how does it become a best practice to enable import of objects into the Shared device group on Panorama?

 

OR kindly same the use case for that scenario of enabling the import objects into the Shared device group on Panorama.

 

Thanks for your time, Mr TomYoung.

 

regards,

Akash Thangavel

Network Security Engineer

 

Akash Thangavel, Network Security Engineer
0 Likes Likes

TomYoung
Cyber Elite
Cyber Elite

‎05-05-2023 10:00 AM

Hi @AkashThangavel ,

 

If you do not have any objects in Shared on Panorama, you could have a lot of redundant objects across your device groups.  If you want to make changes, you may have to change the same object in multiple device groups.  Creating a device group hierarchy https://docs.paloaltonetworks.com/panorama/10-1/panorama-admin/panorama-overview/centralized-firewal... allows you to make changes once and push to all NGFWs.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.
0 Likes Likes

AkashThangavel
L2 Linker
In response to TomYoung

‎05-05-2023 10:03 AM

AkashThangavel_0-1683302668016.png

Kindly explain this statement from plan the transition to the panorama Tom..

Akash Thangavel, Network Security Engineer
0 Likes Likes

TomYoung
Cyber Elite
Cyber Elite

‎05-05-2023 10:11 AM

Hi @AkashThangavel ,

 

It is saying that a shared object on the NGFW will remain a shared object regardless if it is in the Panorama Shared device group or not.  Remember, they are not the same thing.  Think of the Panorama Shared device group as a global device group.  It has nothing to do with the NGFW shared context on the NGFW.

 

Thanks,

 

Tom

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.
0 Likes Likes

AkashThangavel
L2 Linker
In response to TomYoung

‎05-05-2023 09:52 PM

Hi Tom,

Bit confused on the shared object on the firewall.

In my firewall there is no any vsys, so whenever i created an object whether that is considered as a shared object or default vsys/vsys1.

 

regards,

Akash Thangavel

Network Security Engineer

 

Akash Thangavel, Network Security Engineer
0 Likes Likes

Raido_Rattameister
Cyber Elite
Cyber Elite

‎05-08-2023 05:28 AM

Ok here is really simplified explaination.

 

If you have address object in firewall and you import firewall config into Panorama then if previously mentioned checkbox is:

- checked > address object is imported into Panorama shared pool and will affect all firewalls

- not checked > address object is imported directly under Device Group of the firewall so affects only firewall(s) in this specific device group

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011
0 Likes Likes
  • 2297 Views
  • 11 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks