Panorama - Wrong Password Hashes/Salts After Migration To Panorama

L1 Bithead

Hi everybody,

 

I noticed something when migrating standalone firewalls to Panorama-managed.
In the past, I had multiple customers where I needed to migrate the local firewall configuration to Panorama-managed, and I am always following the official documentation here: https://docs.paloaltonetworks.com/panorama/10-0/panorama-admin/manage-firewalls/transition-a-firewal...

 

What I noticed is that after the config migration to Panorama, all secrets in the config were invalid. I noticed it especially on a customer with around 50 IPsec tunnels, where after the migration the log was full of authentication failures. So after re-entering all pre-shared keys in the Panorama templates for all of the IPsec tunnels, they all came up.

I also noticed it with the LDAP configuration. Right after the migration I was not able to log in to the firewall with an LDAP user, and we saw in the logs of the LDAP server that there was a wrong password for the configured Palo Alto LDAP service user. Again, after re-entering the password of the LDAP service user on the Panorama template, I was able to log in again with LDAP.

 

I have seen this behavior on multiple customers now, with different firewalls (440, 5220, VM-Series). They all had in common that they were running a Panorama version 10.0.8+ or 10.1.2+ with firewalls running 10.0.8+ (5220, VM-Series) or 10.1.2+ (440).

 

Has anyone else seen this behavior? Am I missing something in the steps for Panorama migration?

I have learned now that when I have to migrate to Panorama, I change all passwords before I push the config back to the devices.

 

Thank you all,

Martin

Nothing lasts longer than a temporary solution.