This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Who rated this post

TomYoung
Cyber Elite
Cyber Elite

‎11-30-2022 05:18 AM - edited ‎11-30-2022 08:04 AM

Hi @Sujanya ,

 

@reaper is correct that ideally the Day 1 Configuration is for Day 1, but it is good to try to add them later rather than never.

 

If you load the Day 1 Configuration on the NGFW and then add it to the appropriate device group and template stack in Panorama:

 

  1. The above configuration will work.
  2. The Day 1 Configuration will be local to the firewall.
    1. If you have duplicate policies or objects, you will get an error.  This is unlikely unless you have configured some Day 1 items before.
    2. Network or device configurations will not be overwritten unless you select Force Template Values.

To manage the Day 1 Config from Panorama, you have a few of options.

 

  1. Import the firewall configuration into separate a separate device group and template (1st URL below).  Messy.
  2. Import the NGFW configuration to Panorama and load config partial the pieces (2nd URL below).  Still messy.
  3. Create a Day 1 Configuration for Panorama.  Maybe messy maybe not.
    1. Import but do not load it.  Do not load the Day 1 Configuration on the NGFW.
    2. Add the Day 1 Configuration device group and template to the candidate configuration via load config partial.
    3. Nest the Day 1 Configuration device group (sample_devicegroup) into your hierarchy and add the Day 1 Configuration template (iron-skillet) to your stack.

Try the commands below at your own risk to see if it adds the Panorama Day 1 Configuration device group and template to your Panorama candidate configuration.

 

load config partial mode merge from-xpath /config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='sample_devicegroup']  to-xpath /config/devices/entry[@name='localhost.localdomain']/device-group from <day1filename>

 

load config partial mode merge from-xpath /config/devices/entry[@name='localhost.localdomain']/template/entry[@name='iron-skillet']  to-xpath /config/devices/entry[@name='localhost.localdomain']/template from <day1filename>

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CloRCAS

https://docs.paloaltonetworks.com/panorama/10-1/panorama-admin/manage-firewalls/transition-a-firewal...

 

Thanks,

 

Tom

 

Edit:  With regard to Panorama, loading the Day 1 Configuration for a new Panorama build is ideal.  It also includes modifications to the "shared" device group and items under the Panorama tab in addition to the device group and templates referenced above.

Help the community: Like helpful comments and mark solutions.
(1)
Who rated this post
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks