Hi @Yevgeny_Libov ,
Here is a good document on migrating a standalone HA pair to Panorama -> https://docs.paloaltonetworks.com/panorama/10-2/panorama-admin/manage-firewalls/transition-a-firewal....
There are some best practices that we can learn from it.
- Should I edit each FW template separately? HA pairs should be in one template to guarantee the same config on both. You can manage IP addresses for HA connections locally as the doc says or use template variables.
- Is there a way to edit interfaces on the primary FW node, and push it to update Panorama template settings? You can do this when you initially add the NGFWs to Panorama. After that, the config is the same, regardless of Panorama or local.
- Is it recommended in a case of HA pair to completely remove network management from Panorama? No. HA pairs can be easily managed from Panorama.
Here are a few things to consider:
- Config sync can be enabled after the pair is added to Panorama. Then local changes will be synchronized. Panorama changes are pushed to each NGFW individually and not synced.
- You will need to decide:
- Will you also managed Network and Device config from Panorama? If so, don't skip the Force Template values step. Also, enable Automated Commit Recovery 1st.
- What settings will be managed locally? The management interface is an obvious example. I like managing everything else from Panorama.
- What settings will be common across other NGFWs? This will determine device group hierarchy and template stack configurations.
The Beacon free course Managing Firewalls at Scale has some excellent guidance on the last bullet.
Thanks,
Tom
Help the community: Like helpful comments and mark solutions.
