Cyber Elite

Hi @securehops,

Just to confirm that I'm understanding what you mean here...are you saying if on old pano, I have an object named "Object-A" with IP of 1.1.1.1 and on new Pano, I have an object named "Object-B" with IP 1.1.1.1, I should rename Object-A to Object-B on the old pano first?  Yes.  If you rename them on the old Pano, all the policies will have matching objects on the new Pano.  If you wait to do it after the merge, then you have to go through every rule with Object-B and change it to Object-A.  That is, of course, if you want all the objects to be consistent.

Also, are you saying the device group and template names on the old Pano should NOT be the same as they are on the new pano?  Yes.  I would keep them separate initially so that you have a like-for-like migration.  In that way you are reducing the number of changes during the maintenance window.  The #1 goal is to move the NGFW and have everything work.

Not sure I understand this one, is this different from #1 above?  Good catch.  It is not different.  I was emphasizing that Shared objects are the most important since they will be merged with Shared on the new Pano.

If on the old pano, I have 2 device groups and 4 templates, after the migration, does this mean I'll have 2 additional device groups and 4 additional templates on the new pano?  Yes, for the purpose of a like-for-like migration.  We don't want to break anything.

If so, after I migrate the FWs into the new pano, can I then safely move those FWs into the one existing device group that was already on the new pano?  Yes.  I would standardize device groups and templates after the move.  As you know, this will take a lot of work to ensure the configs stay the same.

The goal here is to have all of the firewalls in our current branch office device group.  This way all the security policies/decryption/etc policies are consistent.  Exactly.  You could also consider moving templates also so that you can change something once for all devices.  I had to install Panorama in my company after I had a few NGFWs set up.  It took some time to import the configurations and move things around.  It's done now, and very easy to make changes.

Thanks,

Tom
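
One way to find the Shared objects that need renaming before the merge, as an added example that is not part of the post above: it compares the Shared address objects of two exported Panorama configurations and lists same-value/different-name pairs (rename on the old Panorama) and same-name/different-value clashes. The XML snippets are constructed samples, and the `config/shared/address/entry` layout and the function names are assumptions of this example.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample exports; only the Shared address section is shown.
OLD_PANO = """<config><shared><address>
  <entry name="Object-A"><ip-netmask>1.1.1.1</ip-netmask></entry>
  <entry name="DNS-1"><ip-netmask>10.0.0.53/32</ip-netmask></entry>
  <entry name="Web"><fqdn>www.example.com</fqdn></entry>
  <entry name="Branch-Net"><ip-netmask>10.1.0.0/24</ip-netmask></entry>
</address></shared></config>"""

NEW_PANO = """<config><shared><address>
  <entry name="Object-B"><ip-netmask>1.1.1.1/32</ip-netmask></entry>
  <entry name="DNS-1"><ip-netmask>10.0.0.53</ip-netmask></entry>
  <entry name="Web"><fqdn>web.example.com</fqdn></entry>
</address></shared></config>"""

def shared_addresses(xml_text):
    """Return {object name: (type, normalized value)} for Shared address objects."""
    objs = {}
    for entry in ET.fromstring(xml_text).findall("./shared/address/entry"):
        for child in entry:
            if child.tag not in ("ip-netmask", "ip-range", "fqdn"):
                continue  # skip description, tag and other non-value elements
            value = (child.text or "").strip().lower()
            if child.tag == "ip-netmask":
                # Treat 1.1.1.1 and 1.1.1.1/32 as the same value
                value = str(ipaddress.ip_interface(value))
            objs[entry.get("name")] = (child.tag, value)
    return objs

def compare(old_xml, new_xml):
    """Return (renames, clashes) between old and new Shared address objects."""
    old, new = shared_addresses(old_xml), shared_addresses(new_xml)
    by_value = {value: name for name, value in new.items()}
    # Same value, different name: rename on the old Panorama before the merge
    renames = {name: by_value[value] for name, value in old.items()
               if value in by_value and by_value[value] != name}
    # Same name, different value: merging Shared would change what rules match
    clashes = sorted(n for n, v in old.items() if n in new and new[n] != v)
    return renames, clashes

if __name__ == "__main__":
    renames, clashes = compare(OLD_PANO, NEW_PANO)
    for old_name, new_name in renames.items():
        print(f"rename on old Panorama: {old_name} -> {new_name}")
    for name in clashes:
        print(f"same name, different value: {name}")
```

Objects that exist only on the old Panorama (such as `Branch-Net` in the sample) are not reported, since they merge into Shared without a conflict.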
