I'm in the process of setting up our new firewalls. I went ahead and set up management on each of them, got them updated, got them paired up into Active/Passive, and am now following the Palo Alto 8.1 guide to migrate an HA config over to Panorama. I'm almost to the end but I have a question concerning the templates. The instructions say to delete the template for the secondary and then add the secondary into the template for the primary, but it also says: "Do not combine the HA firewall pair in to a single template if a unique Hostname, management IP address, or HA configuration is configured for each HA peer." I find this a little confusing since everything I've read indicates that each unit in the A/P pair still has to have unique management IP, hostname, etc. The guide I'm following is here: https://docs.paloaltonetworks.com/panorama/8-1/panorama-admin/manage-firewalls/transition-a-firewall-to-panorama-management/migrate-a-firewall-ha-pair-to-panorama-management Can anyone clue me in on what best practices is here? My intention was to have a single config with A/P so I don't have to duplicate VPN changes on a second template. The instructions say to turn config sync back on at the end too so it sounds like it is supposed to use a single template but then wouldn't that mean the passive firewall would be unreachable on its management port, even to Panorama? Thanks!
... View more