- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
02-07-2023 08:48 AM - edited 02-07-2023 08:51 AM
Hi,
We have a pair of Panorama devices for managing couple of pairs of Firewalls ( in HA ) all in Azure. We have scheduled the config export which is scheduled everyday to store the config backups of Panorama+Firewalls in a server.
If there were a scenario ( I know its very unlikely on Azure since there are Availabilty Zones configured ) but in the very rare case that both availability zones are down ( which host one firewall each in HA ), then , will the config backups be enough to restore the firewalls. The steps for restoration in this case as follows:
1. We would want the firewalls up and running (post all the backend networking configured in some new region ), for this we would run the ARM templates.
2. To restore the config backups which are stored (and backed up by Azure ) to the newly built firewalls.
However in the above case, we would require Device states of the firewalls and config backups are of no use in this scenario because our policies which are managed by Device Templates can be restored. ( At this point there isnt any newly rebuilt Panoramas in the picture and we would like to build it at the end to get the services up and running first and foremost )
Keeping the scenario in mind, How does one schedule a export of Device states of firewalls because they are very useful in such scenarios. Please let me know any suggestions on this.
02-10-2023 12:03 PM
If the ARM template has bootstrapping parameters that makes them connect to Panorama, and you have the panorama configuration outside even if you had a Panorama Outage + VM series outage you could redeploy with Only the ARM template and deploying a new panorama,
You can make the panorama automatically push the config if the devices have dg and template configured in the boostrapping
I would highly recommend to you to look into vm-series scale set in azure, so that if you have an outage the scale set deploys automagically another device without any intervention of you.
02-10-2023 12:03 PM
If the ARM template has bootstrapping parameters that makes them connect to Panorama, and you have the panorama configuration outside even if you had a Panorama Outage + VM series outage you could redeploy with Only the ARM template and deploying a new panorama,
You can make the panorama automatically push the config if the devices have dg and template configured in the boostrapping
I would highly recommend to you to look into vm-series scale set in azure, so that if you have an outage the scale set deploys automagically another device without any intervention of you.
02-14-2023 08:24 AM
Hello @GabrielMontiel ,
Thanks for your reply !!
Am I correct in my understanding that I need to first deploy a Panorama ( using templates + parameters + Config backup file all stored externally ) then the next step is create the firewalls using the ARM templates + the parameters files which is included when we use the " Export template" option in Azure and then finally we integrate the firewalls with the Panorama ?
Regarding VM-series scale set, I can see it deploys to different Availability zones, but what if I have two firewalls configured in two zones ( say 1+2 ) and both crashed ( I know its super rare ) then would the scale set be useful or we need the first option ( ARM templates etc )
Thanks again for the reply.
02-14-2023 11:03 AM
Replying to the first question, yes you need to deploy the panorama first.
Second question, if Zone 1 and 2 Fails at the same time, your firewalls will be down no matter if you have standalone vm-series or a scale set. Because standalone virtual machines also reside in a Zone, its not like you have better availability having a virtual machine. I would recommend scaleset + load balancer 99% of the time
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!