Thank you for posting question @d.spider
Is your question related to migration of a Firewall to be managed by Panorama? If yes, then there should be no down time / outage. If you are looking into importing Firewall configuration into Panorama and pushing Device Group / Template created based in imported configuration, then here is corresponding KB: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClZSCA0
When it comes to precautions, on the top of my head I can think of these points:
- Panorama should be running the same or higher PAN-OS version than Firewall.
- If Firewall is configured for HA refer to this KB: https://knowledgebase.paloaltonetworks.com/kcsArticleDetail?id=kA10g000000PNG0
- If you are going to reuse Device Group that is referring to any built in EDL and push it to Firewall that does not have Threat License, it will fail.
Alternative way to importing configuration to Panorama, would be to create a new Device Group + Template/Template stack, associate Firewall with Device Group and Template Stack and then push the configuration to Firewall. As long as the objects are using unique names and not duplicated with local configuration it will work, however drawback with this approach, ideally you want to clean up local configuration. Also, some of the setting from Template will not be applied unless you select: Force Template Values. Here is corresponding KB: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMj1CAG This option could be disruptive if not configured properly.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!