Panorama integration


L1 Bithead

Do we foresee any downtime while bringing existing running firewalls behind a Panorama server? Also, what precautions should we consider for such work?


L4 Transporter

Thank you for posting your question, @d.spider

Is your question related to migrating a Firewall to be managed by Panorama? If yes, then there should be no downtime / outage. If you are looking into importing the Firewall configuration into Panorama and pushing a Device Group / Template created based on the imported configuration, then here is the corresponding KB: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClZSCA0

When it comes to precautions, off the top of my head I can think of these points:

- Panorama should be running the same or a higher PAN-OS version than the Firewall.

- If the Firewall is configured for HA, refer to this KB: https://knowledgebase.paloaltonetworks.com/kcsArticleDetail?id=kA10g000000PNG0

- If you are going to reuse a Device Group that refers to any built-in EDL and push it to a Firewall that does not have a Threat License, it will fail.

An alternative to importing the configuration into Panorama would be to create a new Device Group + Template/Template Stack, associate the Firewall with the Device Group and Template Stack, and then push the configuration to the Firewall. As long as the objects use unique names and are not duplicated in the local configuration, it will work; however, the drawback with this approach is that ideally you want to clean up the local configuration. Also, some of the settings from the Template will not be applied unless you select: Force Template Values. Here is the corresponding KB: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMj1CAG This option could be disruptive if not configured properly.

 

Kind Regards

Pavel

Pavel Kucera
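
A pre-flight check for two of the precautions in the reply above (Panorama on the same or a higher version, and unique object names when pushing a new Device Group), as an added example that is not part of the original post and is not Palo Alto Networks code. The XML fragments and version strings are constructed and simplified; the function names and the hotfix-aware version comparison are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed, simplified config fragments (not real exports).
LOCAL_XML = """<config><devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
  <address><entry name="web-srv"/><entry name="db-srv"/></address>
  <service><entry name="tcp-8443"/></service>
</entry></vsys></entry></devices></config>"""
DEVICE_GROUP_XML = """<device-group><entry name="branch-dg">
  <address><entry name="web-srv"/><entry name="dns-srv"/></address>
  <service><entry name="tcp-8443"/></service>
</entry></device-group>"""

def parse_version(version):
    """'10.1.6-h3' -> (10, 1, 6, 3); a release without a hotfix counts as hotfix 0."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognized PAN-OS version: {version!r}")
    return tuple(int(g or 0) for g in m.groups())

def panorama_version_ok(panorama, firewall):
    """True when Panorama runs the same or a higher version than the firewall."""
    return parse_version(panorama) >= parse_version(firewall)

def object_names(xml_text, kinds=("address", "address-group", "service")):
    """Map each object kind to the set of <entry name="..."> names found under it."""
    root = ET.fromstring(xml_text)
    return {kind: {e.get("name") for parent in root.iter(kind)
                   for e in parent.findall("entry")} for kind in kinds}

def name_collisions(local_xml, device_group_xml):
    """Names defined both locally and in the Device Group, grouped by kind."""
    local, pushed = object_names(local_xml), object_names(device_group_xml)
    return {k: sorted(local[k] & pushed[k]) for k in local if local[k] & pushed[k]}

if __name__ == "__main__":
    # Constructed version strings for illustration.
    print("version ok:", panorama_version_ok("10.2.4", "10.1.6-h3"))
    print("collisions:", name_collisions(LOCAL_XML, DEVICE_GROUP_XML))
```

Any name reported as a collision should be renamed or removed from the local configuration before the first push.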

L1 Bithead

This is really helpful 
