To test this feature, visit your live site.

Device Group and Firewall Configuration Merge

I have a Firewall currently setup in a Panorama Device Group.

I now want to to manage a new Firewall that has a similar set of rules (not a HA) so I want to put it in the same Device Group, so the rules are synced going forward.

My question is what happens to the rules on the 2nd Firewall when I add it to the Device Group and push the policy? Does the Device Group Rules (currently from the 1st Firewall import) get merged with the existing rules? Will duplicates get removed? Or will it overwrite the whole config?

Many thanks.

5 comments

Comments (5)

Reaper

Oct 31

This depends how you join the firewall to panorama

If you import and then push config bundle, all the local config is replaced (from panorama > setup > operations)

If you simply attach it to panorama, the pre-rules will be put above the existing rules, and the post-rules will be placed below. Your local rules will remain

Conflicting rules might cause a commit error, so make sure you update any names that might become duplicate

Edited

Reaper

Oct 31

Replying to

Ah so first import the whole thing and push bundle cleans up local config

If you then move it to a different device e group you're essentially replacing the config

So if you want to maintain the orifmginal rules, you'll need to merge them yourself

This could be done by adding the new device group as a child (subgroup) of the old one, or manually moving/cloning rules between device groups

stevegreen000

Oct 31

Replying to

Thank you Reaper.

That makes sense now. I am thinking I may temporarily go with a Subgroup as I know the 2nd Firewall has less rules (only one Firewall being updated in the past) but could have some unique rules as well. Then tidy up with a manual move/clone/delete and then move it up to the original Device Group in the future.

stevegreen000

Oct 31

Replying to

Just to add, following Reaper's previous post, I have previously been thinking about this incorrectly which I now understand.

Previously i have only ever migrated Firewalls to Panorama that have been HA Pairs and therefore you can assign them directly to the same Device Group as the Rulebase/Objects is exactly the same.

Now I am going to migrate 2 Firewalls to Panorama that are not a HA Pair and that although they have probably 95% of the Rules/Objects the same they do have some unique rules. In this case I need to have each as it's own Device Group and then parent them to a "Common" Device Group above which I can manually move all the rules that are the same to in the future. (or just add new common rules to in the future)

Forum: Forum