To test this feature, visit your live site.

Firewalls HA - PANORAMA - Pending Only Template/Template Stack - Device-Group already

Firewalls HA 52XX - PANORAMA - Pending Only Template/Template Stack

Hello good afternoon, as always, thank you very much for your cooperation and for your time.

I have the following scenario:

A pair of Firewall on HA PAN OS 9.1.X, Active Passive. Currently at PANORAMA ( PAN-OS 9.1.X) level, that pair of firewalls already has a Device-Group already existing in PANORAMA, which contains all the security policies, nats and obejcts, of the Firewalls.

The Device and Network level configurations are completely local, only the Device Group exists in Panorama, but there is no Template/Template Stack for this pair of firewalls in HA.

This pair of firewalls are fully in production and are of high criticality.

The idea is to have everything homologated and that the firewalls have both its Template/Template Stack for Network and Device, as their device groups (already has the device group), therefore what is the recommendation, considerations, suggestions, details, etc, that you could propose me to integrate a template/template stack of PANORAMA, this pair of firewalls in HA A/P that already have Device-Group and it only needs to have its Template/Template Stack to be managed from PANORAMA, the Device and Network settings, not local, as these two sections are currently

Thank you very much for your time and your collaboration.

I remain attentive to your comments.

Best regards.

3 comments

Comments (3)

Reaper

Nov 04, 2022

You can do it that way too, I would then reimport both, assign the same template to both, delete the 'local' config from the template, re-add them to the device group, and then push the config bundle to both

Reaper

Nov 04, 2022

The way I would do it, is to temporarily remove the 2 devices from panorama and add them again as fresh devices This will import all their current settings as a template Put the 2 devices in the appropriate device group and delete the newly created ones You now have a good workable situation as the new stacks will contain the config. If you like you can push the config bundle But, if you want it all in one template, this is what I like to do: Create 2 new templates (name them fw1-ha and fw2-ha for example) Then from cli do partial imports of the 'system' configs that are unique from the corresponding firewall template to the new "ha" template Import mgmt interface, ha, dynamic updates, service routes, dns, panorama config Delete these settings from the firewall template Then in the stacks, assignt the "ha" templates to each individual firewall and use one of the imported templates as shared template, remove the other Each stack will now have 2 templates, one with the individual configs like ha settings and mgmt IP, one with all the shared stuff like dp interfaces and the VR

MetgatzGR

Nov 04, 2022

Replying to

Hello good night @Reaper, thanks as always for your advice, time and suggestions.

The configuration of all the other firewalls that exist in PANORAMA, maintain the same logic, A template, a Template Stack for both Firewalls Active and passive of HA, and the config of MGT is maintained locally, as locally everything related to the HA configurations. Then it is required to maintain all homologated, ie 1 Template / 1 Template Stack for the two firewalls HA, and local everything related to MGT, HA, among others. For this case, what is your suggestion, details, considerations?

Thank you, I remain attentive, best regards

Forum: Forum