To test this feature, visit your live site.

Move firewalls from one Device-Group to another Device-Group.

Hello, good afternoon, I'm new to the administration of Panorama, thank you very much for your support and collaboration.

I have the following question:

Stage detail:

Panorama- Device Group "INT-PA" : Members: PA-INT01 and INT02 ( HA )

Device Group "NEW-INT-PA": Members: NEW-INT-PA-01 AND NEW-INT-PA-02 (HA ).

-In the first Device Group INT-PA, I have configured a lot of policies and objects.

-Now the topic is as follows, I want to move members NEW-INT-PA-01 and NEW-INT-PA-02 from Device-Group: from NEW-INT-PA to Device Group "INT-PA". I am not interested in keeping absolutely nothing of the Device Group NEW-INT-PA configurations, since this Device Group is only transitional, it has nothing of interest configured.

Therefore what I need is that the members of NEW-INT-PA-01 and NEW-INT-PA-02 receive all the policies and objects from Device Group "INT-PA" . Therefore, after explaining the details of the scenario, the question is, just remove the firewalls NEW-INT-PA-01 and NEW-INT-PA-02 as members of the Device Group "NEW-INT-PA" and then add them to the Device Group INT-PA, so that the Palo Alto NEW-INT-PA-01 and NEW-INT-PA-02 inherit all the policies and objects, also eliminating all possible traces of configurations (some other device policy transition group ) from the other DG, and getting without problems, all the config from the DG:"INT-PA".

Thank you very much for your support, collaboration and for your time.

I remain attentive, cordial greetings and very attentive to your comments

5 comments

Comments (5)

Reaper

May 04, 2022

Routing and interfaces are all part of the same configuration, and introducing overrides there leaves you open to a lot of "unexpected behavior". In my experience it is best to move all configuration to panorama and then force the template so all the local overrides are removed

Reaper

May 04, 2022

I usually create a template stack for each firewall, and then add the templates as needed. In that case you would not need to touch the template stack (rename it if you ant) and move all the required templates into the stack, and remove any templates that are no longer being used.

MetgatzGR

May 04, 2022

Replying to

Hello Reaper, thank you very much for your answer and thank you very much for your collaboration. Doubt assails me again and I ask you again now to be free of doubts.

I continue in relation to the template/tempkate stack, as a complement to your last answer. Since I see that it is feasible to only move the firewalls from a stack template to another stack, the firewall will eliminate all the configuration injected from the old stack and will only keep the latest configurations, from the new stack, and then it is only time to debug template and adjust settings.

-For example, if I have locally configured the interfaces of a Palo Alto firewall and I decide to use a template, a template that includes "the same settings" as the local interface configurations plus some additional settings, such as AE, subinterfaces.

When pushing the configuration, will there be a problem that the local configurations, in part, are equal to the template (in part, since I add the AE and the subinterfaces) and that they are in a template? What is the operation that occurs in this case, the template and the injected configuration overlaps the local configurations and overwrites them and always defines them as from the template, or will I get some kind of error when doing the push from Panorama and which are partly the same settings and parameters?

From already thank you very much

Reaper

May 04, 2022

That is correct. If you don't care about the configuration in NEW-INT-PA, simply move your firewalls over to INT-PA

MetgatzGR

May 04, 2022

Replying to

Excellent Reaper, thank you very much for your answer.

I bother you again with a question, let's say similar to the case detailed above, but this time, with the case of firewalls and their Template and Template Stack where they belong.

It is only enough to move the firewalls from one Tempalte Stack to another so that Panorama injects the configurations ? or in this matter of the template/template sktack there are other details and considerations? It is enough to move the Firewalls, from a template stack and the configurations injected by the old template stack, they will disappear and only the Network and Device configurations will be present, from the new Template Stack, that is, they will receive the configurations only from where they were moved and added, of the temple of destiny? There will be no trace of the configuration of the old tempalte stack? only of the configurations from the new template of destination of the firewalls?.

Thanks Reaper, I'll stay ahead, thanks again for your collaboration.

Forum: Forum