How to manage a firewall with local or overridden settings from Panorama

Created On 06/04/20 15:22 PM - Last Modified 10/12/21 01:18 AM


Objective


This article describes how to break the firewall off from Panorama, save all settings as local, and re-import the firewall back into Panorama as though it were a new firewall, without losing any settings on the currently functioning firewall.
  • Sometimes users have local configurations or overridden settings on the firewall that can make management by Panorama a challenge.
  • Reverting overridden configuration can cause unknown problems because customers often don't know what the configuration differences are between the firewall and Panorama.


Environment


A firewall with local and/or overridden configurations that is managed by Panorama. 

Procedure


1) Export a named configuration snapshot and the device state from the firewall. Always take backups before starting, in case you make a mistake.
  • Device>>Setup>>Operations>> Save named configuration snapshot
  • Device>>Setup>>Operations>> Export named configuration snapshot
  • Device>>Setup>>Operations>> Export device state

2) Disable Panorama Policy and Objects, and disable Device and Network Templates
  • Device > Setup > Management > Panorama Settings
[Screenshot: Panorama Settings]

Choose Disable Panorama Policy and Objects.
Be sure to select the box labeled Import Panorama Policy and Objects before disabling.
  • If you do not select the box, the Panorama-pushed settings will be lost.
[Screenshot: Panorama Policy and Objects box]
Click OK.

Choose Edit Device and Network Template.
Be sure to select the box labeled Import Device and Network Template before disabling.
  • If you do not select the box, the Panorama-pushed settings will be lost.
[Screenshot: Device and Network Template]


3) Commit your changes to the firewall. All Panorama gear icons (green, or yellow over green) should now be gone.
  • All configuration is now local to the firewall.

4) Remove the template and device groups, and finally the firewall itself, from Panorama

Panorama > Templates
  • Remove the template stack
  • Remove the template

Delete the device from its Device Group
  • From Panorama > Device Groups; this also removes it from Panorama > Managed Devices > Summary

Delete the firewall from the Managed Devices list


5) Commit to Panorama

6) Import the firewall to Panorama.
  • All firewall settings will be imported and managed by Panorama.
Panorama>> Managed Devices>> Summary and click Add
  • Enter the firewall serial number

Select Commit>> Commit to Panorama to commit the change.

If the Panorama IP is configured on the firewall and connectivity is OK, the firewall should show as connected soon after committing.

Be sure to re-enable the Panorama Policy and Objects and Device and Network Templates buttons on the firewall:
  • Click the Enable button, then click OK in the resulting pop-up.
  • Click OK on the Panorama Settings box.
  • Perform a commit on the firewall.

7) Import the firewall configuration to Panorama

On Panorama, navigate to Panorama > Setup > Operations.
Click "Import device configuration to Panorama."
Select the firewall from the "Device" pull-down.

Here you may edit the names of the Device, Template and Device Group.
  • You cannot use the name of a device group that already exists.
  • It is best practice to leave "Import device's shared objects into Panorama's shared context" checked unless you have a specific reason not to.

Click OK to import the device config and create the template and device group.

Select Commit>> Commit to Panorama to commit the change.

8) Push the configuration from Panorama to the newly added device.

To prevent duplicate rule or object names, push the device group configuration from Panorama to the firewall to avoid commit errors.
  • This step is required to successfully migrate firewall management to the Panorama management server. Failure to perform this step successfully causes configuration errors and commit failures.
Select Panorama>>Setup>>Operations and click Export or push device config bundle.

Choose either "Push & Commit" or "Export."
  • Push & Commit: This option overwrites any local configuration on the firewall with the firewall configuration stored on Panorama. This succeeds where a normal commit would generate errors for objects and rules that exist both in Panorama and on the firewall.
  • Export: This option exports the configuration to the firewall but does not load or commit it. Load the configuration manually from the CLI by running the command "load device-state", then commit the configuration.
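Step 8 exists because a normal commit fails when the same rule or object name exists both locally on the firewall and in the Panorama device group. The following Python script is an added example, not part of this article or of Palo Alto Networks' tooling: it compares an exported firewall running config with an exported Panorama config and lists the names present on both sides, so the conflict can be seen before the push. It assumes the standard PAN-OS XML layout (rulebase, pre-rulebase and post-rulebase containers, plus address and service containers holding named entries) and uses constructed sample configs in place of real exports.

```python
"""Find rule and object names present in both a firewall's local running config
and a Panorama device-group config. Added example, not from the KB article; the
XML layout is the PAN-OS configuration schema as assumed here, and both configs
below are constructed samples rather than real exports."""
import xml.etree.ElementTree as ET

# Constructed sample: local firewall running config (abbreviated).
FIREWALL_XML = """<config>
  <shared><address><entry name="dns-server"><ip-netmask>10.0.0.53</ip-netmask></entry></address></shared>
  <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
    <address><entry name="web-srv"><ip-netmask>10.0.1.10</ip-netmask></entry></address>
    <rulebase><security><rules>
      <entry name="allow-web"/><entry name="local-only-rule"/>
    </rules></security></rulebase>
  </entry></vsys></entry></devices>
</config>"""

# Constructed sample: Panorama config with one device group.
PANORAMA_XML = """<config>
  <shared><address><entry name="dns-server"><ip-netmask>10.0.0.53</ip-netmask></entry></address></shared>
  <devices><entry name="localhost.localdomain"><device-group><entry name="branch-dg">
    <address><entry name="web-srv"><ip-netmask>10.0.1.10</ip-netmask></entry></address>
    <pre-rulebase><security><rules><entry name="allow-web"/></rules></security></pre-rulebase>
    <post-rulebase><security><rules><entry name="deny-all"/></rules></security></post-rulebase>
  </entry></device-group></entry></devices>
</config>"""

# Container paths whose child <entry name="..."> names must not collide across both sides.
CHECKS = {
    "security rules": [".//rulebase/security/rules", ".//pre-rulebase/security/rules",
                       ".//post-rulebase/security/rules"],
    "address objects": [".//address"],
    "service objects": [".//service"],
}

def entry_names(root, paths):
    """Collect the names of every named <entry> under each matching container."""
    names = set()
    for path in paths:
        for container in root.iterfind(path):
            names.update(e.get("name") for e in container.findall("entry") if e.get("name"))
    return names

def find_conflicts(firewall_xml, panorama_xml):
    """Return {category: sorted names} for names that exist on both sides."""
    fw, pano = ET.fromstring(firewall_xml), ET.fromstring(panorama_xml)
    conflicts = {}
    for category, paths in CHECKS.items():
        dup = entry_names(fw, paths) & entry_names(pano, paths)
        if dup:
            conflicts[category] = sorted(dup)
    return conflicts

if __name__ == "__main__":
    for category, names in find_conflicts(FIREWALL_XML, PANORAMA_XML).items():
        print(f"{category}: {', '.join(names)}")
```

Replace the two constants with the contents of a firewall running-config export and a Panorama config export to check a real pair; any name listed is one that the Push & Commit option in step 8 resolves and a plain commit would reject.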
When you choose "Push & Commit" you will see a job triggered on Panorama and can view the Job Status details.

Click OK on the resulting window.

We chose Push & Commit and get the following pop-up.

9) Push the Panorama config to the firewall

Select "Commit>> Push to Devices" and select the options "Merge with Device Candidate Config", "Include Device and Network Templates", and "Force Template Values".
  • After this final Push to Devices you should see all of your configuration on the firewall managed from Panorama, and your firewall should be in sync with the Panorama config.
  • Do NOT skip this step.


 

