Migrate a Multi-vSYS enabled Firewall HA Pair to Panorama Management

44953
Created On 11/29/18 09:59 AM - Last Modified 08/03/20 18:30 PM


Symptom


When importing multi-vSYS enabled HA peers into Panorama, the import of the first peer succeeds but the import of the second HA peer fails with a validation error.

Example job result:

Operation Import
Status Completed
Result Failed
Details
  • Device: 001701010233
  • Template: Lab80-249-PA-3050
  • Device group: Custom
  • Options: Import objects as shared if possible
  • Failed to add imported nodes from device to Panorama. Validation failed.


Environment


  • PAN-OS 8.0 and above.
  • Palo Alto Firewall.
  • Any Panorama.


Cause


This error is caused by duplicate vSYS names. During import, Panorama creates a template (and device group) for each vSYS of the firewall; when the second HA peer is imported, its vSYS names are identical to those of the first peer, so the import fails validation because an entry with the same name already exists.

The configd debug log shows which node collides:
 
> less mp-log configd.log

2018-11-29 01:26:58.223 -0800 debug: pan_jobmgr_process_job(pan_job_mgr.c:2953): device configuration import job was successful
2018-11-29 01:26:58.223 -0800 Error:  pan_cfg_validate_config_import(pan_cfg_config_import_handler.c:3101): 
                         device group devices/entry[@name='localhost.localdomain']/device-group/entry[@name='vsys-1'] already exists   <========
2018-11-29 01:26:58.223 -0800 Error:  pan_cfg_device_config_import_fini(pan_cfg_config_import_handler.c:3750):
                         Failed to add imported nodes from device to Panorama. Validation failed.
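To spot this failure quickly in a configd.log capture (for example when checking a peer before re-running the import), the following added Python example, which is not part of the article, joins each multi-line log record and extracts the name of the node that Panorama reported as already existing. The `template` alternative in the pattern is an assumption; the article only shows the device-group form of the message.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the configd.log excerpt shown in the Cause section.
SAMPLE_LOG = """\
2018-11-29 01:26:58.223 -0800 debug: pan_jobmgr_process_job(pan_job_mgr.c:2953): device configuration import job was successful
2018-11-29 01:26:58.223 -0800 Error:  pan_cfg_validate_config_import(pan_cfg_config_import_handler.c:3101):
                         device group devices/entry[@name='localhost.localdomain']/device-group/entry[@name='vsys-1'] already exists   <========
2018-11-29 01:26:58.223 -0800 Error:  pan_cfg_device_config_import_fini(pan_cfg_config_import_handler.c:3750):
                         Failed to add imported nodes from device to Panorama. Validation failed.
"""

# A record starts with "YYYY-MM-DD HH:MM:SS.mmm +ZZZZ"; continuation lines are indented and carry no timestamp.
TS_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+ [+-]\d{4}) ")
# "template" is an assumed alternative; the article only shows the device-group form of this message.
EXISTS_RE = re.compile(
    r"(?P<kind>device group|template)\s+"
    r"(?P<xpath>\S+/entry\[@name='(?P<name>[^']+)'\])\s+already exists"
)


def join_records(text: str) -> List[str]:
    """Merge indented continuation lines into the preceding timestamped record."""
    records: List[str] = []
    for line in text.splitlines():
        if TS_RE.match(line) or not records:
            records.append(line.rstrip())
        else:
            records[-1] = records[-1] + " " + line.strip()
    return records


def find_import_conflicts(text: str) -> List[Dict[str, str]]:
    """Return one entry per 'already exists' validation error found in configd.log text."""
    conflicts: List[Dict[str, str]] = []
    for rec in join_records(text):
        if "Error:" not in rec:
            continue  # debug/info records never carry the validation failure
        m = EXISTS_RE.search(rec)
        if m is None:
            continue
        ts = TS_RE.match(rec)
        conflicts.append({
            "timestamp": ts["ts"] if ts else "",
            "kind": m["kind"],
            "name": m["name"],
            "xpath": m["xpath"],
        })
    return conflicts


if __name__ == "__main__":
    for c in find_import_conflicts(SAMPLE_LOG):
        print(f"{c['timestamp']}: {c['kind']} '{c['name']}' already exists on Panorama ({c['xpath']})")
```

Run it against a copy of `mp-log configd.log` taken from Panorama; each reported name is a vSYS-derived node that must not exist before the second peer is imported.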


Resolution



Step 1:
  • Disable configuration synchronization between the HA peers.
    Note: Repeat these steps on both firewalls in the HA pair.
    1. Log in to the web interface on each firewall, select Device > High Availability > General, and edit the Setup section.
    2. Clear Enable Config Sync and click OK.
    3. Commit the configuration changes on each firewall.
Step 2:
  • Connect each firewall to Panorama.
    1. Log in to the web interface on each firewall, select Device > Setup > Management, and edit the Panorama Settings.
    2. In the Panorama Servers fields, enter the IP addresses of the Panorama management servers, confirm that Panorama Policy and Objects and Device and Network Template are enabled, and click OK.
    3. Commit the configuration changes on each firewall.
Step 3:
  • Add each firewall as a managed device.
    1. Log in to Panorama, select Panorama > Managed Devices, and click Add.
    2. Enter the serial number of each firewall and click OK.
    3. Select Commit > Commit to Panorama and commit your changes.
    4. Verify that the Device State for each firewall is Connected.
    Note: Managed Devices shows one entry per vSYS (in the article's example, 5 vSYS per firewall).
Step 4:
  • Import the device group and template configuration from HA peer-1 only to Panorama.
    Note: The order does not matter; you can import the Active peer first and then the Passive peer, or the opposite.
    1. In Panorama, select Panorama > Setup > Operations, click Import device configuration to Panorama, and select the Device.
    2. Select Commit > Commit to Panorama and commit your changes.
Step 5:
  • Push the configuration to the firewall imported in step 4.
    1. In Panorama, select Panorama > Setup > Operations and select Export or push device config bundle.
    2. Select the Device, click OK, and select Push & Commit.
    3. Click OK after the export has completed successfully.
    4. Push to Devices the device group and template configuration to the firewall selected in step 4 only.
    5. Select Panorama > Managed Devices and verify that the device group and template are in sync for that firewall.
    Note: If this step was successful, the Managed Devices view shows the device group and template as in sync for that firewall.
Step 6:
  • Delete the device groups imported in step 4, then import the HA peer-2 device group and template configuration to Panorama.
    1. In Panorama, select Panorama > Device Groups, select the device groups imported from HA peer-1, and delete them (no need to Commit to Panorama).
    2. In Panorama, select Panorama > Setup > Operations, click Import device configuration to Panorama, and select the second device.
    3. Select Commit > Commit to Panorama and commit your changes.
Step 7:
  • Push the configuration to the firewall imported in step 6.
    1. In Panorama, select Panorama > Setup > Operations and select Export or push device config bundle.
    2. Select the Device, click OK, and select Push & Commit.
Step 8:
  • Associate HA peer-1 and HA peer-2 in one device group.
    1. In Panorama, select Panorama > Device Groups and edit each device group, adding HA peer-1.
    2. In Panorama, select Commit > Commit to Panorama and commit your changes.
    Note: If the commit was successful, each device group now lists both HA peers.
Step 9:
  • Push the configuration to both devices.
    1. In Panorama, select Commit > Push to Devices and select the Device Groups and Templates of both devices.
    2. Select Panorama > Managed Devices and verify that the device group and template are in sync for both firewalls.
    Note: If this step was successful, the Managed Devices view shows both firewalls as in sync.
Step 10:
  • Enable configuration synchronization between the HA peers.
    1. Log in to the web interface on each firewall, select Device > High Availability > General, and edit the Setup section.
    2. Select Enable Config Sync and click OK.
    3. Commit the configuration changes on each firewall.


Source: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CmM0CAK&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail