How to remove a Firewall from Panorama

How to remove a Firewall from Panorama

80100
Created On 01/17/19 21:22 PM - Last Modified 05/20/21 02:42 AM


Objective
Steps on how to remove a firewall that is managed by Panorama while keeping both the local config and Panorama pushed config on the firewall by merging both during the process. 

 


Environment
  • Panorama
  • Firewall connected/managed by Panorama


Procedure
Login to Firewall Web UI
  1. Take a backup
    1. Device > Setup > Operations
    2. Click Export Device State  (saves local config as well as Panorama Templates and Device Group config)
  2. Device > Setup > Management
  3. Click (gear icon) on Panorama Settings
  4. Click Disable device and Network Template and check the box Import Device and Network Template before disabling, then click OK
           User-added image
  1. Click Disable Panorama Policy and Objects and check the box Import Panorama Policy and Objects before disabling, then click OK
User-added image
  1. Verify all the policies pushed from Panorama are still show on firewall before moving to step 4
  2. From Device > Setup > Management > Panorama Settings
    1. Delete the Panorama IP address
User-added image
  1. Commit 

Login to Panorama
  1. Save a copy of the current config for backup
    1. Panorama > Setup > Operations
    2. Click "Save named Panorama configuration snapshot"
    3. Name the config file (today's_date_running_config, before_fw_removal, etc)
  2. Panorama > Managed Devices > Summary
    1. Verify the firewall Device State show as Disconnected
User-added image
  1. Panorama > Templates
    1. Remove the device from “template-stack”
User-added image
 
  1. Remove the device from “Template”
     
User-added image
  1. Delete device from "Device Group"
    1. Panorama > Device Groups which then removes it from Panorama > Managed Devices > Summary 
User-added image
  1. Delete the firewall from the "Managed Device" device list
User-added image
  1. Commit to Panorama


Additional Information
Note:
  • This article is to remove the standalone firewall from Panorama.
  • If a HA (High Availability) Firewall Pair must be removed from Panorama, then "config sync" needs to be disabled, and "commit" must be completed prior to starting the removal process.
  • If not, due to HA config sync, one of the firewalls may end up with double policies (one from Panorama and the second from config sync of the Peer). This may result in commit failure


Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cmd6CAC&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments