Firewall's Device Group "Out Of Sync" After Importing New Config to Panorama

Created On 04/14/19 01:34 AM - Last Modified 05/27/20 03:03 AM


Symptom


A firewall's Device Group that was in sync goes out of sync after a new firewall's configuration is imported and committed on Panorama.

The document below was followed to import a firewall's config.
Migrate a Firewall to Panorama Management
 


Environment


  • Any Panorama.
  • Palo Alto Firewall (managed by Panorama).
  • PAN-OS 8.0 and above.


Cause


Devices go out of sync when the "Import devices' shared objects into Panorama's shared context" check box is selected.

When "Import devices' shared objects into Panorama's shared context" (device group specific objects will be created if unique) is enabled, Panorama imports objects that belong to Shared in the firewall to Shared in Panorama.

NOTE: Panorama regards all objects as shared on a firewall without multiple virtual systems. If you disable this option, Panorama copies shared firewall objects into device groups instead of Shared. 
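As an added illustration (not part of the original article and not Palo Alto Networks code), this Python sketch diffs a Panorama configuration taken before and after an import and reports which scope received the new objects. New objects under Shared are the case the article ties to devices going out of sync. The XML is a constructed sample; the device group names, object names and the minimal `shared` / `device-group` layout are assumptions.

```python
import xml.etree.ElementTree as ET

OBJECT_TYPES = ("address", "address-group", "service", "service-group", "tag")

# Constructed sample objects (names and addresses are made up for this example).
DNS = '<entry name="dns-server"><ip-netmask>10.0.0.53/32</ip-netmask></entry>'
FW_OBJ = '<entry name="web-srv"><ip-netmask>192.0.2.10/32</ip-netmask></entry>'

def panorama(shared_addrs, dgs):
    """Build a minimal constructed Panorama config; dgs maps device group -> address XML."""
    groups = "".join(f'<entry name="{n}"><address>{a}</address></entry>'
                     for n, a in dgs.items())
    return (f'<config><shared><address>{shared_addrs}</address></shared>'
            f'<devices><entry name="localhost.localdomain"><device-group>{groups}'
            f'</device-group></entry></devices></config>')

BEFORE = panorama(DNS, {"DG-existing": ""})
# Import with the shared-objects check box selected: the firewall object lands in Shared.
AFTER_CHECKED = panorama(DNS + FW_OBJ, {"DG-existing": "", "DG-new-fw": ""})
# Import with the check box cleared: the object is copied into the new device group.
AFTER_UNCHECKED = panorama(DNS, {"DG-existing": "", "DG-new-fw": FW_OBJ})

def scope_objects(config_xml):
    """Map each scope ("shared" or a device group name) to its set of (type, name)."""
    root = ET.fromstring(config_xml)
    scopes = {"shared": root.find("shared")}
    for dg in root.findall("devices/entry/device-group/entry"):
        scopes[dg.get("name")] = dg
    result = {}
    for scope, elem in scopes.items():
        found = set()
        if elem is not None:
            for otype in OBJECT_TYPES:
                for entry in elem.findall(f"{otype}/entry"):
                    found.add((otype, entry.get("name")))
        result[scope] = found
    return result

def import_delta(before_xml, after_xml):
    """Objects the import added, per scope; scopes without additions are omitted."""
    before, after = scope_objects(before_xml), scope_objects(after_xml)
    delta = {}
    for scope, objs in after.items():
        added = objs - before.get(scope, set())
        if added:
            delta[scope] = sorted(added)
    return delta

if __name__ == "__main__":
    print("check box selected:", import_delta(BEFORE, AFTER_CHECKED))
    print("check box cleared: ", import_delta(BEFORE, AFTER_UNCHECKED))
```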


Resolution


Do not select the check box "Import devices' shared objects into Panorama's shared [...]" while importing the device config. The objects are then not imported to Shared, and older devices do not go out of sync.

For more details on shared settings, see the document below:
Firewall Transition To Panorama Management

