How To Restore a Firewall Managed Partially by Panorama with only Local Config Backup Available

Created On 04/27/19 23:48 PM - Last Modified 05/26/20 21:28 PM


Objective


When a faulty firewall is replaced with a new device, loading the old device's configuration and committing it produces an error.
The error message indicates that part of the configuration it depends on is missing.

Example:
Log settings are configured locally on the firewall and point to a Syslog server config that is pushed from Panorama.
When the local configuration is loaded and committed, the commit fails because the Panorama config is missing.
In this case the following validation error is displayed:
log-settings -> profiles -> LOG -> match-list -> LOG-url -> send-syslog 'SYS' is not a valid reference
log-settings -> profiles ->LOG -> match-list -> LOG-url -> send-syslog is invalid
Commit failed

Here the Syslog server profile is pushed from Panorama, while the log-settings profile LOG is configured locally.
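
An added example, not from the original article or from Palo Alto Networks: a Python pre-check that scans a local config backup for log-forwarding actions pointing at server profiles the file itself does not define, which is the dependency behind the commit failure above. The XML layout, the action-to-container mapping, the function names and the sample backup are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a local backup: profile LOG references syslog profile SYS,
# which is absent from the file because it was pushed from Panorama.
SAMPLE_BACKUP = """<config><shared><log-settings>
  <syslog><entry name="LOCAL-SYS"/></syslog>
  <profiles><entry name="LOG"><match-list>
    <entry name="LOG-url"><send-syslog><member>SYS</member></send-syslog></entry>
    <entry name="LOG-threat"><send-syslog><member>LOCAL-SYS</member></send-syslog></entry>
  </match-list></entry></profiles>
</log-settings></shared></config>"""

# Assumed mapping: forwarding action element -> server-profile container under log-settings.
ACTIONS = {"send-syslog": "syslog", "send-email": "email",
           "send-snmptrap": "snmptrap", "send-http": "http"}


def _defined(root, container, name):
    # Simplification: a profile defined in any local log-settings block counts as resolvable.
    return any(entry.get("name") == name
               for ls in root.iter("log-settings")
               for entry in ls.findall(f"./{container}/entry"))


def dangling_log_references(config_xml):
    """Return sorted (profile, match, action, target) tuples whose target is not defined locally."""
    root = ET.fromstring(config_xml)
    missing = set()
    # log-settings may appear under shared or under a vsys; scan every occurrence.
    for ls in root.iter("log-settings"):
        for profile in ls.findall("./profiles/entry"):
            for match in profile.findall("./match-list/entry"):
                for action, container in ACTIONS.items():
                    for member in match.findall(f"./{action}/member"):
                        target = (member.text or "").strip()
                        if not _defined(root, container, target):
                            missing.add((profile.get("name"), match.get("name"),
                                         action, target))
    return sorted(missing)


if __name__ == "__main__":
    for profile, match, action, target in dangling_log_references(SAMPLE_BACKUP):
        print(f"log-settings -> profiles -> {profile} -> match-list -> {match} "
              f"-> {action} '{target}' is not defined in this backup")
```

Any reference it reports has to arrive from Panorama before the commit, which is what the merge push in the procedure below provides.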

 


Environment


This document applies only to the following scenario.
  • The device is managed partially on the firewall and partially by Panorama.
  • Part of the firewall config points to Panorama config.
  • You are replacing one such firewall (probably due to device hardware failure), but have only the local config.
  • PAN-OS 8.0 and above.


Procedure


1. Replace the old serial number with the new serial number on Panorama.
> replace device old <old SN#> new <new SN#>
Go into configuration mode and commit the changes.
> configure
# commit
Panorama will now show the new serial number instead of the old serial number in the managed devices.

2. Configure the Panorama IP address on the firewall and commit on the firewall.

3. Import the backed-up config on the firewall.
3. Load the backed-up config on the firewall.
Do not commit.

4. Go to Panorama, choose Push to Devices, select the firewall in the device group, and select the Merge with Device Candidate Config and Include Device and Network Templates options.
Then push it to the firewall.

This time, Panorama pushes the Panorama config and commits it along with the local config on the firewall, and the commit succeeds.


Additional Information


It is recommended to take a device-state backup when the firewall is partially managed by Panorama and the local config has dependencies on Panorama config, as described above.
 

