Localize a Panorama Pushed Configuration on a Managed Firewall

Localize the template and device group configuration pushed from a Panorama™ management server on a managed firewall.
You can localize the template and device group configurations pushed from the Panorama™ management server to:
  • Remove the firewall from Panorama management.
  • Migrate firewall management to a different Panorama.
  • Ensure that administrators can modify the managed firewall configuration locally in an emergency where Panorama isn’t accessible.
  1. Launch the web interface of the managed firewall as an administrator with the Superuser role. You can directly access the firewall by entering its IP address in the browser URL field or, in Panorama, select the firewall in the Context drop-down.
  2. (Best Practice) Select Device > Setup > Operations and Export device state.
    Save a copy of the firewall system state, including device group and template settings pushed from Panorama, in the event you need to reload a known working configuration on the managed firewall.
  3. (Active/passive HA only) Disable configuration synchronization for firewalls in an active/passive high availability (HA) configuration.
    Repeat this step on each firewall HA peer. This is required to prevent duplication of objects on the passive HA peer that results in local commit failures.
    1. Log in to the firewall web interface of one of the HA peers.
    2. Select Device > High Availability > General and edit the HA pair Settings Setup.
    3. Disable (uncheck) Enable Config Sync and click OK.
    4. Select Commit and Commit your changes.
  4. Disable the template configuration to stop using template and template stacks to manage the network configuration objects of the managed firewall.
    1. Select Device > Setup > Management and edit the Panorama Settings.
    2. Click Disable Device and Network Template.
    3. (Optional) Select Import Device and Network Template before disabling to save the template configuration settings locally on the firewall. If you don’t select this option, PAN-OS deletes all Panorama-pushed settings from the firewall.
    4. Click OK twice to continue.
  5. Disable the device group configuration to stop using a device group to manage the policy rule and object configurations of the managed firewall.
    1. Select Device > Setup > Management and edit the Panorama Settings.
    2. (Optional) Select Import Panorama Policy Objects before disabling to save the policy rule and object configurations locally on the firewall. If you don’t select this option, PAN-OS deletes all Panorama-pushed configurations from the firewall.
    3. Click OK to continue.
    Don’t attempt to commit your configuration changes on the managed firewall yet as all commits fail until the following steps are successfully completed.
  6. Select Device > Setup > Operations and Save named configuration snapshot.
  7. Load named configuration snapshot and enable (check) Regenerate Rule UUIDs for selected named configuration to generate new policy rule UUIDs.
    This step is required to successfully localize the Panorama-pushed policy rules on the managed firewalls.
  8. Click OK to load the named configuration snapshot.
  9. Commit the named configuration snapshot load.
  10. (Active/passive HA only) Enable configuration synchronization for firewalls in an active/passive HA configuration.
    Repeat this step on each firewall HA peer.
    1. Log in to the firewall web interface of one of the HA peers.
    2. Select Device > High Availability > General and edit the HA pair Settings Setup.
    3. Enable (check) Enable Config Sync and click OK.
    4. Select Commit and Commit your changes.
