Migrate a Firewall HA Pair to Panorama Management and Reuse Existing Configuration

Migrate a firewall HA pair in an active/active or active/passive configuration to Panorama™ management and reuse the existing firewall configuration.
If you have a pair of firewalls in an HA configuration that you want to manage using Panorama, you can import the configuration local to your firewall HA pair into Panorama without recreating any configurations or policies, which lets you reuse the existing firewall configuration. You first import the firewall configurations into Panorama, which uses them to create a new device group and template. You then perform a special configuration push of the device group and template to the firewalls to overwrite the local firewall configurations and synchronize the firewalls with Panorama.
To migrate a firewall HA pair to Panorama management and create a new configuration, see Migrate a Firewall HA Pair to Panorama Management and Push a New Configuration.
Panorama can import configurations from firewalls that run PAN-OS 5.0 or later releases and can push configurations to those firewalls. The exception is that Panorama 6.1 and later releases cannot push configurations to firewalls running PAN-OS 6.0.0 through 6.0.3.
Panorama can import configurations from firewalls that are already managed devices but only if they are not already assigned to device groups or templates.
  1. Plan the migration.
  2. Disable configuration synchronization between the HA peers.
    Repeat these steps for both firewalls in the HA pair. Config sync must be cleared so that the peers do not replicate configuration between themselves while Panorama overwrites the local configuration of each peer in the later steps.
    1. Log in to the web interface on each firewall, select Device > High Availability > General, and edit the Setup section.
    2. Clear Enable Config Sync and click OK.
    3. Commit the configuration changes on each firewall.
  3. Confirm that Panorama Policy and Objects and Device and Network Template are enabled on each firewall (Device > Setup > Management > Panorama Settings).
    If Panorama is already receiving logs from these firewalls, you do not need to perform this step. Continue to the next step.
  4. Import each firewall configuration into Panorama.
    Do not push any device group or template stack configuration to your managed firewalls in this step. Pushing the device group and template stack configuration during this step wipes the local firewall HA configuration in the next steps.
    If you later decide to re-import a firewall configuration, first remove the firewall from the device group and template of which it is a member. If the device group and template names are the same as the firewall hostname, you can either delete the device group and template before re-importing the firewall configuration or use the Device Group Name Prefix fields to enter a new name for the device group and template created by the re-import. Firewalls don't lose logs when you remove them from device groups or templates.
    1. From Panorama, select Panorama > Setup > Operations, click Import device configuration to Panorama, and select the Device.
      Panorama can't import a configuration from a firewall that is assigned to an existing device group or template stack.
    2. (Optional) Edit the Template Name. The default value is the firewall name. You can't use the name of an existing template or template stack.
    3. (Optional) Edit the Device Group names. For a multi-vsys firewall, each device group has a vsys name by default, so add a character string as a Device Group Name Prefix for each. Otherwise, the default value is the firewall name. You can't use the names of existing device groups.
      The Import devices' shared objects into Panorama's shared context check box is selected by default. When it is selected, Panorama compares objects that belong to the Shared location on the firewall with objects in Shared on Panorama and imports them into Shared; an object that is not in the Shared context of the firewall is imported into each device group being created. If you clear the check box, Panorama does not compare the imported objects and instead copies all of the firewall's shared objects into the device groups being created rather than into Shared. This can create duplicate objects, so leaving the check box selected is a best practice in most cases. To understand the consequences of importing shared or duplicate objects into Panorama, see Plan how to manage shared settings.
    4. Commit to Panorama.
    5. Select Panorama > Setup > Operations and Export or push device config bundle. Select the Device, select OK, and Push & Commit the configuration.
      The Enable Config Sync setting in Step 2 must be cleared on both firewalls before you push the device group and template stack.
    6. Launch the web interface of the firewall you just pushed to and ensure that the configuration pushed in the previous step committed successfully. If it did not, Commit the changes locally on the firewall.
    7. Repeat Steps 1 through 6 above for the second firewall. This process creates a separate device group and template stack for each firewall.
  5. Add the HA firewall pair to the same device group and template stack.
    (Firewalls in active/active configuration) It is recommended to add HA peers to the same device group but not to the same template stack, because firewalls in an active/active HA configuration typically need unique network configurations. This simplifies policy management for the HA peers while reducing the operational burden of managing each peer's network configuration when those configurations are independent of each other. For example, firewalls in an active/active HA configuration often need unique network settings, such as unique floating IP addresses that are used as the default gateway for hosts.
    Ultimately, deciding whether to add firewalls in an active/active HA configuration to the same device group and template stack is a design decision you must make when designing your configuration hierarchy.
    1. Select Panorama > Device Groups, select the device group of the second firewall, and remove the second firewall from the device group.
    2. Select the device group from which you removed the second firewall and Delete it.
    3. Select the device group for the first firewall, select the second firewall, click OK, and Commit to Panorama to add it to the same device group as its HA peer.
    4. Select Panorama > Templates, select the template stack of the second firewall, and remove the second firewall from the template stack.
    5. Select the template stack from which you removed the second firewall and Delete it.
    6. Select the template stack for the first firewall, add the second firewall, select OK, and Commit to Panorama to add it to the same template stack as its HA peer.
    7. (Optional) Remove the HA settings in the template associated with the newly migrated firewalls.
      You can manage the firewall HA configuration from Panorama or configure the HA settings locally on the managed firewalls.
      Skip this step if you want to manage the firewall HA settings from Panorama.
      1. Select Device > High Availability and select the Template containing the HA configuration.
      2. Select Remove All.
      3. Commit to Panorama.
    8. Select Panorama > Managed Devices > Summary, and verify that the device group and template are in sync for the passive firewall. Verify that the policy rules, objects, and network settings on the passive firewall match those on the active firewall.
  6. Push the device group and template stack configuration changes to your managed firewalls.
    You must push the device group and template stack configuration to the passive or Active-Secondary HA peer first, and only then to the active or Active-Primary HA peer.
    Pushing the imported firewall configuration from Panorama replaces the local firewall configuration and updates the Creation and Modified dates of every policy rule to the date of the push, which you will see when you monitor policy rule usage for the newly managed firewall. Additionally, a new universally unique identifier (UUID) is created for each policy rule, so any external automation or reports keyed on the old rule UUIDs must be updated.
    1. Log in to the firewall web interface of the passive or Active-Secondary HA peer and select Device > High Availability > Operational Commands > Suspend local device for high availability.
    2. Push the Panorama managed configuration to the suspended HA firewall.
      1. Select Commit > Push to Devices and Edit Selections.
      2. Enable (select) Merge Device Candidate Config and Include Device and Network Templates.
        (Panorama-managed HA configuration) Enable (select) Force Template Values.
      3. In Device Groups and Templates, select the suspended HA firewall.
      4. Click OK and Push.
    3. In the firewall web interface of the suspended passive or Active-Secondary HA peer, select Device > High Availability > Operational Commands > Make local device functional for high availability.
    4. Log in to the firewall web interface of the active or Active-Primary HA peer and select Device > High Availability > Operational Commands > Suspend local device for high availability.
    5. Repeat Step 2 to push the Panorama managed configuration to the suspended HA peer.
    6. Log in to the firewall web interface of the suspended active or Active-Primary HA peer and select Device > High Availability > Operational Commands > Make local device functional for high availability.
    7. In the Panorama web interface, select Panorama > Managed Devices > Summary, and verify that the device group and template are in sync for both HA firewalls. Verify that the policy rules, objects, and network settings on the passive firewall match those on the active firewall.
  7. (Local firewall HA configuration only) Enable configuration synchronization between the HA peers.
    Repeat these steps for both firewalls in the HA pair if you plan to maintain a local configuration that needs to be synchronized.
    Skip this step if you manage the firewall HA configuration from Panorama. This setting is enabled by default.
    1. Log in to the web interface of each HA peer, select Device > High Availability > General, and edit the Setup section.
    2. Select Enable Config Sync and click OK.
    3. Commit the configuration changes on each firewall.
