: Migrate a Firewall HA Pair to Panorama Management and Push a New Configuration
Focus
Focus

Migrate a Firewall HA Pair to Panorama Management and Push a New Configuration

Table of Contents

Migrate a Firewall HA Pair to Panorama Management and Push a New Configuration

Migrate a firewall HA pair in an active/active or active/passive configuration to Panorama™ management and push a new configuration.
This procedure overwrites the local firewall configuration with the configuration pushed from Panorama.
Migrate a firewall high availability (HA) pair to Panorama management and create a new Panorama-managed configuration using device groups and template stacks.
To migrate a firewall HA pair to Panorama management and reuse the existing configuration, see Migrate a Firewall HA Pair to Panorama Management and Reuse Existing Configuration.
Panorama can import configurations from firewalls that run PAN-OS 5.0 or later releases and can push configurations to those firewalls. The exception is that Panorama 6.1 and later releases cannot push configurations to firewalls running PAN-OS 6.0.0 through 6.0.3.
Panorama can import configurations from firewalls that are already managed devices but only if they are not already assigned to device groups or templates.
  1. Plan the migration.
  2. Disable configuration synchronization between the HA peers.
    Repeat these steps for both firewalls in the HA pair.
    1. Log in to the web interface on each firewall, select DeviceHigh AvailabilityGeneral and edit the Setup section.
    2. Clear Enable Config Sync and click OK.
    3. Commit the configuration changes on each firewall.
  3. Add the firewall as a managed device.
    See Add a Firewall as a Managed Device for more information on adding a firewall to Panorama management.
    1. Select PanoramaDevice Registration Auth Key and Add a new authentication key.
      Copy Auth Key after you successfully create the device registration authentication key.
    2. Select PanoramaManaged DevicesSummary to Add a firewall as a managed device.
    3. Enter the serial number of each firewall in the HA pair and click OK.
      To add multiple firewalls at the same time, enter the serial number of each one on a separate line.
    4. Select CommitCommit to Panorama and Commit your changes.
  4. Set up a connection from the firewall to Panorama.
    Repeat these steps for both firewalls in the HA pair.
    1. Select DeviceSetupManagement and edit the Panorama Settings.
    2. In the Panorama Servers fields, enter the IP addresses of the Panorama management server.
    3. Paste the Auth Key you copied in the previous step.
    4. Click OK and Commit.
  5. On the Panorama web interface, select PanoramaManaged DevicesSummary and verify that the Device State is Connected.
  6. Add a Device Group.
    Repeat this step to create as many device groups as needed to logically group your firewall configurations. Device groups are required to manage device group objects and policies. Learn more about how to manage your device groups.
    You must add the HA peers to the same device group.
  7. Create a template and template stack.
    Templates and template stacks are used to configure the firewall Network and Device settings that enable firewall to operate on the network.
    1. Add a Template.
      Repeat this step to create as many templates as needed to define your required networking configurations.
    2. Configure a Template Stack.
      Repeat this step to create as many template stacks as needed to quickly apply your defined networking configurations. When you create a template stack, assign the relevant templates and managed firewalls.
      You must add the HA peers to the same template stack.
  8. Configure the device groups, templates, and template stacks as needed.
  9. Push the device group and template stack configuration changes to your managed firewalls.
    You must first push the device group and template stack configuration to your passive or Active-Secondary HA peer first and then to the active or Active-Primary HA peer.
    1. Log into the firewall web interface of the Passive or Active-Secondary HA peer and select DeviceHigh AvailabilityOperational Commands to Suspend local device for high availability.
    2. Push the Panorama managed configuration to the suspended HA firewall.
      1. Select Commit Push and Push and Edit Selections to modify the Push Scope.
        • Merge with Device Candidate Config—This setting is enabled by default and merges any pending local firewall configurations with the configuration push from Panorama. The local firewall configuration is merged and committed regardless of the admin pushing the changes from Panorama or the admin who made the local firewall configuration changes.
          Disable this setting if you manage and commit local firewall configuration changes independently of the Panorama managed configuration.
        • Force Template Values—Overwrites any local firewall configurations with those in the template stack configuration pushed from Panorama in the event of conflicting values.
          This setting is enabled by default. Enable this setting to overwrite any conflicting firewall configurations with those defined in the template or template stack. Before enabling this setting, review any overridden values to ensure an outage does not occur.
      2. In Device Groups and Templates, select the suspended HA firewall.
      3. Click OK and Push.
    3. In the firewall web interface of the suspended passive or Active-Secondary HA peer and select DeviceHigh AvailabilityOperational Commands to Make local device functional for high availability.
    4. Log into the firewall web interface of the active or Active-Primary HA peer and select DeviceHigh AvailabilityOperational Commands to Suspend local device for high availability.
    5. Repeat Step 2 to push the Panorama managed configuration to the suspended HA peer.
    6. Log into the firewall web interface of the suspended active or Active-Primary HA peer and select DeviceHigh AvailabilityOperational Commands to Make local device functional for high availability.
    7. In the Panorama web interface, select PanoramaManaged DevicesSummary, and verify that the device group and template are in sync for HA firewalls. Verify policy rules, objects and network settings on the passive firewall match the active firewall.
  10. Select PanoramaManaged DevicesSummary and verify that the Shared Policy and Template status is In Sync for the newly added firewalls.
    On the firewall web interface, verify that configuration objects display a green cog, signifying that the configuration object is pushed from Panorama.
  11. Perform your post-migration test plan.
    Perform the verification tasks that you devised during the migration planning to confirm that the firewalls work as efficiently with the Panorama-pushed configuration as they did with their original local configuration: see Create a post-migration test plan.