Load a Partial Firewall Configuration into Panorama
If some configuration settings on a firewall are common to other firewalls, you can load those specific settings into Panorama and then push them to all the other firewalls or to the firewalls in particular device groups and templates.
- Plan the transition to Panorama.See the checklist in Plan the Transition to Panorama Management.
how to manage duplicate settings, which are those that have the
same names in Panorama as in a firewall.Before you load a partial firewall configuration, Panorama and that firewall might already have duplicate settings. Loading a firewall configuration might also add settings to Panorama that are duplicates of settings in other managed firewalls.If Panorama has policy rules or objects with the same names as those on a firewall, a commit failure will occur when you try to push device group settings to that firewall. If Panorama has template settings with the same names as those on a firewall, the template values will override the firewall values when you push the template.
- On Panorama, perform a global find to determine if duplicate settings exist.
- Delete or rename the duplicate settings on the firewall if you will use Panorama to manage them, or delete or rename the duplicate settings on Panorama if you will use the firewall to manage them. If you will use the firewall to manage device or network settings, instead of deleting or renaming the duplicates on Panorama, you can also push the settings from Panorama (Step 6) and then Override a Template Setting on the firewall with firewall-specific values.
- Export the entire firewall configuration to your local
- On the firewall, select DeviceSetupOperations.
- Click Save named configuration snapshot, enter a Name to identify the configuration, and click OK.
- Click Export named configuration snapshot, select the Name of the configuration you just saved, and click OK. The firewall exports the configuration as an XML file.
- Import the firewall configuration snapshot into Panorama.
- On Panorama, select PanoramaSetupOperations.
- Click Import named Panorama configuration
snapshot, Browse to the firewall
configuration file you exported to your computer, and click OK.After using this option to import a firewall configuration file, you can’t use the Panorama web interface to load it. You must use the XML API or CLI, as described in the next step.
- Load the desired part of the firewall configuration into
Panorama.To specify a part of the configuration (for example, all application objects), you must identify the:
- Source xpath—The XML node in the firewall configuration file from which you are loading.
- Destination xpath—The node in the Panorama configuration to which you are loading.
- Use the firewall XML API or CLI to identify
the source xpath.For example, the xpath for application objects in vsys1 of the firewall is:
- Use the Panorama XML API or CLI to identify the destination
xpath.For example, to load application objects into a device group named US-West, the xpath is:
- Use the Panorama CLI to load the configuration and
commit the change:
# load config partial from <filename> from-xpath <source-xpath> to-xpath <destination-xpath> mode [append|merge|replace] # commitFor example, enter the following to load the application objects from vsys1 on an imported firewall configuration named fw1-config.xml into a device group named US-West on Panorama:
# load config partial from fw1-config.xml from-xpath devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/application to-xpath /config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='US-West']/application mode merge # commit
- Push the
partial configuration from Panorama to the firewall to complete
the transition to centralized management.
- On the firewall, delete any rules or objects that have the same names as those in Panorama. If the device group for that firewall has other firewalls with rules or objects that are duplicated in Panorama, perform this step on those firewalls also. For details, see step 2.
- On Panorama, push the partial configuration to the
- Select CommitCommit and Push and Edit Selections in the Push Scope.
- Select Device Groups and select the device groups that contain the imported firewall configurations.
- Select Merge with Device Candidate Config, Include Device and Network Templates, and Force Template Values.
- Click OK to save your changes to the Push Scope.
- Commit and Push your changes.
- If the firewall has a device or network setting that you won’t use Panorama to manage, Override a Template Setting on the firewall.
- Perform your post-migration test plan.Perform the verification tasks that you devised during the migration planning to confirm that the firewall works as efficiently with the Panorama-pushed configuration as it did with its original local configuration: see Create a post-migration test plan.
Migrate a Firewall to Panorama Management
Migrate a Firewall to Panorama Management When you import a firewall configuration, Panorama automatically creates a template to contain the imported network and device settings. ...
Device > Setup > Operations
Device > Setup > Operations You can perform the following tasks to manage the running and candidate configurations of the firewall and Panorama. If you’re ...
Add a Template
Add a Template You must add at least one template before Panorama will display the Device and Network tabs required to define the network set ...
Configure a Template Stack
Configure a Template Stack A template stack is a combination of templates: Panorama pushes the settings from every template in the stack to the firewalls ...
Template Stacks A template stack is a combination of templates. By assigning firewalls to a stack, you can push all the necessary settings to them ...
Migrate a Firewall HA Pair to Panorama Management
Procedure for migrating a firewall HA pair, active/active or active/passive, to Panorama management in Panorama 8.0. ...
Migrate from an M-Series Appliance to a Panorama Virtual Appliance
Procedure to migrate from an M-Series appliance to a Panorama virtual appliance on Panorama 8.0 ...
Partial Device State Generation for Firewalls
Partial Device State Generation for Firewalls When you use Panorama to generate a partial device state, it replicates the configuration of the managed firewalls with ...
Load a Partial Configuration
Load a Partial Configuration Use the load config partial command to copy a section of a configuration file in XML. The configuration can be: A ...