Plan the Transition to Panorama Management
The following tasks are a high-level overview of the planning required to migrate firewalls to Panorama management:
- Decide which firewalls to migrate.
- Determine the Panorama and firewall software and content versions, and how you will Manage Licenses and Updates. For important details, see Panorama, Log Collector, Firewall, and WildFire Version Compatibility.
- Plan Your Panorama Deployment with respect to the URL filtering database (BrightCloud or PAN-DB), log collection, and administrator roles.
- Plan how to manage shared settings.Plan the Device Group Hierarchy, Templates and Template Stacks in a way that will reduce redundancy and streamline the management of settings that are shared among all firewalls or within firewall sets. During the migration, you can select whether to import objects from the Shared location on the firewall into Shared on Panorama, with the following exceptions:
- If a shared firewall object has the same name and value as an existing shared Panorama object, the import excludes that firewall object.
- If the name or value of the shared firewall object differs from an existing shared Panorama object, Panorama imports the firewall object into each new device group that is created for the import.
- If a configuration imported into a template references a shared firewall object, or if a shared firewall object references a configuration imported into a template, Panorama imports the object as a shared object regardless of whether you select the Import devices' shared objects into Panorama's shared context check box.
- Determine if the firewall has configuration elements (policies, objects, and other settings) that you don’t want to import, either because Panorama already contains similar elements or because those elements are firewall-specific (for example, timezone settings) and you won’t use Panorama to manage them. You can perform a global find to determine if similar elements exist on Panorama.
- Decide the common zones for each device group. This includes a zone-naming strategy for the firewalls and virtual systems in each device group. For example, if you have zones called Branch LAN and WAN, Panorama can push policy rules that reference those zones without being aware of the variations in port or media type, model, or logical addressing schema.
- Create a post-migration test plan.You will use the test plan to verify that the firewalls work as efficiently after the migration as they did before. The plan might include tasks such as:
- Monitor the firewalls for at least 24 hours after the migration.
- Monitor Panorama and firewall logs for anomalies.
- Check administrator logins on Panorama.
- Test various types of traffic from multiple sources. For example, check bandwidth graphs, session counts, and deny-rule traffic log entries (see Use Panorama for Visibility). The testing should cover a representative sample of policy configurations.
- Check with your network operations center (NOC) and security operations center (SOC) for any user-reported issues.
- Include any other test criteria that will help verify firewall functionality.
Migrate a Firewall to Panorama Management
Migrate a Firewall to Panorama Management When you import a firewall configuration, Panorama automatically creates a template to contain the imported network and device settings. ...
Migrate a Firewall HA Pair to Panorama Management
Procedure for migrating a firewall HA pair, active/active or active/passive, to Panorama management in Panorama 8.0. ...
Device > Setup > Operations
Device > Setup > Operations You can perform the following tasks to manage the running and candidate configurations of the firewall and Panorama. If you’re ...
Manage Unused Shared Objects
Manage Unused Shared Objects When you push configuration changes Device Groups , by default Panorama pushes all shared objects to firewalls whether or not any ...
Device Group Objects
Device Group Objects Objects are configuration elements that policy rules reference, for example: IP addresses, URL categories, security profiles, users, services, and applications. Rules of ...
Create a Device Group Hierarchy
Create a Device Group Hierarchy Plan the Device Group Hierarchy . Decide the device group levels, and which firewalls and virtual systems you will assign ...
Transition a Firewall to Panorama Management
Transition a Firewall to Panorama Management If you have already deployed Palo Alto Networks firewalls and configured them locally, but now want to use Panorama ...
Load a Partial Firewall Configuration into Panorama
Load a Partial Firewall Configuration into Panorama If some configuration settings on a firewall are common to other firewalls, you can load those specific settings ...
Plan Your Panorama Deployment
Plan Your Panorama Deployment Determine the management approach. Do you plan to use Panorama to centrally configure and manage the policies, to centrally administer software, ...