Load a Partial Firewall Configuration into Panorama
If some configuration settings on a firewall are common to other firewalls, you can load those specific settings into Panorama and then push them to all the other firewalls or to the firewalls in particular device groups and templates.
Loading a configuration into a Panorama management server requires a full commit and must be performed by a superuser. Full commits are required when performing certain Panorama operations, such as reverting and loading a configuration snapshot, and are not supported for custom Admin Role profiles.
- Plan the transition to Panorama.
- Resolve how to manage duplicate settings, which are those that have the same names in Panorama as in a firewall.Before you load a partial firewall configuration, Panorama and that firewall might already have duplicate settings. Loading a firewall configuration might also add settings to Panorama that are duplicates of settings in other managed firewalls.If Panorama has policy rules or objects with the same names as those on a firewall, a commit failure will occur when you try to push device group settings to that firewall. If Panorama has template settings with the same names as those on a firewall, the template values will override the firewall values when you push the template.
- On Panorama, perform a global find to determine if duplicate settings exist.
- Delete or rename the duplicate settings on the firewall if you will use Panorama to manage them, or delete or rename the duplicate settings on Panorama if you will use the firewall to manage them. If you will use the firewall to manage device or network settings, instead of deleting or renaming the duplicates on Panorama, you can also push the settings from Panorama (Step 6) and then Override a Template or Template Stack Value on the firewall with firewall-specific values.
- Export the entire firewall configuration to your local computer.
- On the firewall, select.DeviceSetupOperations
- ClickSave named configuration snapshot, enter aNameto identify the configuration, and clickOK.
- ClickExport named configuration snapshot, select theNameof the configuration you just saved, and clickOK. The firewall exports the configuration as an XML file.
- Import the firewall configuration snapshot into Panorama.
- On Panorama, select.PanoramaSetupOperations
- ClickImport named Panorama configuration snapshot,Browseto the firewall configuration file you exported to your computer, and clickOK.After using this option to import a firewall configuration file, you can’t use the Panorama web interface to load it. You must use the XML API or CLI, as described in the next step.
- Load the desired part of the firewall configuration into Panorama.To specify a part of the configuration (for example, all application objects), you must identify the:
- Source xpath—The XML node in the firewall configuration file from which you are loading.
- Destination xpath—The node in the Panorama configuration to which you are loading.
- Use the firewall XML API or CLI to identify the source xpath.For example, the xpath for application objects in vsys1 of the firewall is:/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/application
- Use the Panorama XML API or CLI to identify the destination xpath.For example, to load application objects into a device group named US-West, the xpath is:/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='US-West']/application
- Use the Panorama CLI to load the configuration and commit the change:#load config partial from#<filename>from-xpath<source-xpath>to-xpath<destination-xpath>mode [append|merge|replace]commitFor example, enter the following to load the application objects from vsys1 on an imported firewall configuration named fw1-config.xml into a device group named US-West on Panorama:#load config partial from fw1-config.xml from-xpath devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/application to-xpath /config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='US-West']/application mode merge#commit
- Push the partial configuration from Panorama to the firewall to complete the transition to centralized management.
- On the firewall, delete any rules or objects that have the same names as those in Panorama. If the device group for that firewall has other firewalls with rules or objects that are duplicated in Panorama, perform this step on those firewalls also. For details, see Step 2.
- On Panorama, push the partial configuration to the firewall.
- SelectandCommitCommit and PushEdit Selectionsin the Push Scope.
- SelectDevice Groupsand select the device groups that contain the imported firewall configurations.
- SelectMerge with Device Candidate Config,Include Device and Network Templates, andForce Template Values.
- ClickOKto save your changes to the Push Scope.
- Commit and Pushyour changes.
- If the firewall has a device or network setting that you won’t use Panorama to manage, Override a Template or Template Stack Value on the firewall.
- Perform your post-migration test plan.Perform the verification tasks that you devised during the migration planning to confirm that the firewall works as efficiently with the Panorama-pushed configuration as it did with its original local configuration: see Create a post-migration test plan.
Recommended For You
Recommended videos not found.