Load a Partial Firewall Configuration into Panorama

If some configuration settings on a firewall are common to other firewalls, you can load those specific settings into Panorama and then push them to all the other firewalls or to the firewalls in particular device groups and templates.
  1. Plan the transition to Panorama.
  2. Resolve how to manage duplicate settings, which are those that have the same names in Panorama as in a firewall.
    Before you load a partial firewall configuration, Panorama and that firewall might already have duplicate settings. Loading a firewall configuration might also add settings to Panorama that are duplicates of settings in other managed firewalls.
    If Panorama has policy rules or objects with the same names as those on a firewall, a commit failure will occur when you try to push device group settings to that firewall. If Panorama has template settings with the same names as those on a firewall, the template values will override the firewall values when you push the template.
    1. On Panorama, perform a global find to determine if duplicate settings exist.
    2. Delete or rename the duplicate settings on the firewall if you will use Panorama to manage them, or delete or rename the duplicate settings on Panorama if you will use the firewall to manage them. If you will use the firewall to manage device or network settings, instead of deleting or renaming the duplicates on Panorama, you can also push the settings from Panorama (Step 6) and then Override a Template Setting on the firewall with firewall-specific values.
  3. Export the entire firewall configuration to your local computer.
    1. On the firewall, select
      Device
      Setup
      Operations
      .
    2. Click
      Save named configuration snapshot
      , enter a
      Name
      to identify the configuration, and click
      OK
      .
    3. Click
      Export named configuration snapshot
      , select the
      Name
      of the configuration you just saved, and click
      OK
      . The firewall exports the configuration as an XML file.
  4. Import the firewall configuration snapshot into Panorama.
    1. On Panorama, select
      Panorama
      Setup
      Operations
      .
    2. Click
      Import named Panorama configuration snapshot
      ,
      Browse
      to the firewall configuration file you exported to your computer, and click
      OK
      .
      After using this option to import a firewall configuration file, you can’t use the Panorama web interface to load it. You must use the XML API or CLI, as described in the next step.
  5. Load the desired part of the firewall configuration into Panorama.
    To specify a part of the configuration (for example, all application objects), you must identify the:
    • Source xpath—The XML node in the firewall configuration file from which you are loading.
    • Destination xpath—The node in the Panorama configuration to which you are loading.
    1. Use the firewall XML API or CLI to identify the source xpath.
      For example, the xpath for application objects in vsys1 of the firewall is:
      /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/application
    2. Use the Panorama XML API or CLI to identify the destination xpath.
      For example, to load application objects into a device group named US-West, the xpath is:
      /config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='US-West']/application
    3. Use the Panorama CLI to load the configuration and commit the change:
      #
      load config partial from
      <filename>
      from-xpath
      <source-xpath>
      to-xpath
      <destination-xpath>
      mode [append|merge|replace]
      #
      commit
      For example, enter the following to load the application objects from vsys1 on an imported firewall configuration named fw1-config.xml into a device group named US-West on Panorama:
      #
      load config partial from fw1-config.xml from-xpath devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/application to-xpath /config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='US-West']/application mode merge
      #
      commit
  6. Push the partial configuration from Panorama to the firewall to complete the transition to centralized management.
    1. On the firewall, delete any rules or objects that have the same names as those in Panorama. If the device group for that firewall has other firewalls with rules or objects that are duplicated in Panorama, perform this step on those firewalls also. For details, see step 2.
    2. On Panorama, push the partial configuration to the firewall.
      1. Select
        Commit
        Commit and Push
        and
        Edit Selections
        in the Push Scope.
      2. Select
        Device Groups
        and select the device groups that contain the imported firewall configurations.
      3. Select
        Merge with Device Candidate Config
        ,
        Include Device and Network Templates
        , and
        Force Template Values
        .
      4. Click
        OK
        to save your changes to the Push Scope.
      5. Commit and Push
        your changes.
    3. If the firewall has a device or network setting that you won’t use Panorama to manage, Override a Template Setting on the firewall.
  7. Perform your post-migration test plan.
    Perform the verification tasks that you devised during the migration planning to confirm that the firewall works as efficiently with the Panorama-pushed configuration as it did with its original local configuration: see Create a post-migration test plan.

Related Documentation