Localize a Panorama Pushed Configuration on a Managed Firewall

Localize the template and device group configuration pushed from a Panorama™ management server on a managed firewall.
You can localize the template and device group configurations pushed from the Panorama™ management server to:
  • Remove the firewall from Panorama management.
  • Migrate firewall management to a different Panorama.
  • In the case of an emergency where Panorama is not accessible, ensure administrators can modify the managed firewall configuration locally.
  1. Launch the web interface of the managed firewall as an administrator with the Superuser role. You can directly access the firewall by entering its IP address in the browser URL field or, in Panorama, select the firewall in the Context drop-down.
  2. (Best Practice) Select Device > Setup > Operations and Export device state.
    Save a copy of the firewall system state, including device group and template settings pushed from Panorama, in the event you need to reload a known working configuration on the managed firewall.
  3. Disable the template configuration to stop using templates and template stacks to manage the network configuration objects of the managed firewall.
    1. Select Device > Setup > Management and edit the Panorama Settings.
    2. Click Disable Device and Network Template.
    3. (Optional) Select Import Device and Network Template before disabling to save the template configuration settings locally on the firewall. If you do not select this option, PAN-OS deletes all Panorama-pushed settings from the firewall.
    4. Click OK twice to continue.
  4. Disable the device group configuration to stop using a device group to manage the policy and object configurations of the managed firewall.
    1. Select Device > Setup > Management and edit the Panorama Settings.
    2. (Optional) Select Import Panorama Policy Objects before disabling to save the policy and object configurations locally on the firewall. If you do not select this option, PAN-OS deletes all Panorama-pushed configurations from the firewall.
    3. Click OK to continue.
    Do not attempt to commit your configuration changes on the managed firewall yet as all commits fail until the following steps are successfully completed.
  5. Select Device > Setup > Operations and Save named configuration snapshot.
  6. Load named configuration snapshot.
    This step is required to successfully localize the Panorama-pushed policy rules on the managed firewalls.
  7. Click OK to load the named configuration snapshot.
  8. Commit the named configuration snapshot load.
