Migrate a Firewall HA Pair to Panorama Management

Procedure for migrating a firewall HA pair, active/active or active/passive, to Panorama management in Panorama 8.1.
If you have a pair of firewalls in an HA configuration that you want to manage using Panorama, you have the option to import the configuration local to your firewall HA pair to Panorama without needing to recreate any configurations or policies. You first import the firewall configurations to Panorama, which are used to create a new device group and template. You will perform a special configuration push of the device group and template to the firewalls to overwrite the local firewall configurations and synchronize the firewalls with Panorama.
  1. Plan the migration.
  2. Disable configuration synchronization between the HA peers.
    Repeat these steps for both firewalls in the HA pair.
    1. Log in to the web interface on each firewall, select Device > High Availability > General and edit the Setup section.
    2. Clear Enable Config Sync and click OK.
    3. Commit the configuration changes on each firewall.
  3. Connect each firewall to Panorama.
    If Panorama is already receiving logs from these firewalls, you do not need to perform this step. Continue to Step 5.
    Repeat these steps for both firewalls in the HA pair.
    1. Log in to the web interface on each firewall, select Device > Setup > Management and edit the Panorama Settings.
    2. In the Panorama Servers fields, enter the IP addresses of the Panorama management servers, confirm that Panorama Policy and Objects and Device and Network Template are enabled, and select OK.
    3. Commit the configuration changes on each firewall.
  4. Add each firewall as a managed device.
    If Panorama is already receiving logs from these firewalls, you do not need to perform this step. Continue to Step 5.
    1. Log in to the Panorama web interface, select Panorama > Managed Devices and click Add.
    2. Enter the serial number of each firewall and click OK.
    3. Select Commit > Commit to Panorama and Commit your changes.
    4. Verify that the Device State for each firewall is Connected.
  5. Import each firewall configuration into Panorama.
    If you later decide to re-import a firewall configuration, first remove the firewall from the device groups and template to which it belongs. If the device group and template names are the same as the firewall hostname, you can delete the device group and template before re-importing the firewall configuration, or use the Device Group Name Prefix fields to enter a new name for the device group and template created by the re-import. Firewalls don’t lose logs when you remove them from device groups or templates.
    1. From Panorama, select Panorama > Setup > Operations, click Import device configuration to Panorama, and select the Device.
      Panorama can’t import a configuration from a firewall that is assigned to an existing device group or template stack.
    2. (Optional) Edit the Template Name. The default value is the firewall name. You can’t use the name of an existing template or template stack.
    3. (Optional) Edit the Device Group names. For a multi-vsys firewall, each device group has a vsys name by default, so add a character string as a Device Group Name Prefix for each. Otherwise, the default value is the firewall name. You can’t use the names of existing device groups.
      The Imported devices’ shared objects into Panorama’s shared context check box is selected by default, which means Panorama compares the objects imported from the firewall’s Shared location against the objects in Panorama’s Shared location. An imported object that is not in the firewall’s Shared context is applied to each device group being imported. If you clear the check box, Panorama does not compare imported objects and instead copies all shared firewall objects into the device groups being imported rather than into Shared. This can create duplicate objects, so leaving the check box selected is a best practice in most cases. To understand the consequences of importing shared or duplicate objects into Panorama, see Plan how to manage shared settings.
    4. Commit to Panorama.
    5. Select Panorama > Setup > Operations and Export or push device config bundle. Select the Device, select OK and Push & Commit the configuration.
      The Enable Config Sync setting from Step 2 must be cleared on both firewalls before you push the device group and template stack.
    6. Launch the web interface of the firewall HA peer and ensure that the configuration has been successfully committed. If not, Commit the changes locally on the firewall.
    7. On Panorama, select Panorama > Managed Devices > Summary and verify that the device group and template stack are in sync for the passive firewall. Verify that the policy rules, objects and network settings on the passive firewall match the active firewall. On the firewall web interface, verify that configuration objects display a green cog icon, signifying that the configuration object is pushed from Panorama.
    8. Commit to Panorama.
    9. Repeat Steps 1-8 above on the second firewall. The process creates a device group and template stack for the second firewall.
    10. Select Commit > Commit to Panorama and Commit your changes.
  6. Add the HA firewall pair into the same device group and template stack.
    Skip this step if the HA firewall pair is in an active/active configuration.
    Do not combine the HA firewall pair into a single template if a unique Hostname, management IP address, or HA configuration is configured for each HA peer. You may also configure a unique Hostname, management IP address, or HA configuration locally on the firewalls.
    1. Select Panorama > Device Group, select the device group of the second firewall and Delete it.
    2. Select the device group for the first firewall, select the second firewall, click OK and Commit to Panorama to add it to the same device group as the HA peer.
    3. Select Panorama > Templates, select the template stack for the second firewall and Delete it.
    4. Select the template stack for the first firewall, add the second firewall, select OK and Commit to Panorama to add it to the same template stack as the HA peer.
    5. If you add the HA peers to the same template stack, Configure a Template or Template Stack Variable to preserve the firewall-specific HA configurations.
      If you do not want to manage the firewall HA configuration from Panorama, delete the firewall HA configuration from the template or template stack, Launch the Web Interface of each firewall HA peer and configure the HA IP address locally.
    6. Select Commit > Commit and Push the configuration changes.
    7. Select Panorama > Managed Devices > Summary and verify that the device group and template are in sync for the passive firewall. Verify that the policy rules, objects and network settings on the passive firewall match the active firewall.
  7. Enable configuration synchronization between the HA peers.
    Repeat these steps for both firewalls in the HA pair if you plan on maintaining a local configuration that needs to be synchronized.
    1. Log in to the web interface on each firewall, select Device > High Availability > General and edit the Setup section.
    2. Select Enable Config Sync and click OK.
    3. Commit the configuration changes on each firewall.
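Steps 5.7 and 6.7 have you confirm in Panorama > Managed Devices > Summary that both HA peers are connected, peered with each other, and In Sync for their device group and template stack. The script below, added here as an example and not part of this page or of Palo Alto Networks tooling, performs the same check over the XML that Panorama's `show devices all` operational command returns through the XML API; the element names it reads (connected, ha/state, ha/peer, shared-policy-status, template-status) are assumed from that command's output, and the serials, hostnames and the embedded response are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a Panorama "show devices all" XML API response.
# Element names (connected, ha/state, ha/peer, shared-policy-status, template-status)
# are assumed from that command's output; serials and hostnames are made up.
SAMPLE_XML = """<response status="success"><result><devices>
<entry name="001122334455"><serial>001122334455</serial><hostname>fw-ha-1</hostname>
<connected>yes</connected><ha><state>active</state><peer>001122334466</peer></ha>
<shared-policy-status>In Sync</shared-policy-status>
<template-status>In Sync</template-status></entry>
<entry name="001122334466"><serial>001122334466</serial><hostname>fw-ha-2</hostname>
<connected>yes</connected><ha><state>passive</state><peer>001122334455</peer></ha>
<shared-policy-status>Out of Sync</shared-policy-status>
<template-status>In Sync</template-status></entry>
</devices></result></response>"""


def parse_devices(xml_text):
    """Map each managed device serial to its connection, HA and sync status."""
    devices = {}
    for entry in ET.fromstring(xml_text).iter("entry"):
        get = lambda path: (entry.findtext(path) or "").strip()
        devices[get("serial")] = {
            "hostname": get("hostname"),
            "connected": get("connected") == "yes",
            "ha_state": get("ha/state"),
            "peer": get("ha/peer"),
            "policy": get("shared-policy-status"),   # device group sync
            "template": get("template-status"),      # template stack sync
        }
    return devices


def ha_pair_issues(devices, serial_a, serial_b):
    """Return the problems that would block treating the pair as migrated:
    a missing or disconnected peer, HA peering that does not point at the
    other serial, or a device group / template stack not reported In Sync."""
    issues = []
    for mine, other in ((serial_a, serial_b), (serial_b, serial_a)):
        dev = devices.get(mine)
        if dev is None:
            issues.append(f"{mine}: not a managed device on Panorama")
            continue
        if not dev["connected"]:
            issues.append(f"{mine}: Device State is not Connected")
        if dev["peer"] != other:
            issues.append(f"{mine}: HA peer is {dev['peer'] or 'unknown'}, expected {other}")
        for what in ("policy", "template"):
            if dev[what] != "In Sync":
                issues.append(f"{mine} ({dev['hostname']}): {what} status is {dev[what]!r}")
    return issues
```

An empty list from `ha_pair_issues` corresponds to the clean state the verification steps describe; any entry names the peer and the condition to fix before re-enabling config sync in Step 7.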
