End-of-Life (EoL)
Migrate a Firewall HA Pair to Panorama Management
Procedure for migrating a firewall HA pair, active/active
or active/passive, to Panorama management in Panorama 9.0.
If you have a pair of firewalls in an HA configuration
that you want to manage using Panorama, you have the option to import
the configuration local to your firewall HA pair to Panorama without
needing to recreate any configurations or policies. You first import
the firewall configurations to Panorama, which are used to create
a new device group and template. You will perform a special configuration
push of the device group and template to the firewalls to overwrite
the local firewall configurations and synchronize the firewalls
with Panorama.
- Plan the migration. See the checklist in Plan the Transition to Panorama Management.
- Disable configuration synchronization between the HA peers. Repeat these steps for both firewalls in the HA pair. The push from Panorama later in this procedure requires Config Sync to be cleared on both peers.
  - Log in to the web interface on each firewall, select Device > High Availability > General and edit the Setup section.
  - Clear Enable Config Sync and click OK.
  - Commit the configuration changes on each firewall.
- Connect each firewall to Panorama. If Panorama is already receiving logs from these firewalls, they are already connected and added as managed devices; skip this step and the next one and continue with importing the firewall configurations into Panorama. Otherwise, repeat these steps for both firewalls in the HA pair.
  - Log in to the web interface on each firewall, select Device > Setup > Management and edit the Panorama Settings.
  - In the Panorama Servers fields, enter the IP addresses of the Panorama management servers, confirm that Panorama Policy and Objects and Device and Network Template are enabled, and click OK.
  - Commit the configuration changes on each firewall.
- Add each firewall as a managed device. If Panorama is already receiving logs from these firewalls, skip this step and continue with importing the firewall configurations into Panorama.
  - Select Panorama > Managed Devices > Summary and Add the firewalls: enter the serial number of each firewall and click OK.
  - Select Commit > Commit to Panorama and Commit your changes.
  - Verify that the Device State for each firewall is Connected.
- Import each firewall configuration into Panorama. Repeat these steps for each firewall in the HA pair. Do not push any device group or template stack configuration to your managed firewalls during this step: pushing the device group and template stack configuration now wipes the local firewall HA configuration that the following steps depend on. If you later decide to re-import a firewall configuration, first remove the firewall from the device group and template of which it is a member. If the device group and template names are the same as the firewall hostname, you can either delete the device group and template before re-importing the firewall configuration, or use the Device Group Name Prefix fields to give the device group and template created by the re-import new names. Firewalls do not lose logs when you remove them from device groups or templates.
  - From Panorama, select Panorama > Setup > Operations, click Import device configuration to Panorama, and select the Device. Panorama can't import a configuration from a firewall that is assigned to an existing device group or template stack.
  - (Optional) Edit the Template Name. The default value is the firewall name. You can't use the name of an existing template or template stack.
  - (Optional) Edit the Device Group names. For a multi-vsys firewall, each device group has a vsys name by default, so add a character string as a Device Group Name Prefix for each. Otherwise, the default value is the firewall name. You can't use the names of existing device groups. The Imported devices' shared objects into Panorama's shared context check box is selected by default, which means Panorama imports objects that belong to the Shared location on the firewall into Shared on Panorama, comparing them against the objects already in Shared. An imported object that is not in the Shared context of the firewall is imported into each device group being created. If you clear the check box, Panorama does not compare imported objects against Shared and instead copies all shared firewall objects into the device groups being imported. This can create duplicate objects, so selecting the check box is a best practice in most cases. To understand the consequences of importing shared or duplicate objects into Panorama, see Plan how to manage shared settings.
  - Commit to Panorama.
  - Select Panorama > Setup > Operations and Export or push device config bundle. Select the Device, click OK and Push & Commit the configuration. Enable Config Sync must be cleared on both firewalls (as described earlier in this procedure) before you push the device group and template stack.
  - Launch the web interface of the firewall and ensure that the configuration pushed in the previous step committed successfully. If it did not, Commit the changes locally on the firewall.
- Add the HA firewall pair to the same device group and template stack. (Firewalls in an active/active configuration) It is recommended to add active/active HA peers to the same device group but not to the same template stack, because firewalls in an active/active HA configuration typically need unique network configurations, for example unique floating IP addresses that are used as the default gateway for hosts. A shared device group simplifies policy management for the HA peers, while separate template stacks avoid the operational burden of managing two independent network configurations in one stack. Ultimately, whether to add firewalls in an active/active HA configuration to the same device group and template stack is a design decision you must make when designing your configuration hierarchy.
  - Select Panorama > Device Groups, select the device group of the second firewall, and remove the second firewall from the device group.
  - Select the device group from which you removed the second firewall and Delete it.
  - Select the device group of the first firewall, select the second firewall, click OK and Commit to Panorama to add it to the same device group as its HA peer.
  - Select Panorama > Templates, select the template stack of the second firewall, and remove the second firewall from the template stack.
  - Select the template stack from which you removed the second firewall and Delete it.
  - Select the template stack of the first firewall, add the second firewall, click OK and Commit to Panorama to add it to the same template stack as its HA peer.
- Remove the HA settings from the template associated with the newly migrated firewalls. The template was created from one peer's import and therefore contains that peer's HA settings; left in place, the push in the next step would apply the same HA configuration to both peers. The HA configuration remains local to each firewall.
  - Select Device > High Availability and select the Template that contains the HA configuration.
  - Select Remove All.
  - Commit to Panorama.
- Push the device group and template stack configurations to your managed firewalls. Pushing the imported configuration from Panorama to replace the local firewall configuration updates the Creation and Modified dates of each policy rule to the date of the push, which you will see when you monitor policy rule usage on the newly managed firewalls. Additionally, a new universally unique identifier (UUID) is created for each policy rule. Push the device group and template stack configuration to the passive HA peer first, fail over, and then push to the original active HA peer.
  - Select Commit > Push to Devices and Edit Selections.
  - Enable (select) Merge Device Candidate Config, Include Device and Network Templates, and Force Template Values.
  - Click OK.
  - Push to your managed firewalls.
  - Launch the web interface of the active HA peer and select Device > High Availability > Operational Commands > Suspend local device. Fail over to the passive HA peer before modifying the active HA peer, so that the pair keeps enforcing policy while you complete the configuration migration.
  - Launch the web interface of the now active HA peer and select Device > High Availability > Operational Commands > Suspend local device. This restores the original active/passive HA peer roles. Before you suspend this second peer, return the first peer to service with Make local device functional; otherwise both peers are suspended and neither one forwards traffic.
  - Select Panorama > Managed Devices > Summary and verify that the device group and template are in sync for the passive firewall. Verify that the policy rules, objects and network settings on the passive firewall match those on the active firewall.
- Enable configuration synchronization between the HA peers. Repeat these steps for both firewalls in the HA pair if you plan to maintain a local configuration that needs to be synchronized between the peers.
  - Log in to the web interface on each firewall, select Device > High Availability > General and edit the Setup section.
  - Select Enable Config Sync and click OK.
  - Commit the configuration changes on each firewall.
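Two conditions in the procedure above are easy to get wrong by hand: Enable Config Sync must be off on both peers before the push, and the push must go to the passive peer first. The following Python script is an added example, not code from the original Palo Alto Networks page. It runs the PAN-OS XML API operational command `show high-availability state` on each peer, refuses to proceed while Config Sync is still enabled, and prints the push order. The XML element names it parses (result/enabled, group/mode, group/local-info/state, group/running-sync-enabled) are assumed from a typical PAN-OS 9.0 response and should be confirmed against your own firewalls; the SAMPLE_* responses are constructed so the script runs offline. The API key is read from the PANOS_API_KEY environment variable (not the command line, where it would be visible in the process list), and the hostnames fw-a and fw-b are placeholders.

```python
"""Pre-flight check for the HA-pair-to-Panorama migration.

Added example; not part of the original Palo Alto Networks documentation.
Queries `show high-availability state` on each HA peer over the XML API,
confirms Enable Config Sync is cleared on both, and returns the push order
(passive peer first, then active). Element names below are assumed from a
typical PAN-OS 9.0 response; SAMPLE_* responses are constructed test data.
"""
import os
import ssl
import sys
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

HA_STATE_CMD = "<show><high-availability><state></state></high-availability></show>"


def fetch_ha_state(host, api_key, verify_tls=True):
    """Return the raw XML of `show high-availability state` from one firewall."""
    query = urllib.parse.urlencode({"type": "op", "cmd": HA_STATE_CMD, "key": api_key})
    ctx = ssl.create_default_context()
    if not verify_tls:  # lab use only: accepts any certificate on the management interface
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(f"https://{host}/api/?{query}", context=ctx, timeout=15) as resp:
        return resp.read().decode()


def parse_ha_state(xml_text):
    """Reduce the API response to the fields the migration depends on."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise RuntimeError(f"API error: {root.findtext('.//msg') or xml_text[:200]}")
    group = root.find("./result/group")
    if group is None:
        raise RuntimeError("no HA group in response (HA not configured?)")
    return {
        "enabled": root.findtext("./result/enabled") == "yes",
        "mode": group.findtext("mode") or "",
        "local_state": group.findtext("local-info/state") or "",
        "config_sync_enabled": group.findtext("running-sync-enabled") == "yes",
    }


def preflight(states):
    """states: {hostname: parse_ha_state(...)}. Returns ok flag, push order and blockers."""
    problems = []
    for host, st in states.items():
        if not st["enabled"]:
            problems.append(f"{host}: HA is not enabled")
        if st["config_sync_enabled"]:
            problems.append(f"{host}: Enable Config Sync is still on; clear it and commit first")
    modes = {st["mode"].lower() for st in states.values()}
    order = sorted(states)  # active/active: no peer is 'safer'; push in a fixed, reviewed order
    if len(modes) != 1:
        problems.append(f"peers disagree on HA mode: {sorted(modes)}")
    elif "passive" in next(iter(modes)):
        passive = [h for h, s in states.items() if s["local_state"] == "passive"]
        active = [h for h, s in states.items() if s["local_state"] == "active"]
        if len(passive) == 1 and len(active) == 1:
            order = passive + active  # push the passive peer first, then fail over
        else:
            problems.append("expected exactly one active and one passive peer "
                            f"(got {[s['local_state'] for s in states.values()]})")
    return {"ok": not problems, "order": order, "problems": problems}


# Constructed sample responses (not captured from a real device).
SAMPLE_ACTIVE = """<response status="success"><result><enabled>yes</enabled><group>
<mode>Active-Passive</mode><local-info><state>active</state></local-info>
<peer-info><state>passive</state></peer-info>
<running-sync>synchronized</running-sync><running-sync-enabled>no</running-sync-enabled>
</group></result></response>"""
SAMPLE_PASSIVE = (SAMPLE_ACTIVE
                  .replace("<local-info><state>active", "<local-info><state>passive")
                  .replace("<peer-info><state>passive", "<peer-info><state>active"))
SAMPLE_SYNC_ON = SAMPLE_PASSIVE.replace("<running-sync-enabled>no", "<running-sync-enabled>yes")

if __name__ == "__main__":
    if len(sys.argv) >= 3 and "PANOS_API_KEY" in os.environ:
        # usage: PANOS_API_KEY=... python ha_preflight.py fw-a.example.net fw-b.example.net
        key = os.environ["PANOS_API_KEY"]
        states = {h: parse_ha_state(fetch_ha_state(h, key)) for h in sys.argv[1:]}
    else:  # offline demonstration on the constructed samples
        states = {"fw-a": parse_ha_state(SAMPLE_ACTIVE), "fw-b": parse_ha_state(SAMPLE_PASSIVE)}
    result = preflight(states)
    print("push order:", " then ".join(result["order"]) if result["ok"] else "BLOCKED")
    for p in result["problems"]:
        print(" -", p)
```

Generate the API key for an administrator role that is limited to operational commands rather than for a superuser account; the script only needs to run a show command. Run without arguments it evaluates the constructed samples and prints `push order: fw-b then fw-a`; with the SAMPLE_SYNC_ON response substituted for one peer it reports BLOCKED and names the firewall that still has Config Sync enabled.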