: Load a Partial Firewall Configuration into Panorama
Focus
Focus

Load a Partial Firewall Configuration into Panorama

Table of Contents

Load a Partial Firewall Configuration into Panorama

If some configuration settings on a firewall are common to other firewalls, you can load those specific settings into Panorama and then push them to all the other firewalls or to the firewalls in particular device groups and templates.
Loading a configuration into a Panorama management server requires a full commit and must be performed by a superuser. Full commits are required when performing certain Panorama operations, such as reverting and loading a configuration snapshot, and are not supported for custom Admin Role profiles.
  1. Plan the transition to Panorama.
  2. Resolve how to manage duplicate settings, which are those that have the same names in Panorama as in a firewall.
    Before you load a partial firewall configuration, Panorama and that firewall might already have duplicate settings. Loading a firewall configuration might also add settings to Panorama that are duplicates of settings in other managed firewalls.
    If Panorama has policy rules or objects with the same names as those on a firewall, a commit failure will occur when you try to push device group settings to that firewall. If Panorama has template settings with the same names as those on a firewall, the template values will override the firewall values when you push the template.
    1. On Panorama, perform a global find to determine if duplicate settings exist.
    2. Delete or rename the duplicate settings on the firewall if you will use Panorama to manage them, or delete or rename the duplicate settings on Panorama if you will use the firewall to manage them. If you will use the firewall to manage device or network settings, instead of deleting or renaming the duplicates on Panorama, you can also push the settings from Panorama (Step 6) and then Override a Template or Template Stack Value on the firewall with firewall-specific values.
  3. Export the entire firewall configuration to your local computer.
    1. On the firewall, select DeviceSetupOperations.
    2. Click Save named configuration snapshot, enter a Name to identify the configuration, and click OK.
    3. Click Export named configuration snapshot, select the Name of the configuration you just saved, and click OK. The firewall exports the configuration as an XML file.
  4. Import the firewall configuration snapshot into Panorama.
    1. On Panorama, select PanoramaSetupOperations.
    2. Click Import named Panorama configuration snapshot, Browse to the firewall configuration file you exported to your computer, and click OK.
      After using this option to import a firewall configuration file, you can’t use the Panorama web interface to load it. You must use the XML API or CLI, as described in the next step.
  5. Load the desired part of the firewall configuration into Panorama.
    To specify a part of the configuration (for example, all application objects), you must identify the:
    • Source xpath—The XML node in the firewall configuration file from which you are loading.
    • Destination xpath—The node in the Panorama configuration to which you are loading.
    1. Use the firewall XML API or CLI to identify the source xpath.
      For example, the xpath for application objects in vsys1 of the firewall is:
      /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/application
    2. Use the Panorama XML API or CLI to identify the destination xpath.
      For example, to load application objects into a device group named US-West, the xpath is:
      /config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='US-West']/application
    3. Use the Panorama CLI to load the configuration and commit the change:
      # load config partial mode [append|merge|replace] from-xpath <source-xpath> to-xpath <destination-xpath> from <filename> 
      # commit 
      For example, enter the following to load the application objects from vsys1 on an imported firewall configuration named fw1-config.xml into a device group named US-West on Panorama:
      # load config partial mode merge from-xpath /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/application to-xpath /config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='US-West']/application from fw1-config.xml 
      # commit 
  6. Push the partial configuration from Panorama to the firewall to complete the transition to centralized management.
    1. On the firewall, delete any rules or objects that have the same names as those in Panorama. If the device group for that firewall has other firewalls with rules or objects that are duplicated in Panorama, perform this step on those firewalls also. For details, see Step 2.
    2. On Panorama, push the partial configuration to the firewall.
      1. Select CommitCommit and Push and Edit Selections in the Push Scope.
      2. Select Device Groups and select the device groups that contain the imported firewall configurations.
      3. Select Merge with Device Candidate Config, Include Device and Network Templates, and Force Template Values.
      4. Click OK to save your changes to the Push Scope.
      5. Commit and Push your changes.
    3. If the firewall has a device or network setting that you won’t use Panorama to manage, Override a Template or Template Stack Value on the firewall.
  7. Perform your post-migration test plan.
    Perform the verification tasks that you devised during the migration planning to confirm that the firewall works as efficiently with the Panorama-pushed configuration as it did with its original local configuration: see Create a post-migration test plan.