Migrate a Firewall HA Pair to Panorama Management and Reuse Existing Configuration

1. Plan the migration.

   See the checklist in Plan the Transition to Panorama Management.
2. Disable configuration synchronization between the HA peers.

   Repeat these steps for both firewalls in the HA pair.

   1. Log in to the web interface on each firewall, select DeviceHigh AvailabilityGeneral and edit the Setup section.
   2. Clear Enable Config Sync and click OK.
   3. Commit the configuration changes on each firewall.
3. Add your HA firewalls to Panorama management.

   Confirm that Panorama Policy and Objects and Device and Network Template are enabled.

   If Panorama is already receiving logs from these firewalls, you do not need to perform this step. Continue to Step 7.
4. Log in to the Panorama web interface and select PanoramaManaged DevicesSummary and verify the Device State for each firewall is Connected.
5. Import each firewall configuration into Panorama.

   Do no push any device group or template stack configuration to your managed firewalls in this step. Pushing the device group and template stack configuration during this step wipes the local firewall HA configuration in the next steps.

   If you later decide to re-import a firewall configuration, first remove the firewall device groups and template to which it is a member. If the device group and template names are the same as the firewall hostname, then you can delete the device group and template before re-importing the firewall configuration or use the Device Group Name Prefix fields to enter a new name for the device group and template created by the re-import. Additionally, firewalls don’t lose logs when you remove them from device groups or templates.

   1. From Panorama, select PanoramaSetupOperations, click Import device configuration to Panorama, and select the Device.

      Panorama can’t import a configuration from a firewall that is assigned to an existing device group or template stack.
   2. (Optional) Edit the Template Name. The default value is the firewall name. You can’t use the name of an existing template or template stack.
   3. (Optional) Edit the Device Group names. For a multi-vsys firewall, each device group has a vsys name by default, so add a character string as a Device Group Name Prefix for each. Otherwise, the default value is the firewall name. You can’t use the names of existing device groups.

      The Imported devices’ shared objects into Panorama’s shared context check box is selected by default, which means Panorama compares imports objects that belong to the Shared location in the firewall to Shared in Panorama. If an imported object is not in the Shared context of the firewall, it is applied to each device group being imported. If you clear the check box, Panorama copies will not compare imported objects, and apply all shared firewall objects into device groups being imported instead of Shared. This could create duplicate objects, so selecting the check box is a best practice in most cases. To understand the consequences of importing shared or duplicate objects into Panorama, see Plan how to manage shared settings.
   4. Commit to Panorama.
   5. Select PanoramaSetupOperations and Export or push device config bundle. Select the Device, select OK and Push & Commit the configuration.

      The Enable Config Sync setting in Step 2 must be cleared on both firewalls before you push the device group and template stack.
   6. Launch the Web Interface of the firewall HA peer and ensure that the configuration pushed in the previous step committed successfully. If not, Commit the changes locally on the firewall.
   7. Repeat Step 1-6 above on the second firewall. The process creates a device group and template stack per each firewall.
6. Add the HA firewall pair into the same device group and template stack.

   (Firewalls in active/active configuration) It is recommended to add HA peers to the same device group but not to the same template stack because firewalls in an active/active HA configuration typically need unique network configurations. This simplifies policy management for the HA peers while reducing the operational burden of managing the network configuration of each HA peer when their network configurations are independent of each other. For example, firewalls in an active/active HA configuration often times need unique network configurations, such as unique floating IP that are used as the default gateway for hosts.

   Ultimately, deciding whether to add firewalls in an active/active HA configuration to the same device group and template stack is a design decision you must make when designing your configuration hierarchy.

   1. Select PanoramaDevice Group, select the device group of the second firewall, and remove the second firewall from the device group.
   2. Select the device group from which you removed the second firewall and Delete it.
   3. Select the device group for the first firewall, select the second firewall, click OK and Commit to Panorama to add it to the same device group as the HA peer.
   4. Select PanoramaTemplates, select the template stack of the second firewall, and remove the second firewall from the template stack.
   5. Select the template stack from which you removed the second firewall and Delete it.
   6. Select the template stack for the first firewall, add the second firewall, select OK and Commit to Panorama to add it to the same template stack as the HA peer.
   7. (Optional) Remove the HA settings in the template associated with the newly migrated firewalls.

      You can manage the firewall HA configuration from Panorama or configure the HA settings locally on the managed firewalls.

      Skip this step if you want to manage the firewall HA settings from Panorama.

      1. Select DeviceHigh Availability and select the Template containing the HA configuration.
      2. Select Remove All.
      3. Commit to Panorama.
   8. Select PanoramaManaged DevicesSummary, and verify that the device group and template are in sync for the passive firewall. Verify policy rules, objects and network settings on the passive firewall match the active firewall.
7. Push the device group and template stack configuration changes to your managed firewalls.

   You must first push the device group and template stack configuration to your passive or Active-Secondary HA peer first and then to the active or Active-Primary HA peer.

   Pushing the imported firewall configuration from Panorama to remove local firewall configuration updates Policy rule Creation and Modified dates to reflect the date you pushed to your newly managed firewalls when you monitor policy rule usage for a managed firewall. Additionally, a new universially unique identifier (UUID) for each policy rule is created.

   1. Log into the firewall web interface of the Passive or Active-Secondary HA peer and select DeviceHigh AvailabilityOperational Commands to Suspend local device for high availability.
   2. Push the Panorama managed configuration to the suspended HA firewall.

      1. Log in to the Panorama web interface.
      2. Select Commit Push to Devices and Edit Selections.
      3. Enable (select) Merge Device Candidate Config and Include Device and Network Templates.
         (Panorama-managed HA configuration) Enable (select) Force Template Values.
      4. In Device Groups and Templates, select the suspended HA firewall.
      5. Click OK and Push.
   3. In the firewall web interface of the suspended passive or Active-Secondary HA peer and select DeviceHigh AvailabilityOperational Commands to Make local device functional for high availability.
   4. Log into the firewall web interface of the active or Active-Primary HA peer and select DeviceHigh AvailabilityOperational Commands to Suspend local device for high availability.
   5. Repeat Step 2 to push the Panorama managed configuration to the suspended HA peer.
   6. Log into the firewall web interface of the suspended active or Active-Primary HA peer and select DeviceHigh AvailabilityOperational Commands to Make local device functional for high availability.
   7. In the Panorama web interface, select PanoramaManaged DevicesSummary, and verify that the device group and template are in sync for HA firewalls. Verify policy rules, objects and network settings on the passive firewall match the active firewall.
8. (Local firewall HA configuration only) Enable configuration synchronization between the HA peers.

   Repeat these steps for both firewalls in the HA pair if you plan on maintaining a local configuration that needs to be synchronized.

   Skip this step if managing the firewall HA configuration from Panorama. This setting is enabled by default.

   1. Log in to the web interface of each HA peer, select DeviceHigh AvailabilityGeneral and edit the Setup section.
   2. Select Enable Config Sync and click OK.
   3. Commit the configuration changes on each firewall.