Migrate a Firewall HA Pair to Panorama Management and Reuse Existing Configuration
11.1 & Later
Migrate a firewall HA pair in an active/active or active/passive configuration to
Panorama™ management and reuse the existing firewall configuration.
If you have a pair of firewalls in an HA configuration that you want to manage using
Panorama, you have the option to import the configuration local to your firewall HA
pair to Panorama without needing to recreate any configurations or policies. This
allows you to reuse the existing firewall configuration. You first import the
firewall configurations to Panorama, which are used to create a new device group and
template. You will perform a special configuration push of the device group and
template to the firewalls to overwrite the local firewall configurations and
synchronize the firewalls with Panorama.
To migrate a firewall HA pair to Panorama management and create a new configuration,
see Migrate a Firewall HA Pair to Panorama Management and Push a New Configuration.
Panorama can import configurations from firewalls that run PAN-OS 5.0 or later
releases and can push configurations to those firewalls. The exception is that
Panorama 6.1 and later releases cannot push configurations to firewalls running
PAN-OS 6.0.0 through 6.0.3.
Panorama can import configurations from firewalls that are already managed
devices but only if they are not already assigned to device groups or
templates.
1. Plan the migration. See the checklist in Plan the Transition to Panorama Management.

2. Disable configuration synchronization between the HA peers. Repeat these steps for both firewalls in the HA pair.
   1. Log in to the web interface on each firewall, select Device > High Availability > General and edit the Setup section.
   2. Clear Enable Config Sync and click OK.
   3. Commit the configuration changes on each firewall.

3. Add your HA firewalls to Panorama management. Confirm that Panorama Policy and Objects and Device and Network Template are enabled. If Panorama is already receiving logs from these firewalls, you do not need to perform this step. Continue to Step 7.

4. Log in to the Panorama web interface, select Panorama > Managed Devices > Summary and verify that the Device State for each firewall is Connected.

5. Import each firewall configuration into Panorama.
   Do not push any device group or template stack configuration to your managed firewalls in this step. Pushing the device group and template stack configuration during this step wipes the local firewall HA configuration in the next steps.
   If you later decide to re-import a firewall configuration, first remove the firewall from the device group and template of which it is a member. If the device group and template names are the same as the firewall hostname, you can either delete the device group and template before re-importing the firewall configuration or use the Device Group Name Prefix fields to enter a new name for the device group and template created by the re-import. Firewalls do not lose logs when you remove them from device groups or templates.
   1. From Panorama, select Panorama > Setup > Operations, click Import device configuration to Panorama, and select the Device. Panorama cannot import a configuration from a firewall that is assigned to an existing device group or template stack.
   2. (Optional) Edit the Template Name. The default value is the firewall name. You cannot use the name of an existing template or template stack.
   3. (Optional) Edit the Device Group names. For a multi-vsys firewall, each device group has a vsys name by default, so add a character string as a Device Group Name Prefix for each. Otherwise, the default value is the firewall name. You cannot use the names of existing device groups.
   4. The Imported devices' shared objects into Panorama's shared context check box is selected by default, which means Panorama imports objects that belong to the Shared location on the firewall into the Shared location in Panorama. If an imported object is not in the Shared context of the firewall, it is applied to each device group being imported. If you clear the check box, Panorama does not compare imported objects and copies all shared firewall objects into the device groups being imported instead of into Shared. This can create duplicate objects, so selecting the check box is a best practice in most cases. To understand the consequences of importing shared or duplicate objects into Panorama, see Plan how to manage shared settings.
   5. Commit to Panorama.

6. Select Panorama > Setup > Operations and Export or push device config bundle. Select the Device, select OK and Push & Commit the configuration.
   The Enable Config Sync setting in Step 2 must be cleared on both firewalls before you push the device group and template stack.

7. Launch the Web Interface of the firewall HA peer and ensure that the configuration pushed in the previous step committed successfully. If it did not, Commit the changes locally on the firewall.

8. Repeat Steps 1-6 above on the second firewall. The process creates a device group and template stack for each firewall.

9. Add the HA firewall pair to the same device group and template stack.
   (Firewalls in active/active configuration) It is recommended to add HA peers to the same device group but not to the same template stack, because firewalls in an active/active HA configuration typically need unique network configurations. This simplifies policy management for the HA peers while reducing the operational burden of managing the network configuration of each HA peer when their network configurations are independent of each other. For example, firewalls in an active/active HA configuration often need unique network configurations, such as unique floating IP addresses that are used as the default gateway for hosts. Ultimately, deciding whether to add firewalls in an active/active HA configuration to the same device group and template stack is a design decision you must make when designing your configuration hierarchy.
   1. Select Panorama > Device Groups, select the device group of the second firewall, and remove the second firewall from the device group.
   2. Select the device group from which you removed the second firewall and Delete it.
   3. Select the device group for the first firewall, select the second firewall, click OK and Commit to Panorama to add it to the same device group as its HA peer.
   4. Select Panorama > Templates, select the template stack of the second firewall, and remove the second firewall from the template stack.
   5. Select the template stack from which you removed the second firewall and Delete it.
   6. Select the template stack for the first firewall, add the second firewall, select OK and Commit to Panorama to add it to the same template stack as its HA peer.

10. (Optional) Remove the HA settings in the template associated with the newly migrated firewalls.
    You can manage the firewall HA configuration from Panorama or configure the HA settings locally on the managed firewalls. Skip this step if you want to manage the firewall HA settings from Panorama.
    1. Select Device > High Availability and select the Template containing the HA configuration.
    2. Select Remove All.
    3. Commit to Panorama.

11. Select Panorama > Managed Devices > Summary and verify that the device group and template are in sync for the passive firewall. Verify that the policy rules, objects and network settings on the passive firewall match those on the active firewall.

12. Push the device group and template stack configuration changes to your managed firewalls.
    You must push the device group and template stack configuration to the passive or Active-Secondary HA peer first, and then to the active or Active-Primary HA peer.
    Pushing the imported firewall configuration from Panorama to replace the local firewall configuration updates the policy rule Creation and Modified dates to the date of the push, which you will see when you monitor policy rule usage for a managed firewall. Additionally, a new universally unique identifier (UUID) is created for each policy rule.
    1. Log in to the firewall web interface of the passive or Active-Secondary HA peer and select Device > High Availability > Operational Commands to Suspend local device for high availability.
    2. Push the Panorama managed configuration to the suspended HA firewall.
       1. Select Commit > Push to Devices and Edit Selections.
       2. Enable (select) Merge Device Candidate Config and Include Device and Network Templates. (Panorama-managed HA configuration) Enable (select) Force Template Values.
       3. In Device Groups and Templates, select the suspended HA firewall.
       4. Click OK and Push.
    3. In the firewall web interface of the suspended passive or Active-Secondary HA peer, select Device > High Availability > Operational Commands to Make local device functional for high availability.
    4. Log in to the firewall web interface of the active or Active-Primary HA peer and select Device > High Availability > Operational Commands to Suspend local device for high availability.
    5. Repeat Step 2 to push the Panorama managed configuration to the suspended HA peer.
    6. Log in to the firewall web interface of the suspended active or Active-Primary HA peer and select Device > High Availability > Operational Commands to Make local device functional for high availability.
    7. In the Panorama web interface, select Panorama > Managed Devices > Summary and verify that the device group and template are in sync for the HA firewalls. Verify that the policy rules, objects and network settings on the passive firewall match those on the active firewall.

13. (Local firewall HA configuration only) Enable configuration synchronization between the HA peers.
    Repeat these steps for both firewalls in the HA pair if you plan to maintain a local configuration that needs to be synchronized. Skip this step if you manage the firewall HA configuration from Panorama. This setting is enabled by default.
    1. Log in to the web interface of each HA peer, select Device > High Availability > General and edit the Setup section.
    2. Select Enable Config Sync and click OK.
    3. Commit the configuration changes on each firewall.
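Two checks in the procedure above lend themselves to automation: confirming that Enable Config Sync is cleared on both peers before the push (Step 2 and the note in Step 6), and confirming that the security policy on the passive peer matches the active peer after the push (Steps 11 and 12). The script below is an added example, not part of the Palo Alto Networks documentation or a Panorama feature. It reads two exported firewall configuration files (here constructed, heavily trimmed samples; the element paths `deviceconfig/high-availability/group/configuration-synchronization/enabled` and `vsys/entry/rulebase/security/rules/entry` follow the PAN-OS XML layout, but treat them as an assumption and verify against a real export), reports the config-sync state of each peer, and diffs the security rules by name and key fields so that a rule that exists on only one peer or differs between them is flagged before you bring the peer back into service.

```python
import xml.etree.ElementTree as ET

# Constructed, trimmed PAN-OS-style configuration exports for the two HA peers.
# Only the elements the checks below read are present; all values are invented.
PEER_A_XML = """<config>
  <devices><entry name="localhost.localdomain">
    <deviceconfig><high-availability><group>
      <configuration-synchronization><enabled>no</enabled></configuration-synchronization>
    </group></high-availability></deviceconfig>
    <vsys><entry name="vsys1"><rulebase><security><rules>
      <entry name="allow-web">
        <from><member>trust</member></from><to><member>untrust</member></to>
        <source><member>any</member></source><destination><member>any</member></destination>
        <application><member>web-browsing</member><member>ssl</member></application>
        <service><member>application-default</member></service>
        <action>allow</action>
      </entry>
      <entry name="deny-all">
        <from><member>any</member></from><to><member>any</member></to>
        <source><member>any</member></source><destination><member>any</member></destination>
        <application><member>any</member></application>
        <service><member>any</member></service>
        <action>deny</action>
      </entry>
    </rules></security></rulebase></entry></vsys>
  </entry></devices>
</config>"""

# Peer B still has config sync enabled, has drifted on allow-web, lacks the
# deny-all rule and carries a rule peer A does not have.
PEER_B_XML = """<config>
  <devices><entry name="localhost.localdomain">
    <deviceconfig><high-availability><group>
      <configuration-synchronization><enabled>yes</enabled></configuration-synchronization>
    </group></high-availability></deviceconfig>
    <vsys><entry name="vsys1"><rulebase><security><rules>
      <entry name="allow-web">
        <from><member>trust</member></from><to><member>untrust</member></to>
        <source><member>any</member></source><destination><member>any</member></destination>
        <application><member>web-browsing</member></application>
        <service><member>application-default</member></service>
        <action>allow</action>
      </entry>
      <entry name="temp-allow">
        <from><member>trust</member></from><to><member>untrust</member></to>
        <source><member>any</member></source><destination><member>any</member></destination>
        <application><member>any</member></application>
        <service><member>any</member></service>
        <action>allow</action>
      </entry>
    </rules></security></rulebase></entry></vsys>
  </entry></devices>
</config>"""

# Assumed PAN-OS config paths (relative to the <config> root element).
HA_SYNC_PATH = "devices/entry/deviceconfig/high-availability/group/configuration-synchronization/enabled"
RULES_PATH = "devices/entry/vsys/entry/rulebase/security/rules/entry"
RULE_FIELDS = ("from", "to", "source", "destination", "application", "service")


def config_sync_enabled(root):
    """True when Enable Config Sync is set; it must be cleared before the Panorama push."""
    node = root.find(HA_SYNC_PATH)
    return node is not None and (node.text or "").strip() == "yes"


def security_rules(root):
    """Map rule name -> normalized fields; member lists are sorted so order does not matter."""
    rules = {}
    for entry in root.findall(RULES_PATH):
        rule = {f: tuple(sorted(m.text for m in entry.findall(f"{f}/member"))) for f in RULE_FIELDS}
        action = entry.find("action")
        rule["action"] = action.text if action is not None else None
        rules[entry.get("name")] = rule
    return rules


def diff_rules(rules_a, rules_b):
    """Report rules present on only one peer and rules whose fields differ."""
    changed = {}
    for name in sorted(set(rules_a) & set(rules_b)):
        fields = [f for f in rules_a[name] if rules_a[name][f] != rules_b[name][f]]
        if fields:
            changed[name] = fields
    return {
        "only_in_a": sorted(set(rules_a) - set(rules_b)),
        "only_in_b": sorted(set(rules_b) - set(rules_a)),
        "changed": changed,
    }


def compare_peers(xml_a, xml_b):
    """Run both checks over two exported configurations."""
    root_a, root_b = ET.fromstring(xml_a), ET.fromstring(xml_b)
    return {
        "config_sync": (config_sync_enabled(root_a), config_sync_enabled(root_b)),
        "rules": diff_rules(security_rules(root_a), security_rules(root_b)),
    }


if __name__ == "__main__":
    report = compare_peers(PEER_A_XML, PEER_B_XML)
    for peer, enabled in zip(("peer A", "peer B"), report["config_sync"]):
        print(f"{peer}: Enable Config Sync is {'SET - clear before push' if enabled else 'cleared'}")
    for key, value in report["rules"].items():
        print(f"{key}: {value}")
```

Run it against the running-config exports of both peers (Device > Setup > Operations > Export) before Step 6 to confirm config sync is cleared on both, and again after the pushes in Step 12 to confirm the rulebases match; any non-empty `only_in_a`, `only_in_b` or `changed` entry is a difference to investigate before you make the peer functional again.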