Panorama Administrator's Guide
    : Migrate a Firewall to Panorama Management and Push a New Configuration
    Focus
    Download PDF
    Focus
    1. Home
    2. Panorama
    3. Panorama Administrator's Guide
    4. Manage Firewalls
    5. Transition a Firewall to Panorama Management
    6. Migrate a Firewall to Panorama Management and Push a New Configuration
    Download PDF

    Panorama Administrator's Guide

    Migrate a Firewall to Panorama Management and Push a New Configuration

    Table of Contents

    Migrate a Firewall to Panorama Management and Push a New Configuration

    Migrate a firewall to Panorama™ management and create new templates and device groups to manage the firewall configuration.
    This procedure overwrites the local firewall configuration with the configuration pushed from Panorama.
    Migrate a firewall to Panorama management and create a new Panorama-managed configuration using device groups and template stacks.
    When you perform the following steps, Panorama imports the entire firewall configuration. Alternatively, you can Load a Partial Firewall Configuration into Panorama.
    To migrate a firewall to Panorama management and reuse the existing configuration, see Migrate a Firewall to Panorama Management and Reuse Existing Configuration. To migrate a firewall HA pair to Panorama management, see Migrate a Firewall HA Pair to Panorama Management and Push a New Configuration.
    Panorama can import configurations from firewalls that run PAN-OS 5.0 or later releases and can push configurations to those firewalls. The exception is that Panorama 6.1 and later releases cannot push configurations to firewalls running PAN-OS 6.0.0 through 6.0.3.
    Panorama can import configurations from firewalls that are already managed devices but only if they are not already assigned to device groups or templates.
    1. Plan the migration.
      See the checklist in Plan the Transition to Panorama Management.
    2. Add the firewall as a managed device.
      See Add a Firewall as a Managed Device for more information on adding a firewall to Panorama management.
      1. Log in to the Panorama Web Interface
      2. Select PanoramaDevice Registration Auth Key and Add a new authentication key.
        Copy Auth Key after you successfully create the device registration authentication key.
      3. Select PanoramaManaged DevicesSummary to Add a firewall as a managed device.
      4. Enter the serial number of the firewall and click OK.
        To add multiple firewalls at the same time, enter the serial number of each one on a separate line.
      5. Select CommitCommit to Panorama and Commit your changes.
    3. Set up a connection from the firewall to Panorama.
      1. Log in to the firewall web interface
      2. Select DeviceSetupManagement and edit the Panorama Settings.
      3. In the Panorama Servers fields, enter the IP addresses of the Panorama management server.
      4. Paste the Auth Key you copied in the previous step.
      5. Click OK and Commit.
    4. On the Panorama web interface, select PanoramaManaged DevicesSummary and verify that the Device State is Connected.
    5. Add a Device Group.
      Repeat this step to create as many device groups as needed to logically group your firewall configurations. Device groups are required to manage device group objects and policies. Learn more about how to manage your device groups.
    6. Create a template and template stack.
      Templates and template stacks are used to configure the firewall Network and Device settings that enable firewall to operate on the network.
      1. Add a Template.
        Repeat this step to create as many templates as needed to define your required networking configurations.
      2. Configure a Template Stack.
        Repeat this step to create as many template stacks as needed to quickly apply your defined networking configurations. When you create a template stack, assign the relevant templates and managed firewalls.
    7. Configure the device groups, templates, and template stacks as needed.
    8. Push the device group and template configurations to complete the transition to centralized management.
      1. Select CommitCommit and Push.
      2. (Optional) Click Edit Selections to modify the Push Scope.
        • Merge with Device Candidate Config—This setting is enabled by default and merges any pending local firewall configurations with the configuration push from Panorama. The local firewall configuration is merged and committed regardless of the admin pushing the changes from Panorama or the admin who made the local firewall configuration changes.
          Disable this setting if you manage and commit local firewall configuration changes independently of the Panorama managed configuration.
        • Force Template Values—Overwrites any local firewall configurations with those in the template stack configuration pushed from Panorama in the event of conflicting values.
          This setting is enabled by default. Enable this setting to overwrite any conflicting firewall configurations with those defined in the template or template stack. Before enabling this setting, review any overridden values to ensure an outage does not occur.
        Click OK to save your changes to the Push Scope.
      3. Commit and Push your changes.
    9. Select PanoramaManaged DevicesSummary and verify that the Shared Policy and Template status is In Sync for the newly added firewalls.
      On the firewall web interface, verify that configuration objects display a green cog, signifying that the configuration object is pushed from Panorama.
    10. Perform your post-migration test plan.
      Perform the verification tasks that you devised during the migration planning to confirm that the firewalls work as efficiently with the Panorama-pushed configuration as they did with their original local configuration: see Create a post-migration test plan.

    © 2024 Palo Alto Networks, Inc. All rights reserved.