Load a Partial Firewall Configuration into Panorama
Table of Contents
9.1 (EoL)
Expand all | Collapse all
-
- Determine Panorama Log Storage Requirements
-
- Setup Prerequisites for the Panorama Virtual Appliance
- Perform Initial Configuration of the Panorama Virtual Appliance
- Set Up The Panorama Virtual Appliance as a Log Collector
- Set Up the Panorama Virtual Appliance with Local Log Collector
- Set up a Panorama Virtual Appliance in Panorama Mode
- Set up a Panorama Virtual Appliance in Management Only Mode
-
- Preserve Existing Logs When Adding Storage on Panorama Virtual Appliance in Legacy Mode
- Add a Virtual Disk to Panorama on an ESXi Server
- Add a Virtual Disk to Panorama on vCloud Air
- Add a Virtual Disk to Panorama on AWS
- Add a Virtual Disk to Panorama on Azure
- Add a Virtual Disk to Panorama on Google Cloud Platform
- Add a Virtual Disk to Panorama on KVM
- Add a Virtual Disk to Panorama on Hyper-V
- Mount the Panorama ESXi Server to an NFS Datastore
-
- Increase CPUs and Memory for Panorama on an ESXi Server
- Increase CPUs and Memory for Panorama on vCloud Air
- Increase CPUs and Memory for Panorama on AWS
- Increase CPUs and Memory for Panorama on Azure
- Increase CPUs and Memory for Panorama on Google Cloud Platform
- Increase CPUs and Memory for Panorama on KVM
- Increase CPUs and Memory for Panorama on Hyper-V
- Complete the Panorama Virtual Appliance Setup
-
- Convert Your Evaluation Panorama to a Production Panorama with Local Log Collector
- Convert Your Evaluation Panorama to a Production Panorama without Local Log Collector
- Convert Your Evaluation Panorama to VM-Flex Licensing with Local Log Collector
- Convert Your Evaluation Panorama to VM-Flex Licensing without Local Log Collector
- Convert Your Production Panorama to an ELA Panorama
-
- Register Panorama
- Activate a Panorama Support License
- Activate/Retrieve a Firewall Management License when the Panorama Virtual Appliance is Internet-connected
- Activate/Retrieve a Firewall Management License when the Panorama Virtual Appliance is not Internet-connected
- Activate/Retrieve a Firewall Management License on the M-Series Appliance
- Install the Panorama Device Certificate
-
- Migrate from a Panorama Virtual Appliance to an M-Series Appliance
- Migrate a Panorama Virtual Appliance to a Different Hypervisor
- Migrate from an M-Series Appliance to a Panorama Virtual Appliance
- Migrate from an M-100 Appliance to an M-500 Appliance
- Migrate from an M-100 or M-500 Appliance to an M-200 or M-600 Appliance
-
- Configure an Admin Role Profile
- Configure an Access Domain
-
- Configure a Panorama Administrator Account
- Configure Local or External Authentication for Panorama Administrators
- Configure a Panorama Administrator with Certificate-Based Authentication for the Web Interface
- Configure an Administrator with SSH Key-Based Authentication for the CLI
- Configure RADIUS Authentication for Panorama Administrators
- Configure TACACS+ Authentication for Panorama Administrators
- Configure SAML Authentication for Panorama Administrators
-
- Add a Firewall as a Managed Device
-
- Add a Device Group
- Create a Device Group Hierarchy
- Create Objects for Use in Shared or Device Group Policy
- Revert to Inherited Object Values
- Manage Unused Shared Objects
- Manage Precedence of Inherited Objects
- Move or Clone a Policy Rule or Object to a Different Device Group
- Push a Policy Rule to a Subset of Firewalls
- Manage the Rule Hierarchy
- Manage the Master Key from Panorama
- Redistribute User-ID Information to Managed Firewalls
-
- Plan the Transition to Panorama Management
- Migrate a Firewall to Panorama Management and Reuse Existing Configuration
- Migrate a Firewall to Panorama Management and Push a New Configuration
- Migrate a Firewall HA Pair to Panorama Management and Reuse Existing Configuration
- Migrate a Firewall HA Pair to Panorama Management and Push a New Configuration
- Load a Partial Firewall Configuration into Panorama
- Localize a Panorama Pushed Configuration on a Managed Firewall
-
- Add Standalone WildFire Appliances to Manage with Panorama
- Configure Basic WildFire Appliance Settings on Panorama
- Remove a WildFire Appliance from Panorama Management
-
-
- Configure a Cluster and Add Nodes on Panorama
- Configure General Cluster Settings on Panorama
- Remove a Cluster from Panorama Management
- Configure Appliance-to-Appliance Encryption Using Predefined Certificates Centrally on Panorama
- Configure Appliance-to-Appliance Encryption Using Custom Certificates Centrally on Panorama
- View WildFire Cluster Status Using Panorama
- Upgrade a Cluster Centrally on Panorama with an Internet Connection
- Upgrade a Cluster Centrally on Panorama without an Internet Connection
-
-
- Manage Licenses on Firewalls Using Panorama
-
- Supported Updates
- Schedule a Content Update Using Panorama
- Upgrade Log Collectors When Panorama Is Internet-Connected
- Upgrade Log Collectors When Panorama Is Not Internet-Connected
- Upgrade Firewalls When Panorama Is Internet-Connected
- Upgrade Firewalls When Panorama Is Not Internet-Connected
- Upgrade a ZTP Firewall
- Revert Content Updates from Panorama
-
- Preview, Validate, or Commit Configuration Changes
- Enable Automated Commit Recovery
- Compare Changes in Panorama Configurations
- Manage Locks for Restricting Configuration Changes
- Add Custom Logos to Panorama
- Use the Panorama Task Manager
- Reboot or Shut Down Panorama
- Configure Panorama Password Profiles and Complexity
-
-
- Verify Panorama Port Usage
- Resolve Zero Log Storage for a Collector Group
- Replace a Failed Disk on an M-Series Appliance
- Replace the Virtual Disk on an ESXi Server
- Replace the Virtual Disk on vCloud Air
- Migrate Logs to a New M-Series Appliance in Log Collector Mode
- Migrate Logs to a New M-Series Appliance in Panorama Mode
- Migrate Logs to a New M-Series Appliance Model in Panorama Mode in High Availability
- Migrate Logs to the Same M-Series Appliance Model in Panorama Mode in High Availability
- Migrate Log Collectors after Failure/RMA of Non-HA Panorama
- Regenerate Metadata for M-Series Appliance RAID Pairs
- Troubleshoot Registration or Serial Number Errors
- Troubleshoot Reporting Errors
- Troubleshoot Device Management License Errors
- Troubleshoot Automatically Reverted Firewall Configurations
- Complete Content Update When Panorama HA Peer is Down
- View Task Success or Failure Status
- Restore an Expired Device Certificate
- Downgrade from Panorama 9.1
End-of-Life (EoL)
Load a Partial Firewall Configuration into Panorama
If some configuration settings on a firewall
are common to other firewalls, you can load those specific settings
into Panorama and then push them to all the other firewalls or to
the firewalls in particular device groups and templates.
Loading
a configuration into a Panorama management server requires a full
commit and must be performed by a superuser.
Full commits are required when performing certain Panorama operations,
such as reverting and loading a configuration snapshot, and are
not supported for custom Admin Role profiles.
- Plan the transition to Panorama.See the checklist in Plan the Transition to Panorama Management.
- Resolve
how to manage duplicate settings, which are those that have the
same names in Panorama as in a firewall.Before you load a partial firewall configuration, Panorama and that firewall might already have duplicate settings. Loading a firewall configuration might also add settings to Panorama that are duplicates of settings in other managed firewalls.If Panorama has policy rules or objects with the same names as those on a firewall, a commit failure will occur when you try to push device group settings to that firewall. If Panorama has template settings with the same names as those on a firewall, the template values will override the firewall values when you push the template.
- On Panorama, perform a global find to determine if duplicate settings exist.
- Delete or rename the duplicate settings on the firewall if you will use Panorama to manage them, or delete or rename the duplicate settings on Panorama if you will use the firewall to manage them. If you will use the firewall to manage device or network settings, instead of deleting or renaming the duplicates on Panorama, you can also push the settings from Panorama (Step 6) and then Override a Template or Template Stack Value on the firewall with firewall-specific values.
- Export the entire firewall configuration to your local
computer.
- On the firewall, select DeviceSetupOperations.
- Click Save named configuration snapshot, enter a Name to identify the configuration, and click OK.
- Click Export named configuration snapshot, select the Name of the configuration you just saved, and click OK. The firewall exports the configuration as an XML file.
- Import the firewall configuration snapshot into Panorama.
- On Panorama, select PanoramaSetupOperations.
- Click Import named Panorama configuration
snapshot, Browse to the firewall
configuration file you exported to your computer, and click OK.After using this option to import a firewall configuration file, you can’t use the Panorama web interface to load it. You must use the XML API or CLI, as described in the next step.
- Load the desired part of the firewall configuration into
Panorama.To specify a part of the configuration (for example, all application objects), you must identify the:
- Source xpath—The XML node in the firewall configuration file from which you are loading.
- Destination xpath—The node in the Panorama configuration to which you are loading.
- Use the firewall XML API or CLI to identify
the source xpath.For example, the xpath for application objects in vsys1 of the firewall is:
/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/application
- Use the Panorama XML API or CLI to identify the destination
xpath.For example, to load application objects into a device group named US-West, the xpath is:
/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='US-West']/application
- Use the Panorama CLI to load the configuration and
commit the change:
# load config partial mode [append|merge|replace] from-xpath <source-xpath> to-xpath <destination-xpath> from <filename> # commit
For example, enter the following to load the application objects from vsys1 on an imported firewall configuration named fw1-config.xml into a device group named US-West on Panorama:# load config partial mode merge from-xpath /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/application to-xpath /config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='US-West']/application from fw1-config.xml # commit
- Push the
partial configuration from Panorama to the firewall to complete
the transition to centralized management.
- On the firewall, delete any rules or objects that have the same names as those in Panorama. If the device group for that firewall has other firewalls with rules or objects that are duplicated in Panorama, perform this step on those firewalls also. For details, see Step 2.
- On Panorama, push the partial configuration to the
firewall.
- Select CommitCommit and Push and Edit Selections in the Push Scope.
- Select Device Groups and select the device groups that contain the imported firewall configurations.
- Select Merge with Device Candidate Config, Include Device and Network Templates, and Force Template Values.
- Click OK to save your changes to the Push Scope.
- Commit and Push your changes.
- If the firewall has a device or network setting that you won’t use Panorama to manage, Override a Template or Template Stack Value on the firewall.
- Perform your post-migration test plan.Perform the verification tasks that you devised during the migration planning to confirm that the firewall works as efficiently with the Panorama-pushed configuration as it did with its original local configuration: see Create a post-migration test plan.