Focus

Panorama Administrator's Guide

Localize a Panorama Pushed Configuration on a Managed Firewall

Table of Contents

Localize a Panorama Pushed Configuration on a Managed Firewall

Localize the template and device group configuration pushed from a Panorama™ management server on a managed firewall.

You can localize the template and device group configurations pushed from the Panorama™ management server to:

Remove the firewall from Panorama management.
Migrate firewall management to a different Panorama.
In the case of an emergency where Panorama isn’t accessible, ensure that administrators can modify the managed firewall configuration locally.

Launch the web interface of the managed firewall as an administrator with the Superuser role. You can directly access the firewall by entering its IP address in the browser URL field or, in Panorama, select the firewall in the Context drop-down.
(Best Practice) Select DeviceSetupOperations and Export device state.
Save a copy of the firewall system state, including device group and template settings pushed from Panorama, in the event you need to reload a known working configuration on the managed firewall.
(Active/passive HA only) Disable configuration synchronization for firewalls in an active/passive high availability (HA) configuration.

Repeat this step on each firewall HA peer. This is required to prevent duplication of objects on the passive HA peer that results in local commit failures.
1. Log in to the firewall web interface of one of the HA peers.
2. Select DeviceHigh AvailabilityGeneral and edit the HA pair Settings Setup.
3. Disable (uncheck) Enable Config Sync and click OK.
4. Select Commit and Commit your changes.
Disable the template configuration to stop using template and template stacks to manage the network configuration objects of the managed firewall.
1. Select DeviceSetupManagement and edit the Panorama Settings.
2. Click Disable Device and Network Template.
3. (Optional) Select Import Device and Network Template before disabling to save the template configuration settings locally on the firewall. If you don’t select this option, PAN-OS deletes all Panorama-pushed settings from the firewall.
4. Click OK twice to continue.
Disable the device group configuration to stop using a device group to manage the policy rule and object configurations of the managed firewall.
1. Select DeviceSetupManagement and edit the Panorama Settings.
2. (Optional) Select Import Panorama Policy Objects before disabling to save the policy rule and object configurations locally on the firewall. If you don’t select this option, PAN-OS deletes all Panorama-pushed configurations from the firewall.
3. Click OK to continue.
Don’t attempt to commit your configuration changes on the managed firewall yet as all commits fail until the following steps are successfully completed.
Select DeviceSetupOperations and Save named configuration snapshot.
Load named configuration snapshot and enable (check) Regenerate Rule UUIDs for selected named configuration to generate new policy rule UUIDs.
This step is required to successfully localize the Panorama-pushed policy rules on the managed firewalls.
Click OK to load the named configuration snapshot.
Commit the named configuration snapshot load.
(Active/passive HA only) Enable configuration synchronization for firewalls in an active/passive high HA configuration.

Repeat this step each firewall HA peer.
1. Log in to the firewall web interface of one of the HA peers.
2. Select DeviceHigh AvailabilityGeneral and edit the HA pair Settings Setup.
3. Enable (check) Enable Config Sync and click OK.
4. Select Commit and Commit your changes.

Load a Partial Firewall Configuration into Panorama

Device Monitoring on Panorama