106 • Panorama 7.0 Administrator’s Guide
© Palo Alto Networks, Inc.
Transition a Firewall to Panorama Management
Manage Firewalls
Step 4  Import the firewall configuration into Panorama.

If you later decide to re-import a firewall configuration, first remove the firewall or its virtual systems from the device groups and template where you originally imported them. (Firewalls don't lose logs when you remove them from device groups or templates.) Because the imported policies and objects remain in the device groups, you must manually move, edit, or delete them when necessary. When re-importing, use the Device Group Name Prefix fields to define device group names that differ from the ones Panorama created in the original import.

1. From Panorama, select Panorama > Setup > Operations, click Import device configuration to Panorama, and select the Device.
   Panorama can't import a configuration from a firewall that is assigned to an existing device group or template.
2. Enter a Template Name. If this is a multi-vsys firewall, the field is blank. Otherwise, the default value is the firewall name. You can't use the name of an existing template.
3. For a multi-vsys firewall, optionally add a character string as a Device Group Name Prefix for all the device groups.
4. (Optional) Edit the Device Group names. If this is a multi-vsys firewall, each device group has a vsys name by default. Otherwise, the default value is the firewall name. You can't use the names of existing device groups.
   The Import devices' shared objects into Panorama's shared context check box is selected by default, which means Panorama imports objects that belong to the Shared location in the firewall to Shared in Panorama. If you clear the check box, Panorama copies shared firewall objects into device groups instead of Shared. This could create duplicate objects, so selecting the check box is a best practice in most cases. To understand the consequences of importing shared or duplicate objects into Panorama, see Plan how to manage shared settings.
5. Select a Rule Import Location for the imported policy rules: Pre Rulebase or Post Rulebase. Regardless of your selection, Panorama imports default security rules (intrazone-default and interzone-default) into the post-rulebase.
   If Panorama has a rule with the same name as a firewall rule that you import, Panorama displays both rules. Delete one of the rules before performing a Panorama commit to prevent a commit error.
6. Click OK. Panorama displays the import status, result, details about your selections, details about what was imported, and any warnings. Click Close.

Step 5  Fine-tune the imported configuration.

1. In Panorama, select Panorama > Config Audit, select the Running config and Candidate config for the comparison, click Go, and review the output.
2. Update the device group and template configurations as needed based on the configuration audit and any warnings that Panorama displayed after the import. For example:
   • Delete redundant objects and policy rules.
   • Move or Clone a Policy Rule or Object to a Different Device Group.
   • Move firewalls to different device groups or templates.
   • Move a device group that Panorama created during the import to a different parent device group: Select Panorama > Device Groups, select the device group you want to move, select a new Parent Device Group, and click OK.
Step 6  Push the device configuration bundle to the firewall to remove all policy rules and objects from its local configuration.

This step is necessary to prevent duplicate rule or object names, which would cause commit errors when you push the device group configuration from Panorama to the firewall in the next step.

1. Click Commit, for the Commit Type select Panorama, and click Commit again. Panorama creates a device configuration bundle named <firewall_name>_import.tgz, in which all policies and objects are removed.
2. In Panorama, select Panorama > Setup > Operations and click Export or push device config bundle.
3. Select the Device from which you imported the configuration, click OK, and click Push & Commit. Panorama pushes the bundle and initiates a commit on the firewall.

Step 7  Push the device group and template configurations to the firewall to complete the transition to centralized management.

If you are migrating multiple firewalls, perform all the preceding steps—including this one—for each firewall before continuing.

1. In Panorama, click Commit and for the Commit Type select Device Group.
2. Select the Merge with Device Candidate Config, Include Device and Network Templates and Force Template Values check boxes.
3. Select the device groups that contain the imported firewall configurations and click Commit.

Step 8  Consolidate all the imported firewall configurations.

Required if you are migrating multiple firewalls. Settings might be duplicated among the firewalls. For example, if you imported an object with the same name from two firewalls, you must delete one object in Panorama before performing a commit on Panorama.

1. After importing all the firewall configurations, update the device groups and templates as needed to eliminate redundancy and streamline configuration management: see Fine-tune the imported configuration. (You don't need to push device configuration bundles again.)
2. Configure any firewall-specific settings.
   If the firewalls will have local zones, you must create them before performing a device group or template commit; Panorama can't poll the firewalls for zone name or zone configuration. If you will use local firewall rules, ensure their names are unique (not duplicated in Panorama). If necessary, you can Override a Template Setting with a firewall-specific value.
3. In Panorama, click Commit, for the Commit Type select Device Group, select the device groups, select the Include Device and Network Templates check box, and click Commit.

Step 9  Perform your post-migration test plan.

Perform the verification tasks that you devised during the migration planning to confirm that the firewalls work as efficiently with the Panorama-pushed configuration as they did with their original local configuration: see Create a post-migration test plan.

Load a Partial Firewall Configuration into Panorama

If some configuration settings on a firewall are common to other firewalls, you can load those specific settings into Panorama and then push them to all the other firewalls or to the firewalls in particular device groups and templates.

Step 1  Plan the transition to Panorama.

See the checklist in Plan the Transition to Panorama Management.
Step 2  Resolve how to manage duplicate settings, which are those that have the same names in Panorama as in a firewall.

Before you load a partial firewall configuration, Panorama and that firewall might already have duplicate settings. Loading a firewall configuration might also add settings to Panorama that are duplicates of settings in other managed firewalls.

If Panorama has policy rules or objects with the same names as those on a firewall, a commit failure will occur when you try to push device group settings to that firewall. If Panorama has template settings with the same names as those on a firewall, the template values will override the firewall values when you push the template.

1. On Panorama, perform a global find to determine if duplicate settings exist.
2. Delete or rename the duplicate settings on the firewall if you will use Panorama to manage them, or delete or rename the duplicate settings on Panorama if you will use the firewall to manage them. If you will use the firewall to manage device or network settings, instead of deleting or renaming the duplicates on Panorama, you can also push the settings from Panorama (Step 6) and then Override a Template Setting on the firewall with firewall-specific values.
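The same name check can be run offline before anything is loaded or pushed. The following Python script is an added example (it is not part of the Panorama guide and not a Palo Alto Networks tool): it collects object and security rule names from an exported firewall configuration and from a Panorama configuration and reports every name that exists on both sides, which is exactly the set that would fail the device group commit in this procedure or that Step 8 of the migration procedure asks you to consolidate. The two XML excerpts are constructed for illustration; the element paths follow the PAN-OS configuration layout (vsys, Shared, device-group, pre- and post-rulebase).

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed excerpt of an exported firewall configuration (not a real export).
FIREWALL_XML = """<config>
  <devices><entry name="localhost.localdomain">
    <vsys><entry name="vsys1">
      <address>
        <entry name="web-srv"><ip-netmask>10.1.1.10/32</ip-netmask></entry>
        <entry name="db-srv"><ip-netmask>10.1.2.20/32</ip-netmask></entry>
      </address>
      <rulebase><security><rules>
        <entry name="allow-web"><action>allow</action></entry>
        <entry name="fw-local-only"><action>allow</action></entry>
      </rules></security></rulebase>
    </entry></vsys>
  </entry></devices>
</config>"""

# Constructed excerpt of a Panorama configuration: one Shared object and one device group.
PANORAMA_XML = """<config>
  <shared>
    <address><entry name="web-srv"><ip-netmask>10.1.1.10/32</ip-netmask></entry></address>
  </shared>
  <devices><entry name="localhost.localdomain">
    <device-group><entry name="US-West">
      <address><entry name="dns-srv"><ip-netmask>10.1.3.30/32</ip-netmask></entry></address>
      <pre-rulebase><security><rules>
        <entry name="allow-web"><action>allow</action></entry>
      </rules></security></pre-rulebase>
    </entry></device-group>
  </entry></devices>
</config>"""

# Object containers compared by name; extend this tuple for other object types.
OBJECT_TYPES = ("address", "address-group", "service", "service-group", "application-group")


def firewall_names(root):
    """Collect {category: {names}} from every vsys of a firewall configuration."""
    names = defaultdict(set)
    for vsys in root.iterfind("./devices/entry/vsys/entry"):
        for otype in OBJECT_TYPES:
            names[otype].update(e.get("name") for e in vsys.iterfind(f"./{otype}/entry"))
        names["security-rule"].update(
            e.get("name") for e in vsys.iterfind("./rulebase/security/rules/entry"))
    return names


def panorama_names(root):
    """Collect {category: {names}} from Shared and from every device group's pre/post rulebases."""
    names = defaultdict(set)
    for otype in OBJECT_TYPES:
        names[otype].update(e.get("name") for e in root.iterfind(f"./shared/{otype}/entry"))
    for dg in root.iterfind("./devices/entry/device-group/entry"):
        for otype in OBJECT_TYPES:
            names[otype].update(e.get("name") for e in dg.iterfind(f"./{otype}/entry"))
        for rulebase in ("pre-rulebase", "post-rulebase"):
            names["security-rule"].update(
                e.get("name") for e in dg.iterfind(f"./{rulebase}/security/rules/entry"))
    return names


def find_duplicates(fw_xml, pano_xml):
    """Return {category: [names]} for names that exist on both the firewall and Panorama.

    Every name listed here must be deleted or renamed on one side before the
    device group push; otherwise the commit on the firewall fails."""
    fw = firewall_names(ET.fromstring(fw_xml))
    pano = panorama_names(ET.fromstring(pano_xml))
    return {cat: sorted(fw[cat] & pano[cat]) for cat in fw if fw[cat] & pano[cat]}


if __name__ == "__main__":
    for category, names in find_duplicates(FIREWALL_XML, PANORAMA_XML).items():
        print(f"{category}: {', '.join(names)}")
```

The check is deliberately conservative: it compares against Shared and every device group on Panorama, while only Shared, the firewall's own device group and that group's ancestors are actually pushed to a given firewall. Template settings are not covered because, as the step notes, a same-named template setting does not fail the commit but silently overrides the local value.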
Step 3  Export the entire firewall configuration to your local computer.

1. On the firewall, select Device > Setup > Operations.
2. Click Save named configuration snapshot, enter a Name to identify the configuration, and click OK.
3. Click Export named configuration snapshot, select the Name of the configuration you just saved, and click OK. The firewall exports the configuration as an XML file.

Step 4  Import the firewall configuration snapshot into Panorama.

1. On Panorama, select Panorama > Setup > Operations.
2. Click Import named Panorama configuration snapshot, Browse to the firewall configuration file you exported to your computer, and click OK.
   After using this option to import a firewall configuration file, you can't use the Panorama web interface to load it. You must use the XML API or CLI, as described in the next step.
Step 5  Load the desired part of the firewall configuration into Panorama.

To specify a part of the configuration (for example, all application objects), you must identify the:
• Source xpath—The XML node in the firewall configuration file from which you are loading.
• Destination xpath—The node in the Panorama configuration to which you are loading.

Use the XML API or CLI to identify and load the partial configuration:

1. Use the firewall XML API or CLI to identify the source xpath. For example, the xpath for application objects in vsys1 of the firewall is:
   /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/application
2. Use the Panorama XML API or CLI to identify the destination xpath. For example, to load application objects into a device group named US-West, the xpath is:
   /config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='US-West']/application
3. Use the Panorama CLI to load the configuration and commit the change:
   # load config partial from <filename> from-xpath <source-xpath> to-xpath <destination-xpath> mode [append|merge|replace]
   For example, enter the following to load the application objects from vsys1 on an imported firewall configuration named fw1-config.xml into a device group named US-West on Panorama:
   # load config partial from fw1-config.xml from-xpath devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/application to-xpath /config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='US-West']/application mode merge
   # commit
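Because the load runs against Panorama's candidate configuration, it helps to see what each mode does to the destination node before choosing one. The following Python script is an added example (not the Panorama CLI and not a Palo Alto Networks tool) that emulates the load on two constructed XML excerpts using the source and destination xpaths from this step. The mode semantics are this example's assumption, not a quotation of the CLI reference: replace discards the existing children of the destination, append adds every source child without checking names, and merge overwrites a same-named entry and adds the rest. The xpath parser accepts the path with or without the /config prefix, since both forms appear in this step, and creates missing destination nodes such as a new device group.

```python
import copy
import re
import xml.etree.ElementTree as ET

# One xpath step: a tag, optionally qualified by [@name='...'].
_STEP = re.compile(r"^([\w.-]+)(?:\[@name='([^']*)'\])?$")


def _steps(xpath):
    """Split an xpath into (tag, name) pairs; the /config root and a leading '/' are optional."""
    xpath = xpath.strip("/")
    if xpath.startswith("config/"):
        xpath = xpath[len("config/"):]
    steps = []
    for part in xpath.split("/"):
        match = _STEP.match(part)
        if not match:
            raise ValueError(f"unsupported xpath step: {part!r}")
        steps.append((match.group(1), match.group(2)))
    return steps


def _resolve(root, xpath, create=False):
    """Walk the xpath below the <config> root; optionally create missing nodes on the way."""
    node = root
    for tag, name in _steps(xpath):
        found = next((c for c in node.findall(tag) if name is None or c.get("name") == name), None)
        if found is None:
            if not create:
                return None
            found = ET.SubElement(node, tag)
            if name is not None:
                found.set("name", name)
        node = found
    return node


def load_config_partial(src_root, dst_root, from_xpath, to_xpath, mode):
    """Copy the children of the source node into the destination node (assumed mode semantics).

    replace: drop the existing children first; append: add every source child even if the
    name already exists; merge: overwrite a same-named entry and add the rest."""
    src = _resolve(src_root, from_xpath)
    if src is None:
        raise LookupError(f"source xpath not found: {from_xpath}")
    dst = _resolve(dst_root, to_xpath, create=True)
    if mode == "replace":
        for child in list(dst):
            dst.remove(child)
        dst.extend([copy.deepcopy(child) for child in src])
    elif mode == "append":
        dst.extend([copy.deepcopy(child) for child in src])
    elif mode == "merge":
        existing = {child.get("name"): child for child in dst if child.get("name")}
        for child in src:
            name = child.get("name")
            if name in existing:
                dst.remove(existing[name])
            dst.append(copy.deepcopy(child))
    else:
        raise ValueError(f"unknown mode: {mode}")
    return dst


# Constructed excerpts: the first stands in for fw1-config.xml, the second for Panorama's candidate config.
FIREWALL_XML = """<config><devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
  <application>
    <entry name="custom-app-1"><description>from firewall</description></entry>
    <entry name="custom-app-2"><description>from firewall</description></entry>
  </application>
</entry></vsys></entry></devices></config>"""

PANORAMA_XML = """<config><devices><entry name="localhost.localdomain"><device-group><entry name="US-West">
  <application>
    <entry name="custom-app-2"><description>old Panorama copy</description></entry>
    <entry name="dg-only-app"><description>Panorama only</description></entry>
  </application>
</entry></device-group></entry></devices></config>"""

# The two xpaths from this step; the source one is written without /config, as in the CLI example.
FROM_XPATH = "devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/application"
TO_XPATH = "/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='US-West']/application"


def run_example(mode, device_group="US-West"):
    """Load the firewall's application objects into a device group and list the result in order."""
    dst = load_config_partial(ET.fromstring(FIREWALL_XML), ET.fromstring(PANORAMA_XML),
                              FROM_XPATH, TO_XPATH.replace("US-West", device_group), mode)
    return [(e.get("name"), e.findtext("description")) for e in dst]


def duplicate_names(entries):
    """Names that occur more than once at the destination: the condition that breaks a later commit."""
    seen, dups = set(), []
    for name, _ in entries:
        if name in seen and name not in dups:
            dups.append(name)
        seen.add(name)
    return dups


if __name__ == "__main__":
    for mode in ("merge", "append", "replace"):
        result = run_example(mode)
        print(mode, result, "duplicates:", duplicate_names(result))
```

Running it shows why merge is the mode used in the step's example: append leaves two custom-app-2 entries under US-West, which duplicate_names reports and which a Panorama commit would reject, while merge keeps the firewall's copy and replace throws away dg-only-app. Confirm the real mode behaviour against the Panorama CLI reference before loading a large subtree.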
Step 6  Push the partial configuration from Panorama to the firewall to complete the transition to centralized management.

1. On the firewall, delete any rules or objects that have the same names as those in Panorama. If the device group for that firewall has other firewalls with rules or objects that are duplicated in Panorama, perform this step on those firewalls also. For details, see Step 2.
2. On Panorama, click Commit, for the Commit Type select Panorama, and click Commit again.
3. On Panorama, click Commit and for the Commit Type select Device Group.
4. Select the Merge with Device Candidate Config, Include Device and Network Templates and Force Template Values check boxes.
5. Select the device groups that contain the imported firewall configurations and click Commit.
6. If the firewall has a device or network setting that you won't use Panorama to manage, Override a Template Setting on the firewall.

Step 7  Perform your post-migration test plan.

Perform the verification tasks that you devised during the migration planning to confirm that the firewall works as efficiently with the Panorama-pushed configuration as it did with its original local configuration: see Create a post-migration test plan.
Use Case: Configure Firewalls Using Panorama

Let's say that you want to use Panorama in a high availability configuration to manage a dozen firewalls on your network: you have six firewalls deployed across six branch offices, a pair of firewalls in a high availability configuration at each of two data centers, and a firewall in each of the two regional head offices.

The first step in creating your central management strategy is to determine how to group the firewalls into device groups and templates to efficiently push configurations from Panorama. You can base the grouping on the business functions, geographic locations, or administrative domains of the firewalls. In this example, you create two device groups and three templates to administer the devices using Panorama:

Figure: Device Groups and Templates

Set Up Your Centralized Configuration and Policies

Device Groups

In this example, we decide to define two device groups based on the functions the firewalls will perform:
• DG_BranchAndRegional for grouping devices that serve as the security gateways at the branch offices and at the regional head offices. We placed the branch office firewalls and the regional office firewalls in the same device group because devices with similar functions will require similar policy rulebases.
• DG_DataCenter for grouping the devices that secure the servers at the data centers.

We can then administer shared policy rules across both device groups as well as administer distinct device group rules for the regional office and branch office groups. Then for added flexibility, the local administrator at a regional or branch office can create local rules that match specific source, destination, and service flows for accessing applications and services that are required for that office. In this example, we create the following hierarchy for security rules. You can use a similar approach for any of the other rulebases.