2025-01-22 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/01 Report--
For enterprises that run multiple Palo Alto firewalls and need unified management, Panorama is a good choice: it provides centralized, unified management of the firewalls. The simple demo below shows how to migrate an existing Palo Alto HA (high-availability) firewall pair to Panorama.
Environment:
Panorama: 192.168.55.5
PA-PRIMARY: 192.168.55.10
PA-SECONDARY: 192.168.55.11
In this demo the HA mode is Active/Standby, as shown in the following figure:
Step 1: Disable configuration synchronization (Config Sync) on both HA firewalls
On the primary firewall (PA-PRIMARY), switch to the "Device" tab and select "High Availability" in the menu on the left. "Enable Config Sync" is checked by default, as shown in the following figure:
In the Setup section, click the gear icon in the upper right corner and, in the dialog box that opens, clear the check mark in front of "Enable Config Sync", as shown in the following figure:
Next, commit the change you just made to save the configuration:
Do the same on the second, backup firewall (PA-SECONDARY):
Step 2: Specify the Panorama management address on both firewalls
On the primary firewall (PA-PRIMARY), switch to the "Device" tab, select "Setup" in the left menu, click the "Management" tab, and then click the gear button in the upper right corner of "Panorama Settings":
In the "Panorama Settings" dialog box that opens, enter the management address of the Panorama. Note the "Disable Panorama Policy and Objects" and "Disable Device and Template" buttons: leaving these settings enabled (not disabled) means the firewall accepts them from Panorama:
Commit the changes and save the configuration:
Do the same on the backup firewall and commit:
Step 3: Add the two firewalls to Panorama as managed devices
Copy the serial numbers (SN) of the two firewalls so that they can be added on the Panorama:
On the Panorama device, switch to the "Panorama" tab and paste the firewall serial number you just copied, following the order shown below:
Do the same to add the second, backup firewall:
Commit and save the changes you just made:
If everything was done correctly, you will see the following status after committing the changes and saving the configuration. Note that "Group HA Peers" at the bottom must be checked before "HA Status" is displayed.
Step 4: Import the configuration of the two HA firewalls into Panorama
On the Panorama device, click in the order of the numbers shown below:
Select the device you want to import and change the device and template names as needed. Remember to keep the other options checked, as they are by default.
Import the other firewall's configuration in the same way. Note that the template and device names do not need to match those used when importing the first firewall; the reason is explained below.
After the configuration of both firewalls has been imported successfully, the template information is visible under "Template":
Since we do not need two templates and two device groups here, delete the second template:
Then open the first template, check the second firewall, and click "OK" to move the second firewall into the same template:
Do the same under "Device Group":
Commit the changes and save the configuration:
Step 5: Export (push) the configuration to the firewall devices
Before doing this, "Managed Devices" shows both "Shared Policy" and "Template" in the "Out of sync" state:
Click in the order of the numbers shown in the picture below:
In the dialog box that opens, we choose to apply the configuration to the second, standby firewall (PA-SECONDARY) to avoid affecting the primary firewall in the production environment:
Click "OK".
Next, click "Push & Commit" in the dialog box that opens to push the configuration to the standby firewall:
Select "Push to Devices" in the box below "Commit".
Then, in the dialog box that opens, select the first row, the "PA-PRIMARY" entry whose Location Type is "Device Group", and click "Edit Selections":
In the last dialog box, clear the check mark in front of "PA-PRIMARY", then click "OK" so that the configuration is pushed only to the standby firewall:
Likewise, select the row whose Location Type is "Template" and make sure that only the second, backup firewall "PA-SECONDARY" is checked:
If you did this correctly, the status of "Shared Policy" and "Template" changes:
Go back to the active firewall PA-PRIMARY and temporarily suspend it ("Suspend") so that the standby firewall takes over as the primary firewall:
Switch to the "Dashboard" tab to confirm that the primary firewall has been suspended and the backup firewall has become Active:
Click in the order of the numbers shown below:
Then click in the order of the numbers shown below to push the configuration to the suspended firewall (PA-PRIMARY):
After the synchronization succeeds, you will see the status shown in the following image:
Click in the order of the numbers shown below to return the suspended firewall to the running state:
At this point the firewall is running again, but it is in the "Standby" state:
If you want PA-PRIMARY to be Active again, suspend PA-SECONDARY, wait for PA-PRIMARY to become Active, and then restore PA-SECONDARY so that the roles swap back.
At this point, the two HA firewalls have been successfully added to Panorama. The process is tedious, but taken step by step, I believe everyone can learn it!
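The ordering rule behind Steps 1 and 5 (Config Sync off, and a push only to the firewall that is not carrying traffic while its peer is Active) can be checked before each push. The sketch below is an added example, not part of the original article or any Palo Alto Networks code. The XML element names and the state values `active`, `passive` (the article's "Standby") and `suspended` are assumptions modelled on the firewall's HA state output, and the sample replies are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample reply. Element names are assumptions modelled on the
# firewall's HA state XML; verify them against your PAN-OS version.
def sample(local, peer, sync):
    return ('<response status="success"><result><enabled>yes</enabled><group>'
            f'<local-info><state>{local}</state></local-info>'
            f'<peer-info><state>{peer}</state></peer-info>'
            f'<running-sync-enabled>{sync}</running-sync-enabled>'
            '</group></result></response>')

def _text(node, path):
    # Missing elements are treated as "unknown" so they always block a push.
    return (node.findtext(path) or "unknown").strip().lower()

def push_blockers(xml_text):
    """Return the reasons a Panorama push to this firewall should wait."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        return ["HA state query failed"]
    group = root.find("./result/group")
    if group is None:
        return ["HA is not configured on this firewall"]
    local = _text(group, "local-info/state")
    peer = _text(group, "peer-info/state")
    sync = _text(group, "running-sync-enabled")
    blockers = []
    if sync != "no":
        blockers.append("Config Sync is still enabled (Step 1)")
    if local not in ("passive", "suspended"):
        blockers.append(f"this firewall is '{local}', not passive or suspended")
    if peer != "active":
        blockers.append(f"peer is '{peer}', expected 'active'")
    return blockers

if __name__ == "__main__":
    # PA-SECONDARY before the first push, then PA-PRIMARY before suspension.
    for name, reply in [("PA-SECONDARY", sample("passive", "active", "no")),
                        ("PA-PRIMARY", sample("active", "passive", "no"))]:
        reasons = push_blockers(reply)
        print(name, "OK to push" if not reasons else "WAIT: " + "; ".join(reasons))
```

An empty list means the target matches the state the procedure expects at that point; any entry is a reason to stop before selecting the device in "Push to Devices".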