Migrate PaloAlto ha high availability firewall to panorama

For multiple PaloAlto Firewalls need unified management for enterprises ,Panorama It's a good choice , utilize Panorama It can achieve the purpose of centralization and unified management . Here is a brief introduction demo How to deal with the existing PaloAlto HA The highly available firewall is migrated to Panorama On .

Introduction to the environment ：

• Panorama:192.168.55.5
• PA-PRIMARY:192.168.55.10
• PA-SECONDARY:192.168.55.11

here demo Of HA The pattern is Active/Standby Pattern , As shown in the figure below ：

Step1（ First step ）： It's on two HA Disable configuration synchronization on the firewall of Disable Config Sync

In the main firewall （PA-PRIMARY） Switch to “Device（ equipment ）” tab , Then select... In the menu bar on the left “High Availability（ High availability ）”, By default “Enable Config Sync（ Enable configuration synchronization ）” It's checked . As shown in the figure below ：

stay “Setup（ Set up ）” Interface , Click the gear icon in the upper right corner , Cancel in the pop-up dialog “Enable Config Sync（ Enable configuration synchronization ）” Ahead √, As shown in the figure below ：

next , Commit the changes you just made to save the configuration ：

In the second standby firewall (PA-SECONDARY) Do the same thing on the computer ：

Step2( The second step )： Specify Panorama Management address of ：

In the main firewall （PA-PRIMARY） Switch to “Device（ equipment ）” tab , Select... From the menu on the left “Setup（ Set up ）” And then click “Management（ management ）” tab , Finally, click “Panorama Settings（Panorama Set up ）” The gear setting button in the upper right corner ：

In the pop-up “Panorama Settings（Panorama Set up ）” In the dialog box , Input Panorama Management address of . Here's what's interesting “Disable Panorama Policy and Objects” and “Disable Device and Template” Two option buttons ,disable Indicates that it is enabled , That means acceptance comes from Panorama These settings of ：

Submit changes , Save configuration ：

Do the same on the standby firewall and submit ：

Step3（ The third step ）： stay Panorama Add two managed firewall devices on

Copy the of two firewalls respectively SN Number , In order to be in Panorama Add ：

stay Panorama On the device , Switch to “Panorama” tab , Operate in the following order and paste the firewall just copied above SN Number ：

Add a second standby firewall with the same operation ：

Submit and save the operation just now ：

If the operation is correct , After submitting the changes and saving the configuration, you can see the following status ： Pay attention to the bottom “Group HA Peers” Is checked , To display “HA Status”

Step4:（ Step four ）： From the two HA Import the configuration on the high availability firewall to Panorama

stay Panorama Click the left mouse button on the device according to the following numerical number ：

Select the device to import the configuration , And change the name of the device and template as needed ： It's worth noting that , Remember to keep other options checked by default .

The same operation imports another firewall configuration ： It should be noted here that the template and device name do not need to be consistent with the one imported into the first firewall device , This will be explained below ！

After successfully importing the configuration of two firewalls , stay “Template（ Templates ）” Next , You can see the template related information ：

We don't need two templates here （Template） And two device groups （Device Group） So let's delete the second template ：

Then go to the first Template（ Templates ）, Check the second firewall , And then click “Ok” In order to move the second firewall to the same Template（ Templates ）：

In the same way “Device Group（ Equipment group ）” Do the same under ：

Submit changes , Save configuration ：

Step5（ Step five ）： Export configuration applied to firewall devices

Do it here , We are “Managed Devices（ Managed devices ）” notice “Share Policy（ Sharing strategy ）” and “Template（ Templates ）” It's all in “Out of sync（ asynchronous ）” state ：

Click the left mouse button according to the sequence number of the following pictures ：

In the pop-up dialog , We choose to apply the configuration to the second standby firewall （PA-SECONDARY）, The purpose of this is to prevent the main firewall in the production environment from being affected ：

single click “Ok”

next , In the pop-up dialog box, click “Push & Commit（ Push and submit ）” In order to push the configuration file to the standby firewall device ：

stay “Commit（ Submit ）” Select “Push to Devices”

Then select the first line in the pop-up dialog ,Localtion Type by “Device Group（ Equipment group ）” Of “PA-PRIMARY”, And then choose “Edit Selecions（ The editor chooses ）”：

Finally, the dialog box pops up , Cancel “PA-PRIMARY” Ahead √, Finally, click “Ok” To confirm that only the configuration is pushed to the standby firewall ：

Same choice Localtion Type by “Template（ Templates ）” Firewall device under , Confirm that only “PA-SECONDARY” The second standby firewall device ：

If the operation is correct , You will see “Share Policy（ Sharing strategy ）” and “Template（ Templates ）” The status of sent changes ：

Back to the active firewall PA-PRIMARY, For now “Suspend（ Hang up ）” operation , In order to switch the standby firewall to the main firewall ：

Switch to “Dashboad” tab , To ensure that the main firewall is suspended , Standby shipment has become Active（ Activities ） state ：

Click the left mouse button according to the numerical number below ：

Then click the left mouse button according to the number below , In order to push the configuration to the firewall in the suspended state （PA-PRIMARY）

After the synchronization is successful, you will see the status of the following pictures ：

Click the left mouse button in the following numerical order , In order to restore the suspended firewall to the running state ：

At this point, you can see that the firewall has been restored to the running state , But in “Standby（ Standby state ）”：

If you want to recover PA-PRIMARY Firewall to Active（ Activities ） You can put PA-SECONDARY Hang up , etc. PA-PRIMARY become Active And then recover PA-SECONDARY You can change roles ！

Okay , Let's put HA Two firewalls of successfully joined Panorama, Although the process is cumbersome , But as long as you follow the steps , I believe everyone can learn ！