Configure the new firewall to connect to Panorama
On the firewall's web interface, navigate to: Device > Setup > Management > Panorama Settings
Enter the MGT IP of the primary Panorama appliance (and its HA peer)
Options on this page can be set to allow or disallow Panorama to manage policy and objects, and network templates
Add the FW's serial number to Panorama
On the Panorama interface, navigate to: Panorama > Managed Devices > Summary > Add
Add the Device(s) Serial Numbers, and OK
On the Summary page after adding, the 'Group HA Peers' button can be selected to group HA firewalls. If this is unchecked, each firewall is individually displayed.
Device Tagging can be used to help identify specific firewalls in large deployments. Navigate under: Panorama > Managed Devices > Summary > Tag
Communication between devices can be secured. Navigate to: Panorama > Setup > Management > Secure Communications Settings
Communication will be handled by either a predefined or local certificate
Commit All Changes
Changes must be committed on both the local firewalls, and on the Panorama device
Panorama can manage all licenses on managed devices. This can be viewed under: Panorama > Device Deployment > Licenses
License status and expiration dates can be seen
New licenses can be added with the 'activate' option, and an activation code
A license can be deactivated on one device and activated on another (restricted for some license types)
Prior to migrating a firewall, the following must be done:
Determine the OS version both on the firewall and on Panorama
Panorama must be running the same or a later version of PAN-OS than the firewall
Plan out the device group hierarchy and template deployment
Reduce redundancy
Streamline management of shared settings
Identify any configuration that needs to be managed locally
Normalize zone names
High Level sequence to add firewalls to Panorama:
Add a new device
Import the configuration
Fine-tune the configurations
Push the device state (config bundle)
Commit the device groups and templates.
Note: This process replaces some or all of the firewall's configuration with the config managed by Panorama
In an HA Pair, further considerations are needed:
Disable the Config Sync under Device > High Availability > General > Setup
Add each firewall into Panorama
After the import and configuration within Panorama, add both firewalls to the same device group and template stack
Steps to add:
Join the firewall to Panorama as a managed device
Do not add the FW to any device groups or templates yet
Import the device configuration to Panorama - this is done under Panorama > Setup > Operations > Configuration Management
The import does not change the firewall's configuration; it copies the configuration into Panorama
Update the device group and template configurations as needed or desired for standardization
Local configuration is removed
Zone names are updated (if needed)
Configuration data may be moved to different device groups or templates
Shared object names changed where conflicts exist
Push the configuration to the firewall; this will remove all policy rules and objects from local configuration
Export or push device config bundle
Note: the firewall cannot be added to a device group or template before the export/push of the device config bundle, as Panorama would error with duplicate object names
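The prerequisite checks above (Panorama at the same or later PAN-OS than the firewall, normalized zone names) and the object-name conflicts that block adding a firewall to a device group can be audited before the import. The script below is an added example, not Palo Alto Networks code: the firewall inventory is constructed sample data, and the assumption is that an operator has exported each firewall's PAN-OS version, zone list and address objects into this structure.

```python
"""Pre-migration audit for firewalls being onboarded into Panorama.

Added example (not Palo Alto Networks code). The inventory at the bottom is
constructed sample data; the version/zones/address_objects fields are an
assumed export format, not a PAN-OS API result.
"""
import re
from collections import defaultdict

# PAN-OS version strings look like "10.1.6" or "10.1.6-h3" (hotfix suffix).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(text):
    """Return a comparable tuple (major, minor, maint, hotfix); hotfix defaults to 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def panorama_can_manage(panorama_version, firewall_version):
    """Panorama must run the same or a later PAN-OS release than the firewall."""
    return parse_panos_version(panorama_version) >= parse_panos_version(firewall_version)


def normalize_zone(name):
    """Canonical zone name: lower-case, with spaces/underscores collapsed to '-'."""
    return re.sub(r"[\s_]+", "-", name.strip().lower())


def find_zone_variants(firewalls):
    """Return {canonical: set(raw spellings)} for zones that differ only by spelling."""
    spellings = defaultdict(set)
    for fw in firewalls:
        for zone in fw["zones"]:
            spellings[normalize_zone(zone)].add(zone)
    return {k: v for k, v in spellings.items() if len(v) > 1}


def find_object_conflicts(firewalls):
    """Return {object_name: {firewall: value}} where one name carries different values.

    Such objects cannot be moved into a shared or device-group scope unchanged;
    rename them (or keep one local) before the firewall joins a device group.
    """
    values = defaultdict(dict)
    for fw in firewalls:
        for name, value in fw["address_objects"].items():
            values[name][fw["name"]] = value
    return {name: by_fw for name, by_fw in values.items() if len(set(by_fw.values())) > 1}


def audit(panorama_version, firewalls):
    """Collect every finding an operator must resolve before the push."""
    findings = []
    for fw in firewalls:
        if not panorama_can_manage(panorama_version, fw["version"]):
            findings.append(f"{fw['name']}: PAN-OS {fw['version']} is newer than Panorama {panorama_version}")
    for canonical, raw in sorted(find_zone_variants(firewalls).items()):
        findings.append(f"zone '{canonical}' spelled inconsistently: {sorted(raw)}")
    for name, by_fw in sorted(find_object_conflicts(firewalls).items()):
        findings.append(f"object '{name}' has conflicting values: {by_fw}")
    return findings


# Constructed sample inventory (hypothetical devices, not real ones).
SAMPLE_FIREWALLS = [
    {"name": "fw-branch-1", "version": "10.1.6-h3",
     "zones": ["Trust", "Untrust", "DMZ"],
     "address_objects": {"dns-server": "10.0.0.53/32", "web-srv": "10.1.1.10/32"}},
    {"name": "fw-branch-2", "version": "10.2.3",
     "zones": ["trust", "untrust", "dmz"],
     "address_objects": {"dns-server": "10.0.0.53/32", "web-srv": "10.2.1.10/32"}},
]

if __name__ == "__main__":
    for line in audit("10.1.8", SAMPLE_FIREWALLS):
        print("-", line)
```

With the sample data, the audit reports that fw-branch-2 runs a later PAN-OS than the Panorama appliance, that the three zones are spelled inconsistently across the two firewalls, and that `web-srv` resolves to different addresses and so needs renaming before either firewall is placed in a shared device group; `dns-server` has the same value on both and can safely become a shared object.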
Panorama can manage software upgrades from a central location
To see the options available, navigate to: Panorama > Device Deployment > Software
In this section, the software can be downloaded to Panorama, and then can be pushed to firewalls
The options include:
Upload Only (do not install)
Install, and reboot after install
The Application and Content-ID updates can also be centrally managed and distributed with Panorama
The options and configuration are available under: Panorama > Device Deployment > Dynamic Updates
A manual update/push can be done
A scheduled download/push can be done
Updates can only be done one at a time; stagger the updates to ensure that they will complete
GlobalProtect can be centrally managed and updated in Panorama
The options and configuration are available under: Panorama > Device Deployment > GlobalProtect Client
Select the version to download to Panorama
Once downloaded, this version can be activated, and then specific firewalls can be selected to push the update to
Under Panorama > Setup > Operations, the export options for the configuration of Panorama are listed
Export Named Panorama configuration snapshot exports the current running config, the candidate config, or a previously imported config
Export Panorama configuration version exports a version that is specified
Export Panorama and Devices config bundle exports Panorama and all firewall configurations
Export or Push device config bundle (see the transition section above in this chapter for details)
A scheduled export can be configured for automatic backups
Navigate under Panorama > Scheduled Config Export
Export can be scheduled once per day
FTP and SCP options are supported
FTP passive mode can be enabled with the checkbox if active mode has issues
If using anonymous for username, do not specify a password.
When a commit is done on a local firewall, a backup is sent to Panorama automatically
By default, Panorama stores up to 100 previous configurations.
These can be viewed under: Panorama > Managed Devices > Summary