| Both sides previous revisionPrevious revisionNext revision | Previous revision |
| paloaltonetworks:configuration:multi_vsys [2021/06/08 21:08] – bstafford | paloaltonetworks:configuration:multi_vsys [2022/11/23 12:49] (current) – external edit 127.0.0.1 |
|---|
| ===== Collapsing Multi-Vsys ===== | ===== Collapsing Multi-Vsys ===== |
| Collapsing multivsys firewalls controlled by Panorama into single vsys firewalls. In this case, the two VSYS were external and internal were effectively a perimeter firewall and a core firewall. | Collapsing multivsys firewalls controlled by Panorama into single vsys firewalls. In this case, the two VSYS were external and internal were effectively a perimeter firewall and a core firewall. |
| | |
| * Perform pre-cutover config checks. | |
| |
| * Backup the configuration of each firewall and Panorama. Also take device state exports of each firewall. | - Perform pre-cutover config checks. |
| * Get an operational baseline - what VPN tunnels are up/down, how many sessions are running, how many GP users are connected to each gateway,etc. | - Backup the configuration of each firewall and Panorama. Also take device state exports of each firewall. |
| * If migration of configuration has happened in lab, make sure the migrated configuration file you are about to import has the correct interface and HA IP addresses set as well as management interface certificates, etc. | - Get an operational baseline - what VPN tunnels are up/down, how many sessions are running, how many GP users are connected to each gateway,etc. |
| | - If migration of configuration has happened in lab, make sure the migrated configuration file you are about to import has the correct interface and HA IP addresses set as well as management interface certificates, etc. |
| * Perform a failover to the passive node, disable HA config sync and disable pre-emption. Commit this change to both firewalls. | - Perform a failover to the passive node, disable HA config sync and disable pre-emption. Commit this change to both firewalls. |
| * On the primary device (now passive) - We should revert all config to local config (i.e. detach from Panorama) and upload and load the new configuration file that has merged the two VSYS and commit. At this point HA should still be 'working' but the two firewalls will have vastly different configs. | - On the primary device (now passive) - We should revert all config to local config (i.e. detach from Panorama) and upload and load the new configuration file that has merged the two VSYS and commit. At this point HA should still be 'working' but the two firewalls will have vastly different configs. |
| * We can now failover to primary (with the new config). | - We can now failover to primary (with the new config). |
| * Test to make sure that the merged VSYS configuration is correct. If not, failback to the secondary while you troubleshoot futher/rollback. | - Test to make sure that the merged VSYS configuration is correct. If not, failback to the secondary while you troubleshoot futher/rollback. |
| On the secondary device (now passive) - We should revert all config to local config (i.e. detach from Panorama) and enable HA config sync. | - On the secondary device (now passive) - We should revert all config to local config (i.e. detach from Panorama) and enable HA config sync. |
| * On the primary devices (now active) - enable HA config sync. This means the secondary device should get config from the primary device. If not, push from the primary device. | - On the primary devices (now active) - enable HA config sync. This means the secondary device should get config from the primary device. If not, push from the primary device. |
| * You may want to disable multi-vsys on the firewalls before importing to Panorama. | - You may want to disable multi-vsys on the firewalls before importing to Panorama. |
| * On Panorama, remove the firewalls from the existing DG's and templates. | - On Panorama, remove the firewalls from the existing DG's and templates. |
| * Import the fireawlls into Panorama. Clean up configs to replace the local configs with Panorama shared or Global Template configs. - For GT config - we should just move this template to the top of the new stack during the push step on the migrating from local to Panorama step. | - Import the fireawlls into Panorama. Clean up configs to replace the local configs with Panorama shared or Global Template configs. - For GT config - we should just move this template to the top of the new stack during the push step on the migrating from local to Panorama step. |
| |
