paloaltonetworks:configuration:multi_vsys (revision 2021/06/08 21:08 by bstafford; current revision 2022/11/23 12:49, external edit 127.0.0.1)

Collapsing multi-vsys firewalls controlled by Panorama into single-vsys firewalls. In this case, the two VSYS, external and internal, were effectively a perimeter firewall and a core firewall.

1. Perform pre-cutover config checks.
2. Back up the configuration of each firewall and Panorama. Also take device state exports of each firewall.
3. Get an operational baseline: which VPN tunnels are up/down, how many sessions are running, how many GP users are connected to each gateway, etc.
4. If migration of the configuration has happened in the lab, make sure the migrated configuration file you are about to import has the correct interface and HA IP addresses set, as well as management interface certificates, etc.
5. Perform a failover to the passive node, disable HA config sync and disable pre-emption. Commit this change to both firewalls.
6. On the primary device (now passive): revert all config to local config (i.e. detach from Panorama), upload and load the new configuration file that has merged the two VSYS, and commit. At this point HA should still be 'working', but the two firewalls will have vastly different configs.
7. We can now fail over to the primary (with the new config).
8. Test to make sure that the merged VSYS configuration is correct. If not, fail back to the secondary while you troubleshoot further or roll back.
9. On the secondary device (now passive): revert all config to local config (i.e. detach from Panorama) and enable HA config sync.
10. On the primary device (now active): enable HA config sync. This means the secondary device should get its config from the primary device. If not, push from the primary device.
11. You may want to disable multi-vsys on the firewalls before importing to Panorama.
12. On Panorama, remove the firewalls from the existing DGs and templates.
13. Import the firewalls into Panorama. Clean up configs to replace the local configs with Panorama shared or Global Template configs.
    - For Global Template (GT) config, just move this template to the top of the new stack during the push step when migrating from local to Panorama.
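The check in step 4 (confirming that the configuration file about to be loaded carries the production interface and HA addresses rather than lab leftovers, and that it really is single-vsys) can be scripted against the exported XML before anything touches the active pair. The following is an added example, not code from the original page: the element paths follow the PAN-OS configuration XML layout as assumed here (`deviceconfig/system`, `deviceconfig/high-availability`, `network/interface/ethernet`, `vsys`), the sample config and expected production values are constructed, and the management certificate check from the page is not covered.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a merged single-vsys configuration export (all values made up).
# Element paths follow the PAN-OS config XML layout as assumed here, not taken from the page.
SAMPLE_CONFIG = """<config version="10.1.0">
 <devices><entry name="localhost.localdomain">
  <deviceconfig><system><ip-address>192.0.2.10</ip-address></system>
   <high-availability><interface><ha1><ip-address>198.51.100.1</ip-address></ha1></interface>
    <group><peer-ip>198.51.100.99</peer-ip></group></high-availability></deviceconfig>
  <network><interface><ethernet>
   <entry name="ethernet1/1"><layer3><ip><entry name="203.0.113.1/24"/></ip></layer3></entry>
   <entry name="ethernet1/2"><layer3><ip><entry name="10.1.1.1/24"/></ip></layer3></entry>
  </ethernet></interface></network>
  <vsys><entry name="vsys1"/></vsys>
 </entry></devices>
</config>"""

# Expected production values (constructed); peer-ip deliberately differs from the sample (lab leftover).
EXPECTED_PROD = {"mgmt_ip": "192.0.2.10", "ha1_ip": "198.51.100.1", "ha_peer_ip": "198.51.100.2",
                 "interfaces": {"ethernet1/1": ["203.0.113.1/24"], "ethernet1/2": ["10.1.1.1/24"]}}

def summarize(xml_text):
    """Pull the cutover-relevant facts out of a PAN-OS config XML string."""
    dev = ET.fromstring(xml_text).find("./devices/entry[@name='localhost.localdomain']")
    ha = "deviceconfig/high-availability/"
    return {
        "vsys": [v.get("name") for v in dev.findall("vsys/entry")],
        "mgmt_ip": dev.findtext("deviceconfig/system/ip-address"),
        "ha1_ip": dev.findtext(ha + "interface/ha1/ip-address"),
        "ha_peer_ip": dev.findtext(ha + "group/peer-ip"),
        "interfaces": {e.get("name"): [ip.get("name") for ip in e.findall("layer3/ip/entry")]
                       for e in dev.findall("network/interface/ethernet/entry")},
    }

def precheck(xml_text, expected):
    """Return a list of findings; an empty list means the file is safe to load."""
    s = summarize(xml_text)
    findings = []
    if len(s["vsys"]) != 1:  # the merged file must be single-vsys
        findings.append(f"vsys: expected exactly one, found {s['vsys']}")
    for key in ("mgmt_ip", "ha1_ip", "ha_peer_ip"):
        if s[key] != expected[key]:
            findings.append(f"{key}: config has {s[key]!r}, expected {expected[key]!r}")
    for name, ips in expected["interfaces"].items():
        if s["interfaces"].get(name) != ips:
            findings.append(f"{name}: config has {s['interfaces'].get(name)}, expected {ips}")
    return findings

if __name__ == "__main__":
    print("\n".join(precheck(SAMPLE_CONFIG, EXPECTED_PROD) or ["OK: ready to load"]))
```

Run against the sample, the script reports the stale HA peer address and nothing else; run against a real export, point `EXPECTED_PROD` at the values recorded during the backup in step 2.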