0 Replies Latest reply on Feb 28, 2018 10:19 AM by xtraspecialj

    Palo Alto Panorama Config Backups Advice

    xtraspecialj

      Hi all, I've seen a few posts on Thwack about Panoramas, but I haven't seen any good examples or solutions on how to properly manage them. Now that NCM can handle Binary Configs and Panorama performs binary .tgz backups on the firewalls, I think it'd be possible to properly back up full DR config bundles through NCM via the Panorama tool for all of our firewalls, but I still have a few questions on how to manage them all in NCM. I'm not necessarily looking for people that have all these answers, or any of them really. I would just like to get a discussion going around these, since I think there is a potential fix here for the Panorama problem that others have posted about here on Thwack, so a community brainstorm could be helpful for a lot of us. I've even included a few of my ideas below as well:

      - Since the Panorama will be the central point of management for all of the firewalls, how would you recommend ensuring that NCM properly associates the binary config backups with the proper firewall? In other words, with the Panorama handling all of the backups, how will NCM know which backup goes to which firewall?

      My initial thought on this would be to see if there is some way that a command could be sent to the firewalls that would have them connect to the Panorama and kick off the tgz backup for themselves. I don't know if that's possible, but that would at least allow the file to then be associated with the node.

      - What should the Device Template look like for the Panoramas? What about the firewalls themselves?

      - Since NCM can't currently read what's in the Binary tgz files that the Panoramas would generate, what traditional "running" config backup should we be doing in addition to the binary backups so that we can take advantage of NCM's config change, inventory, policy auditing, and firmware vulnerabilities features as well?

      Currently we are already doing a "show config running" on the firewalls; however, the config file this generates is really small. Is there a better "show" command that could be used to get a single file that would work well for NCM's Inventory and auditing features?