Configuration Sync

[miztertea]

My apologies if I missed something. But does this solution require Panorama? How are the configurations being synchronized between the Firewalls in different AZ's?

[jpeezus]

Transit VPC does NOT require Panorama but you can use a Panorama if you would like. As it stands the configurations are loaded via Bootstrapping but you can take the init-cfg.txt file and configure the Panorama information including device group and template information and once the the firewall bootstraps and connects to Panorama, the Panorama will send the DG and template config to the VM-Series.

Below is a link to an init-cfg.txt sample https://www.paloaltonetworks.com/documentation/71/virtualization/virtualization/bootstrap-the-vm-series-firewall/create-the-init-cfg-txt-file

[miztertea]

@jpeezus Thanks for the quick reply. This would be for the init correct? What if I update a rule in Firewall A? How does that rule get updated in Firewall B?

[jpeezus]

Yes that would be the init-cfg.txt file. In terms of changes on Firewall A to B that is where Panorama would make it easier because the firewalls will both be a member of the same Device Group. If you are using the Bootstrap only then you have to export the config every time you change and change the snapshot to bootstrap.xml and place it in the bootstrap/config folder

Bootstrap Configuration Files https://www.paloaltonetworks.com/documentation/71/virtualization/virtualization/bootstrap-the-vm-series-firewall/bootstrap-configuration-files#_67285

[Simbec]

Is anyone having issues with the configuration of the IPSec tunnels in the VM's after they joined to a Panorama?