How To Restore a Firewall Managed Partially by Panorama with only Local Config Backup Available

Objective

When replacing the faulty firewall with a new device, Loading the old device configuration and committing displays error.
The error message indicates part of the dependent configuration is missing.

Example:
Log-settings are configured locally on the firewall pointing to a Syslog server config, which is pushed from the panorama.
This commit fails when the local configuration is loaded and committed because the panorama config is missing.
In this case validation error is displayed below:

log-settings -> profiles -> LOG -> match-list -> LOG-url -> send-syslog 'SYS' is not a valid reference

log-settings -> profiles ->LOG -> match-list -> LOG-url -> send-syslog is invalid

Commit failed

Here the Syslog server profile is pushed from the panorama, while the log-settings profile LOG is configured locally.

Environment

This document applies only to the following scenario.

the device is partially managed by the firewall and partially by the panorama.
Part of the firewall config pointing to panorama config.
you are replacing one such firewall (probably due to device hardware failure), but have only the local config.
PAN-OS 8.0 and above.

Procedure

1. Replace the old serial number with the new serial number on the panorama.

> replace device old <old SN#> new <new SN#>

Go into configuration mode and commit the changes.

> configure

# commit

Now, panorama will show the new serial number instead of the old serial number in the managed devices.

2. configure the panorama IP address on the firewall and commit on the firewall.
User-added image

3. Import the backed up config on the firewall.

3. Load the backed up config on the firewall.

Do not commit.

4. Go to Panorama, push to devices, select the firewall in device-group, select the merge with Device Candidate Config option and Include Device and Network Templates.
And push it to the firewall.
User-added image

This time, Panorama pushes the panorama config and commits the panorama config along with local config on the firewall. This time the commit succeeds.

Additional Information

It is recommended to get device-state backup when the firewall is partially managed by panorama and the local config has dependencies on panorama config like mentioned above.