This article provides the steps for removing a firewall managed by Panorama while keeping both the local config and the Panorama-pushed config on the firewall, by merging the two during the process.
This article covers removing a standalone firewall from Panorama.
If an HA (High Availability) firewall pair must be removed from Panorama, "config sync" needs to be disabled and a commit completed before starting the removal process.
If not, due to HA config sync, one of the firewalls may end up with double policies (one from Panorama and a second from config sync of the peer). This may result in commit failure.
Panorama with Managed Firewalls
PAN-OS 9.1 and above.
Template and Device group associated with one firewall.
On the firewall:
1. Take a backup: Device > Setup > Operations, click Export Device State (this saves the local config as well as the Panorama Templates and Device Group config).
2. Device > Setup > Management, click the gear icon on Panorama Settings.
3. Click Disable Device and Network Template, check the box Import Device and Network Template before disabling, then click OK.
   Click Disable Panorama Policy and Objects, check the box Import Panorama Policy and Objects before disabling, then click OK.
   Verify that all the policies pushed from Panorama still show on the firewall before moving to step 4.
4. From Device > Setup > Management > Panorama Settings, delete the Panorama IP address.
5. Commit.
On Panorama:
1. Save a copy of the current config for backup: Panorama > Setup > Operations, click "Save named Panorama configuration snapshot" and name the config file (today's_date_running_config, before_fw_removal, etc.).
2. Panorama > Managed Devices > Summary: verify that the firewall's Device State shows Disconnected.
3. Use Global Search to search for the serial number of the firewall and see whether it is used in any policies as a "target". If yes, edit the policy and remove the firewall serial number from the "target" field. Repeat this for all policies that have this target. Example below.
4. If Device Log Forwarding is configured, remove the firewall from the collector group using the GUI: Panorama > Collector Group > (name) > Device Log Forwarding, and remove the firewall under the "Device" column.
5. Panorama > Templates: remove the device from the "template-stack", then remove the device from the "Template".
6. Panorama > Device Groups: delete the device from the "Device Group", which then removes it from Panorama > Managed Devices > Summary.
7. Panorama > Managed Devices > Summary: delete the firewall from the "Managed Device" device list.
8. Commit to Panorama.
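Two of the checks above (that every Panorama-pushed policy still shows on the firewall after the import, and that no Panorama policy still lists the firewall's serial number as a target) can be scripted against exported config XML. The script below is an added example, not part of this article: the device-group and firewall XML snippets and the serial number are constructed samples, and the XPaths follow the standard PAN-OS config layout for vsys1.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the rules Panorama pushed from its device group
# (pre- and post-rulebase); "0123456789012" is a made-up firewall serial.
PANORAMA_DG_XML = """<device-group name="branch-dg">
  <pre-rulebase><security><rules>
    <entry name="allow-dns">
      <target><devices><entry name="0123456789012"/></devices></target>
    </entry>
    <entry name="block-known-bad"/>
  </rules></security></pre-rulebase>
  <post-rulebase><security><rules>
    <entry name="deny-all"/>
  </rules></security></post-rulebase>
</device-group>"""

# Constructed sample of the firewall's running config after the import:
# the pushed rules now sit in the local vsys1 rulebase next to local rules.
FIREWALL_XML = """<config><devices><entry name="localhost.localdomain">
  <vsys><entry name="vsys1"><rulebase><security><rules>
    <entry name="allow-dns"/>
    <entry name="local-mgmt-access"/>
    <entry name="block-known-bad"/>
    <entry name="deny-all"/>
  </rules></security></rulebase></entry></vsys>
</entry></devices></config>"""

LOCAL_RULES_XPATH = ("./devices/entry[@name='localhost.localdomain']"
                     "/vsys/entry[@name='vsys1']/rulebase/security/rules/entry")

def _dg_rule_entries(dg_xml):
    """Security rule <entry> elements from the device group's pre- and post-rulebase."""
    root = ET.fromstring(dg_xml)
    return [e for base in ("pre-rulebase", "post-rulebase")
            for e in root.findall(f"./{base}/security/rules/entry")]

def pushed_rules(dg_xml):
    """Names of the rules Panorama pushed, in rulebase order."""
    return [e.get("name") for e in _dg_rule_entries(dg_xml)]

def local_rules(fw_xml):
    """Names of the rules now in the firewall's local vsys1 rulebase."""
    return {e.get("name") for e in ET.fromstring(fw_xml).findall(LOCAL_RULES_XPATH)}

def missing_after_import(dg_xml, fw_xml):
    """Pushed rules that did not survive the import; should be an empty list."""
    local = local_rules(fw_xml)
    return [name for name in pushed_rules(dg_xml) if name not in local]

def rules_targeting(dg_xml, serial):
    """Device-group rules whose 'target' still lists this serial (edit these)."""
    return [e.get("name") for e in _dg_rule_entries(dg_xml)
            if serial in {d.get("name") for d in e.findall("./target/devices/entry")}]
```

Run `missing_after_import` against the device-group export and the firewall's running config after step 3 on the firewall, and `rules_targeting` with the real serial before step 3 on Panorama.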
Starting from PAN-OS 10.1, there is a new field under Device > Setup > Management > Panorama Settings called Auth Key.
If the firewall was managed through Panorama prior to 10.1, this field will likely be blank. As a result, the OK button will be greyed out and will not allow the Panorama IP to be removed.
To resolve this, enter an auth key in the format "2:<anycharacters>" as shown in the snapshot below:
Alternatively, remove Panorama config from CLI. See: PAN-189804