Notice of Changes to Data Center Firewall Management (Panorama)

(TL;DR) – Sorry, but if you manage a Data Center Firewall with Panorama, you need to read and understand this information.

Some time after the initial installation of the Data Center Firewalls, DCS and ENCS learned from the vendor that the management model in use on the Data Center Firewalls is not in line with vendor best practices. In the current model, regional (University Park and Hershey) policies and objects are created locally on each physical device and only global policies and objects are created in Panorama. Vendor best practice is to keep all policies and objects in Panorama. Having all policies and objects in Panorama:
– removes the need to duplicate objects between regions,
– gives one place to make all policy changes,
– allows policy changes made in Panorama to be logged,
– takes fuller advantage of device group hierarchies, and
– makes backup and restore easier in case of a hardware failure.

DCS and ENCS, in cooperation with professional services, have been planning and preparing a migration of local policies to Panorama to align with vendor best practices. We apologize in advance for the inconvenience that implementing this change will cause. Our hope is that the near-term inconvenience is far outweighed by the long-term convenience.

All of the information below is pending approval of CHG0043371 for Hershey and CHG0043372 for University Park.

What does this mean for you?

Change Freezes:
On Friday 9/1, starting at 5 pm, until Wednesday 9/6, ending at 7 am, a configuration lock will be placed on Panorama and the Hershey firewalls. Local policy and object changes on the University Park firewalls may still be made. If changes within Panorama or the Hershey firewalls are needed during the freeze, please open an incident against the service “Data Center Services” or contact the Operations Center at 865-4662. The Operations Center will open a ticket on your behalf.

A change freeze will also be implemented for the University Park firewalls at a future date. That date is not yet determined; we are working with professional services to set the implementation date, which is planned for the third or fourth week of September.

Outages:
On Tuesday 9/5, starting at 8 pm, until Wednesday 9/6, ending at 7 am, the Hershey firewalls will be moved from local management to Panorama management. The remediation process requires that we remove one firewall from the HA pair, reconfigure it for Panorama management, and then bring it back into service. The process then repeats on the other firewall. Each time a firewall is taken out of and brought back into service, a momentary traffic disruption will occur. An outage of up to 5 minutes is possible for some applications, depending on their behavior and their tolerance for a lost packet in a session. Testing has shown that an extended outage should not be needed, but in an emergency an outage of up to 60 minutes may be experienced while the firewalls are rebuilt.

At a yet undetermined date, the University Park firewalls will be moved from local management to Panorama management. The process and the expected disruption are the same as described above for Hershey: one firewall at a time is removed from the HA pair, reconfigured for Panorama management, and brought back into service, with a momentary traffic disruption each time. An outage of up to 5 minutes is possible for some applications, depending on their behavior and their tolerance for a lost packet in a session, and in an emergency an outage of up to 60 minutes may be experienced while the firewalls are rebuilt.

Further information and training regarding the changes below will be provided as soon as they are available.

Policy Management Changes:
Starting 9/6 for Hershey firewalls, and a yet undetermined date for University Park firewalls, all firewall policy and object changes will be made within Panorama. Access to the physical firewalls will be significantly reduced to read-only functions necessary for troubleshooting.

Committing policy changes:
– Committing policy becomes a two-step process:
1. Commit to Panorama. This commits the pending changes to Panorama's own configuration. Nothing changes in the policy running on the physical firewalls yet; they continue to enforce the previously pushed policy.
2. Commit to Device Group (push to devices). This pushes the changes already committed on Panorama to the physical firewalls in that device group. Only after this step completes is the policy on the physical firewalls updated to match Panorama.

Changes will also be made to the device group hierarchy such that:
– Each organization will have a “parent device group”. Policies and objects created in the parent device group are automatically inherited by its child device groups.
– Each virtual firewall (vsys) will be in its own device group under the parent device group. This allows you to create “global” rules and objects for all of your vsys in one place, and rules and objects specific to a single vsys in another place. Objects created in a child device group can be promoted to the parent device group later if needed.
– Firewall policy is evaluated in this order, and the first matching rule wins: “Shared” Pre Rules (Centrally Managed) -> “Parent Device Group” Pre Rules -> “Child Device Group” Pre Rules -> “Child Device Group” Post Rules -> “Parent Device Group” Post Rules -> “Shared” Post Rules (Centrally Managed) -> Default Rules (Centrally Managed). In practice this means a rule in your child device group can never override a matching Pre Rule in the parent or Shared device groups.

Zones and log forwarding profiles:
– Zones will be given generic names: Inside (formerly ORG-Trust) and Outside (formerly ORG-Untrust). Rules reference zones by name, so a rule in the parent device group can only apply to a vsys whose zones carry the same names; with the generic names, zone-based rules can be written at the parent or device group level, which is not possible today.
– Log forwarding profiles will also be given a generic name, syslog-forwarding. For the same reason, this allows the log forwarding profile to be referenced in rules at the parent or device group level, which is not possible today.
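To make the evaluation order from the device group hierarchy concrete, here is an added example (not code from the notice, the vendor, or DCS/ENCS): a small Python model of the layered rulebase. It evaluates a flow against Shared, parent and child pre/post rules in the stated order, falls through to the centrally managed default rules, and flags rules that can never match because an earlier rule already covers the same traffic. The rules, App-ID names and the use of the generic Inside/Outside zone names in a parent-level rule are constructed for illustration and are not the university's actual policies.

```python
"""Added example: first-match evaluation across the Panorama device group hierarchy.

Evaluation order modeled (from the notice):
  Shared pre -> parent pre -> child pre -> child post -> parent post
  -> Shared post -> default rules (intrazone allow, interzone deny)
All rule contents below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str  # zone name or "any"
    dst_zone: str  # zone name or "any"
    app: str       # App-ID name or "any"
    action: str    # "allow" or "deny"

    def matches(self, src_zone: str, dst_zone: str, app: str) -> bool:
        return (self.src_zone in ("any", src_zone)
                and self.dst_zone in ("any", dst_zone)
                and self.app in ("any", app))

    def covers(self, other: "Rule") -> bool:
        """True if every flow that matches `other` also matches this rule."""
        return all(mine in ("any", theirs) for mine, theirs in (
            (self.src_zone, other.src_zone),
            (self.dst_zone, other.dst_zone),
            (self.app, other.app)))


@dataclass
class Rulebase:
    """Pre- and post-rules of one device group (or of Shared)."""
    pre: List[Rule] = field(default_factory=list)
    post: List[Rule] = field(default_factory=list)


def effective_order(shared: Rulebase, parent: Rulebase, child: Rulebase) -> List[Rule]:
    """Rules in the order the firewall evaluates them; the first match wins."""
    return (shared.pre + parent.pre + child.pre
            + child.post + parent.post + shared.post)


def evaluate(shared: Rulebase, parent: Rulebase, child: Rulebase,
             src_zone: str, dst_zone: str, app: str) -> Tuple[str, str]:
    """Return (rule name, action) for a flow, including the default rules."""
    for rule in effective_order(shared, parent, child):
        if rule.matches(src_zone, dst_zone, app):
            return rule.name, rule.action
    # Centrally managed default rules: same-zone traffic is allowed,
    # traffic between different zones is denied.
    if src_zone == dst_zone:
        return "intrazone-default", "allow"
    return "interzone-default", "deny"


def shadowed_rules(shared: Rulebase, parent: Rulebase, child: Rulebase) -> List[str]:
    """Names of rules that can never match because an earlier rule covers them."""
    order = effective_order(shared, parent, child)
    return [later.name for i, later in enumerate(order)
            if any(earlier.covers(later) for earlier in order[:i])]


# Constructed sample hierarchy, using the generic zone names from the notice
# so that the parent device group can carry zone-based rules.
SHARED = Rulebase(
    pre=[Rule("block-p2p", "any", "any", "bittorrent", "deny")])
PARENT = Rulebase(
    pre=[Rule("allow-web-out", "Inside", "Outside", "web-browsing", "allow")],
    post=[Rule("deny-inbound", "Outside", "Inside", "any", "deny")])
CHILD = Rulebase(
    pre=[Rule("allow-ssh-in", "Outside", "Inside", "ssh", "allow")],
    # This vsys tries to block web browsing, but the parent pre-rule is
    # evaluated first, so this child post-rule is shadowed and never matches.
    post=[Rule("deny-web-out", "Inside", "Outside", "web-browsing", "deny")])


def decide(src_zone: str, dst_zone: str, app: str) -> Tuple[str, str]:
    return evaluate(SHARED, PARENT, CHILD, src_zone, dst_zone, app)


def sample_shadowed() -> List[str]:
    return shadowed_rules(SHARED, PARENT, CHILD)


if __name__ == "__main__":
    for flow in [("Inside", "Outside", "web-browsing"),
                 ("Outside", "Inside", "ssh"),
                 ("Outside", "Inside", "web-browsing"),
                 ("Inside", "Outside", "bittorrent"),
                 ("Inside", "Inside", "ssh"),
                 ("Inside", "Outside", "ssh")]:
        print(flow, "->", decide(*flow))
    print("shadowed:", sample_shadowed())
```

The shadowed-rule check is the one worth keeping: after the migration, a deny you add as a child post-rule is silently ineffective if a parent or Shared pre-rule already allows the same traffic, and the zone names in the parent rule only line up with your vsys because of the generic Inside/Outside naming.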

More information: Notice of Changes to Data Center Firewall Management (Panorama)

Story added 29 August 2017; the full text is available at the source linked above.