1.) Perform hardware installation of the PA-5220 including all the SFP modules. Perform initial configuration to bring the management interface online and install all the licenses, PAN-OS upgrades, and Application/Threat packages.
2.) Since your PA-5220 is replacing an existing Firewall, I assume it is going to be using an identical configuration. In this case, I would place the new PA-5220 into the same Template Stack as the existing PA-5020. Depending on your Device Group hierarchy, I would do the same to place the PA-5220 into the same Device Group. As a next step, I would push the configuration from Panorama to the PA-5220, then if there is no issue I would plan the actual cut over.
3.) Before the actual migration, I would pre-prepare all the cables and SFP modules. During the time of cut over, I would move cables one by one from the old Firewall to the new one. For the migration to the new 40G connection, I would unplug the cable from the old Firewall and plug the new 40G SFP connection into the new Firewall. If there is no IP address change, then unless there is a physical connection issue / SFP issue or Fiber TX/RX swap, all should start to work with traffic being forwarded again. If traffic is not passing through even though all connections are up, I would check the ARP table of the switches on each side of the Firewall. In the case it is still pointing to the MAC address of the old Firewall, I would delete that entry and the new ARP entry will be mapped to the correct MAC address.
An alternative way would be to cable all the ports on the PA-5220, but keep the ports shut down on the switch side to prevent IP address duplication. On the day of cut over, just shut down the ports on the switch facing the old Firewall and un-shut the ports facing the new Firewall. This might be quicker than manually moving cables across.
Myself, I went through a similar migration a few years ago from PA-5060 to PA-5260 in a high pressure environment where only minimum downtime was allowed. Both old and new Firewalls were in HA (Active/Standby pair). I do not exactly recall the sequence of all the steps we have done, but in a nutshell we have pre-prepared all the configuration between old and new Firewall on a one-to-one basis. We have pre-cabled everything, but kept ports shut down. On the day of cut over we shut down ports facing the old switch and un-shut ports facing the new switch. Since we had an HA pair, we had the luxury of having more control over which Firewall will forward traffic. The only issue we came across was that the new Firewall did not send GARP, which required manual intervention.
Checking PA documentation, I can only see references about how to integrate both HA peers or a standalone firewall but do not mention anything specific about how to add an HA peer to Panorama when the other peer is already managed by Panorama as a standalone.
The existing firewall should keep its configuration in Panorama, just adding the HA functionality and becoming the primary node in the cluster. The new firewall should just be added to the existing firewall as a secondary node in the cluster.
I have not done this exact scenario before. All HA Firewalls I managed were managed by Panorama right from the initial setup. If I were about to do the same as what your customer is planning to do, I would follow the steps below.
In Panorama, register the additional PA-820 in the same Device Group / Template Stack as the existing Firewall, then push the configuration to the new PA-820. If there is no issue, then I would proceed with the HA configuration. If the HA function is going to be managed through Panorama, then follow this KB: How to use one Template stack for a high availability Firewall Pair on Panorama to set up the Template for the HA feature. Make sure that device priority is set correctly so that the existing Firewall is primary active: Understanding Preemption with the Configured Device Priority in HA Active/Passive Mode. If there is no error with pushing the HA related configuration, then I would proceed with the next step.
I would connect the HA ports, then make sure that both Firewalls assume their respective roles: active for the existing Firewall and passive for the new Firewall. If there is no issue with HA synchronization / incompatibility, then I would connect all data plane cables to the new Firewall, then perform a failover to make sure there is no issue with traffic flow and interfaces, then fail back.
My thought is to configure HA locally, commit it to the firewalls and then add the new firewall to the device group and template stack. The issue I am running into is that as soon as I commit the config on the active firewall it becomes passive and the network goes down. Fortunately I have the Panorama commit recovery setting enabled so it comes back up uncommitted.
On the server, what I do is modify the rsyslog.conf file to open port 514, and at the end I add a line so that the logs I detect coming in are stored in a folder with the system-xxxxxx/YYYYY/MM/DD format.
But in this case the admin of the firewall insists on sending the logs of all the firewalls through Panorama. The problem I have is that my server detects the IP of Panorama or its host name, and I only get one .log file that stores the logs of all the sources, and I don't know if Logstash is able to process so much information.
Personally I do not like this approach of receiving with syslog, writing to a file and reading from that file. I prefer to send the logs directly from the firewall to Logstash using a UDP or TCP input, as this will use less I/O and less CPU in my experience.
Skype for Business Server requires that specific ports on the external and internal firewalls are open. Additionally, if Internet Protocol security (IPsec) is deployed in your organization, IPsec must be disabled over the range of ports used for the delivery of audio, video, and panoramic video.
While this might seem a bit daunting, the heavy lifting for planning this can be done using the Skype for Business Server 2015 Planning Tool. Once you've gone through the wizard's questions about which features you plan to use, for each site you define you can view the Firewall Report within the Edge Admin Report, and use the information listed there to create your firewall rules. You can also make adjustments to many of the names and IP addresses used; for details, see Review the Firewall Report. Keep in mind that you can export the Edge Admin Report to an Excel spreadsheet, and the Firewall Report will be one of the worksheets in the file.
When Skype for Business Server starts, it opens the required ports in the Windows Firewall. Windows Firewall should already be running in most normal deployments, but if it is not being used, Skype for Business Server will function without it.
Some remote call control scenarios require a TCP connection between the Front End Server or Director and the PBX. Although Skype for Business Server no longer uses TCP port 5060, during remote call control deployment you create a trusted server configuration, which associates the RCC Line Server FQDN with the TCP port that the Front End Server or Director will use to connect to the PBX system. For details, see the CsTrustedApplicationComputer cmdlet in the Skype for Business Server Management Shell documentation.
Front End pools and Director pools that use DNS load balancing must also have a hardware load balancer deployed. The following table shows the ports that need to be open on these hardware load balancers.
The ports that are used for external user access are required for any scenario in which the client must traverse the organization's firewall (for example, any external communications or meetings hosted by other organizations).
For enterprise networks where Internet Protocol security (IPsec) (see IETF RFC 4301-4309) has been deployed, IPsec must be disabled over the range of ports used for the delivery of audio, video, and panoramic video. The recommendation is motivated by the need to avoid any delay in the allocation of media ports due to IPsec negotiation.
And while I've sailed a similar itinerary on Holland and Princess, I find that the Carnival Panorama offers a similar experience for far cheaper and doesn't skimp on activities, dining, and exciting places to visit.
I have booked a variety of cabin sizes on the Carnival Panorama, but I find an entry-level inside stateroom offers enough space and amenities, and choosing one is the best way to trim my overall budget.
Unlike other cruise lines, there was no single supplement to sail solo in my stateroom. This not only saved me money but precious square footage as my single cabin came with just one bed, as opposed to the usual two. This meant I had more room to spread out and I never felt cramped.
Like other cruise ships I've experienced, my cabin bathroom was petite, but included a shower stall, a sink with mirrors above, a storage shelf beneath, and so many towels I was never wanting for more.