Merge Palo Alto Panorama Devices into a Single Cluster in SecureTrack

The tool converts two Palo Alto Panorama HA Active-Passive cluster devices that were monitored as separate standalone devices in SecureTrack into a single Panorama cluster device in SecureTrack. This tool will:

  • Delete the Active and Passive devices.
  • Remove the revision, rule, and object usage history from the Cluster and Passive devices.

  • Copy all the revision, rule and object usage history from the Active to the Cluster device.

    The cluster being converted must be an Active-Passive Panorama cluster monitored by Panorama 6 or 6.1, where the Palo Alto devices are already being monitored as separate devices in SecureTrack. The cluster cannot be Active-Active.

If this is a new cluster being added to SecureTrack, it can be imported directly and a conversion will not be required. See Adding Palo Alto Panorama Devices.

Overview

The steps for the conversion process are:

  1. Import the Panorama cluster device. This will add a new device to the managed devices, the cluster management device.

    You must have sufficient device licenses to add the new device. Contact support if you do not have a free device license.

  2. Determine the id of the Cluster, Active, and Passive devices.
  3. Run the conversion tool.

    This step will replace the three devices with a single device representing the HA cluster, using the ids identified in the prior step.

    We recommend that you run the conversion tool immediately after the upgrade to preserve the revision, rule, and object history of the active HA device.

Prior to starting the conversion process, you will have two standalone Palo Alto devices listed in your list of devices.

To convert the standalone devices to a cluster:

  1. Import the Panorama cluster - see Adding Palo Alto Panorama Devices.

    After running the import, you will have three devices listed for each cluster: Cluster, Active, and Passive.

  2. Determine the id of each device in the cluster.

    To get the ID of a device,

    • Either use the command line on the SecureTrack host:

      # st stat
    • Or click the device in the SecureTrack device tree in Compare > Compare Revisions, and type the letter t

    The device ids in this example are Cluster: 24, Active: 11, Passive: 2.

  3. Log into SecureTrack as an Administrator.

  4. In the address bar of your browser, add /tools to the SecureTrack base URL.

    For example: https://192.168.1.1/tools

  5. Click Convert Palo Alto cluster standalone to Secure Track Palo Alto cluster.

    The conversion tool appears.

  6. Enter the three IDs. The device ids in this example are Cluster: 24, Active: 11, Passive: 2.
  7. Click Update.