>
    Strata Copilot
    Migrating VM-Series to AI Runtime Firewall (AIRS VM)
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma AIRS
    3. Activation & Onboarding
    4. Migrate VM-Series to AI Runtime Firewall (AIRS VM)
    5. Migrating VM-Series to AI Runtime Firewall (AIRS VM)
    Download PDF
    Prisma AIRS

    Migrating VM-Series to AI Runtime Firewall (AIRS VM)

    Table of Contents

    Migrating VM-Series to AI Runtime Firewall (AIRS VM)

    Migrate VM-Series firewalls to AI Runtime Firewall (AIRS VM) using Panorama, Strata Cloud Manager, or a standalone firewall.
    Where Can I Use This?What Do I Need?
    • AI Runtime Firewall (AIRS VM)
    • VM-Series
    • VM-Series Firewall licensed by Software NGFW Credits
    • PAN-OS® 11.2.13 or later or 12.1.7 or later (for single image)
    • Panorama management server running at the same or a higher PAN-OS version or
      Strata Cloud Manager (SCM)
    This procedure outlines the steps to migrate an entire deployment profile from VM-Series to AI Runtime Firewall (AIRS VM).

    Migration on Panorama Managed Firewalls

    1. Log in to the Customer Support Portal.
    2. Navigate to SWFW Credits and identify the deployment profile you want to migrate.
    3. Click Options > Edit Profile.
    4. Toggle the Firewall Type option from VM-Series to Prisma AIRS.
    5. (Optional) Add or remove subscriptions as needed.
    6. Click Update Deployment Profile to save changes.
    7. Click View Devices.
      After the migration is completed, you will observe the following on the Software NGFW Devices page:
      • The authcode of the firewall remains the same.
      • The Deployment Profile Product Type changes to VM or VM-AI based on migration.
      • Software NGFW devices change to AI-powered under the serial number.
      • For the firewalls managed by Panorama, once the migration is complete on the CSP, a license refresh must be initiated from Panorama. This can be accomplished through either of the following methods:
        • Manually refresh the license through Managed Devices.
        • Utilize the nightly refresh job in Panorama.
      If your deployment profile contains more than 200 firewalls, the migration cannot be performed from the CSP. Contact support to facilitate this migration.

    Manual License Refresh through Managed Devices

    1. Ensure that the Panorama has connectivity to the PaloAlto update server.
    2. Navigate to Managed Devices to identify and select the specific firewalls for immediate migration and click Refresh. After the license update is complete, the firewall licenses will be updated and the model change is displayed.
    3. To confirm the migration, inspect the Licenses section to ensure the new AIRS license is updated. This update can also be verified directly on the device.

    Nightly License Refresh on Panorama

    Panorama runs an automated nightly job to ensure license refreshes.
    For firewalls managed by Panorama, it is necessary to re-push the Traffic Objects and AI Profile settings to the newly migrated AIRS firewall.

    High Availability (HA) Support

    HA pairs can be migrated through Strata Cloud Manager or Panorama by following the steps 1-7 in Migration on Panorama Managed Firewalls section.

    Migrating AI Runtime Firewall (AIRS VM) to VM-Series

    To migrate from the AI Runtime Firewall (AIRS VM) back to the VM-Series follow the steps 1-7 in n Migration on Panorama Managed Firewalls section. Ensure that in step 4, you switch the Firewall Type selection from Prisma AIRS to VM-Series.
    Migrating AI Runtime Firewall (AIRS VM) to VM-Series would consume lesser credits and the system checks for available credits and re-calculates it.

    Migration of Standalone Firewalls

    To migrate standalone firewall to AI Runtime Firewall (AIRS VM):
    1. Log in to the Customer Support Portal.
    2. Navigate to SWFW Credits and identify the deployment profile you want to migrate.
    3. Click Options > Edit Profile.
    4. Toggle the Firewall Type option from VM-Series to Prisma AIRS.
    5. (Optional) Add or remove subscriptions as needed.
    6. Click Update Deployment Profile to save changes.
    7. Click View Devices.
      After the migration is completed, you will observe the following on the Software NGFW Devices page:
      • The authcode of the firewall remains the same.
      • The Deployment Profile Product Type changes to VM or VM-AI based on migration.
      • Software NGFW device changes to AI-powered under the serial number.
    8. Refetch the license on the device.
    9. The model is updated, after the license is applied.

    High Availability (HA) Support

    HA pairs can be migrated through Strata Cloud Manager or Panorama by following the steps 1-7 in Migration of Standalone Firewalls section.
    For standalone pairs, an interim model mismatch will occur during migration, which temporarily prevents the synchronization of running configurations. To manage this, it is recommended that you refresh the license on the passive device first, followed by the active device.

    Migrating AI Runtime Firewall (AIRS VM) to VM-Series

    To migrate from the AI Runtime Firewall (AIRS VM) back to the VM-Series follow the steps 1-7 in Migration of Standalone Firewalls section. Ensure that in step 4, you switch the Firewall Type selection from Prisma AIRS to VM-Series.
    Migrating AI Runtime Firewall (AIRS VM) to VM-Series would consume lesser credits and the system checks for available credits and re-calculates it.

    Migration on Strata Cloud Manager Managed Firewalls

    To migrate Strata Cloud Manager managed VM-Series firewall to AI Runtime Firewall (AIRS VM):
    1. Log in to the Customer Support Portal.
    2. Navigate to SWFW Credits and identify the deployment profile you want to migrate.
    3. Click Options > Edit Profile.
    4. Toggle the Firewall Type option from VM-Series to Prisma AIRS.
    5. (Optional) Add or remove subscriptions as needed.
    6. Click Update Deployment Profile to save changes.
    7. Click View Devices.
      After the migration is completed, you will observe the following on the Software NGFW Devices page:
      • The authcode of the firewall remains the same.
      • The Deployment Profile Product Type changes to VM or VM-AI based on migration.
      • Software NGFW device changes to AI-powered under the serial number.
      For Strata Cloud Manager managed devices, the license fetch is triggered automatically once the migration is completed on the CSP.
    8. Login to the Strata Cloud Manager console and access your tenant to view the revised firewall models after the migration is completed.
      1. Device Associations: Navigate to System Settings > Device Associations and view the model updated as AI Runtime Firewall.
      2. Device Management: Navigate to Device Management. The folder containing the devices associated with the migrated deployment profile will show the updated model. The new model details will also be displayed across various subscriptions, including AIOps, Cloud Identity Engine, Strata Logging Service and Command Center.

    High Availability (HA) Support

    HA pairs can be migrated through Strata Cloud Manager by following the steps 1-7 in Migration on Strata Cloud Manager Managed Firewalls section.

    Migrating AI Runtime Firewall (AIRS VM) to VM-Series

    To migrate from the AI Runtime Firewall (AIRS VM) back to the VM-Series follow the steps 1-7 in Migration on Strata Cloud Manager Managed Firewalls section. Ensure that in step 4, you switch the Firewall Type selection from Prisma AIRS to VM-Series.
    Migrating AI Runtime Firewall (AIRS VM) to VM-Series would consume lesser credits and the system checks for available credits and re-calculates it.

    © 2026 Palo Alto Networks, Inc. All rights reserved.