Use Case - Migrate Your Next-Generation Firewalls to Panorama

1. Planning is key—before you start the migration, make sure you have understood the following:
   • Review the Palo Alto Networks Compatibility Matrix to understand compatibility between Panorama and firewalls, across Log Collectors, and content versions to ensure no compatibility errors are encountered during migration.
   • Plan your device group and template hierarchy in such a way that reduces redundancy and streamlines the management of settings that are shared among all firewalls within a set of firewalls.
   • Prepare a post-migration test plan to verify that to verify critical traffic and application traffic after you successfully migrate your firewall to Panorama.
2. When you migrate a firewall to Panorama management, enable import devices’ shared objects into Panorama’s shared context to avoid duplicating identical configuration objects.
3. After a successful migration, review the Policies to identify any duplicate rules. Delete one of each duplicate rule before you Commit to Panorama to avoid commit errors.
4. When you Export or push device config bundle to your managed firewalls, enable Merge with Candidate Config, Include Device and Network Templates, and Force Template Values to force a commit for any pending local changes on the firewall, include all device groups and templates in the push, and delete any local configurations not present in a device group or template on Panorama. This ensures a baseline configuration managed by Panorama is pushed to all firewalls migrated to Panorama.
5. Perform your post-migration tests to verify that the migration is successful and that everything is working as intended. Over time, optimize the configuration as needed. Use migration tools like Expedition the to periodically asses your configuration hygiene by removing any unused or duplicate objects and the Policy Optimizer to optimize your Security policy rulebase.