: Use Case - Migrate Your Next-Generation Firewalls to Panorama
Focus
Focus

Use Case - Migrate Your Next-Generation Firewalls to Panorama

Table of Contents

Use Case - Migrate Your Next-Generation Firewalls to Panorama

Best practice for migrating your Next-Generation firewalls to your Panorama™ management server.
The second use case for getting started with the Panorama™ management server is to Transition existing firewalls to Panorama. If possible, work with your Palo Alto Networks Sales Engineer or Professional Services Engineer during the migration to ensure your firewall configurations are correctly migrated to Panorama.
  1. Planning is key—before you start the migration, make sure you have understood the following:
    • Review the Palo Alto Networks Compatibility Matrix to understand compatibility between Panorama and firewalls, across Log Collectors, and content versions to ensure no compatibility errors are encountered during migration.
    • Plan your device group and template hierarchy in such a way that reduces redundancy and streamlines the management of settings that are shared among all firewalls within a set of firewalls.
    • Prepare a post-migration test plan to verify that to verify critical traffic and application traffic after you successfully migrate your firewall to Panorama.
  2. When you migrate a firewall to Panorama management, enable
    import devices’ shared objects into Panorama’s shared context
    to avoid duplicating identical configuration objects.
  3. After a successful migration, review the
    Policies
    to identify any duplicate rules. Delete one of each duplicate rule before you
    Commit
    to Panorama to avoid commit errors.
  4. When you
    Export or push device config bundle
    to your managed firewalls, enable
    Merge with Candidate Config
    ,
    Include Device and Network Templates
    , and
    Force Template Values
    to force a commit for any pending local changes on the firewall, include all device groups and templates in the push, and delete any local configurations not present in a device group or template on Panorama. This ensures a baseline configuration managed by Panorama is pushed to all firewalls migrated to Panorama.
  5. Perform your post-migration tests to verify that the migration is successful and that everything is working as intended. Over time, optimize the configuration as needed. Use migration tools like Expedition the to periodically asses your configuration hygiene by removing any unused or duplicate objects and the Policy Optimizer to optimize your Security policy rulebase.

Recommended For You