Update Your Panorama Registration
Table of Contents
Update Your Panorama Registration
Regenerate your registration string to simplify your deployments.
You can modify the Panorama parameters after you have registered the Cloud NGFW with
Panorama. You generate a new registration string in Panorama and update your Cloud
NGFW resource when you make the following changes:
- Migrate a Cloud NGFW resource from one Panorama to another Panorama.
- Add a log collector to Panorama after deploying the Cloud NGFW resource.
- Move the Cloud NGFW to a different cloud device group.
- Modify the Panorama IP address after deploying the Cloud NGFW resource.
Consider the following:
- The update process involves a rolling upgrade. During this time there is a brief period where some Cloud NGFW resources may be connected to an older Panorama instance while other resources are connected to a new one. This process ensures continuous protection to all Cloud NGFW resources.
- Palo Alto Networks recommends that you don’t push any configuration changes in Panorama to ensure consistency across all Cloud NGFW resources during the update process.
- The feature currently supports updates to the Panorama IP address, a cloud device group, a template stack, or a log collector.
- The update process may take long for deployments containing a large number of firewall instances to ensure thorough validation and a smooth transition.
Requirements
To simplify onboarding with your Cloud NGFW resource, you’ll need the following:
- Panorama versions 10.2, 11.0, 11.1, 11.2 or later.
- Use the Azure plugin for Cloud NGFW version 5.2.2 or greater.
Generate a New Registration String
You'll need to generate a new Panorama registration string from your Panorama
instance to update your Panorama registration in the Azure Portal by following
these steps:
- Log into Panorama.
- Select the Panorama tab in the upper portion of the web interface.
- In the Azure plugin section, select Cloud NGFW. Previously created Cloud Device Groups appear if they were established for the Cloud NGFW resource using Azure.
- Select the Cloud Device Group and make any necessary changes.See Use Panorama for Cloud NGFW Policy Management for information about adding a new Cloud Device Group, or changing elements of an existing one (for example, change the template stack, update the Panorama IP address or the Panorama HA peer IP address.)
- Click Generate to display the registration string, then commit your changes.
- In the Registration String screen, click Copy Registration String.
- Log in to the Azure Portal.
- Select the Cloud NGFW, then navigate to Settings > Security Policies to update the generated configuration string.
The following table illustrates the states associated with the Health Status:
Config String Update Provision State Health Status Health Reason Accepted Degraded - Config string verification failed - not able to connect to Panorama
- Unable to apply config string to FW - not able to connect to Panorama
Succeeded Healthy Config string successfully applied
Migrate a Panorama Instance
Use this procedure to migrate one Panorama instance to another Panorama:
- Log in to your first Panorama instance.
- Select Panorama>Setup>Operations and click Save named Panorama configuration snapshot.
- Select Panorama>Setup>Operations and click Export named Panorama configuration snapshot. Save the file with a .XML extension.
- Log in to your second Panorama instance.
- Select Panorama>Azure>Cloud NGFW>Create Cloud Device Group.
- Select Panorama>Setup>Operations and click Import named Panorama configuration snapshot; load the file you previously created in step 3.
- Select Panorama>Setup>Operations and click Load named Panorama configuration snapshot.
- Modify the cloud device group (with Collector Groups, if any), then commit the change.
- Generate the registration string and update the existing firewall.