Migrate a Firewall HA Pair to Panorama Management and Push a New Configuration
Table of Contents
Expand all | Collapse all
-
- Determine Panorama Log Storage Requirements
-
- Setup Prerequisites for the Panorama Virtual Appliance
- Perform Initial Configuration of the Panorama Virtual Appliance
- Set Up The Panorama Virtual Appliance as a Log Collector
- Set Up the Panorama Virtual Appliance with Local Log Collector
- Set up a Panorama Virtual Appliance in Panorama Mode
- Set up a Panorama Virtual Appliance in Management Only Mode
-
- Preserve Existing Logs When Adding Storage on Panorama Virtual Appliance in Legacy Mode
- Add a Virtual Disk to Panorama on an ESXi Server
- Add a Virtual Disk to Panorama on vCloud Air
- Add a Virtual Disk to Panorama on Alibaba Cloud
- Add a Virtual Disk to Panorama on AWS
- Add a Virtual Disk to Panorama on Azure
- Add a Virtual Disk to Panorama on Google Cloud Platform
- Add a Virtual Disk to Panorama on KVM
- Add a Virtual Disk to Panorama on Hyper-V
- Add a Virtual Disk to Panorama on Oracle Cloud Infrastructure (OCI)
- Mount the Panorama ESXi Server to an NFS Datastore
-
- Increase CPUs and Memory for Panorama on an ESXi Server
- Increase CPUs and Memory for Panorama on vCloud Air
- Increase CPUs and Memory for Panorama on Alibaba Cloud
- Increase CPUs and Memory for Panorama on AWS
- Increase CPUs and Memory for Panorama on Azure
- Increase CPUs and Memory for Panorama on Google Cloud Platform
- Increase CPUs and Memory for Panorama on KVM
- Increase CPUs and Memory for Panorama on Hyper-V
- Increase the CPUs and Memory for Panorama on Oracle Cloud Infrastructure (OCI)
- Complete the Panorama Virtual Appliance Setup
-
- Convert Your Evaluation Panorama to a Production Panorama with Local Log Collector
- Convert Your Evaluation Panorama to a Production Panorama without Local Log Collector
- Convert Your Evaluation Panorama to VM-Flex Licensing with Local Log Collector
- Convert Your Evaluation Panorama to VM-Flex Licensing without Local Log Collector
- Convert Your Production Panorama to an ELA Panorama
-
- Register Panorama
- Activate a Panorama Support License
- Activate/Retrieve a Firewall Management License when the Panorama Virtual Appliance is Internet-connected
- Activate/Retrieve a Firewall Management License when the Panorama Virtual Appliance is not Internet-connected
- Activate/Retrieve a Firewall Management License on the M-Series Appliance
- Install the Panorama Device Certificate
- Install the Device Certificate for a Dedicated Log Collector
-
- Migrate from a Panorama Virtual Appliance to an M-Series Appliance
- Migrate a Panorama Virtual Appliance to a Different Hypervisor
- Migrate from an M-Series Appliance to a Panorama Virtual Appliance
- Migrate from an M-100 Appliance to an M-500 Appliance
- Migrate from an M-100 or M-500 Appliance to an M-200 or M-600 Appliance
-
- Configure an Admin Role Profile
- Configure an Admin Role Profile for Selective Push to Managed Firewalls
- Configure an Access Domain
-
- Configure a Panorama Administrator Account
- Configure Local or External Authentication for Panorama Administrators
- Configure a Panorama Administrator with Certificate-Based Authentication for the Web Interface
- Configure an Administrator with SSH Key-Based Authentication for the CLI
- Configure RADIUS Authentication for Panorama Administrators
- Configure TACACS+ Authentication for Panorama Administrators
- Configure SAML Authentication for Panorama Administrators
- Configure Tracking of Administrator Activity
-
- Add a Firewall as a Managed Device
-
- Add a Device Group
- Create a Device Group Hierarchy
- Create Objects for Use in Shared or Device Group Policy
- Revert to Inherited Object Values
- Manage Unused Shared Objects
- Manage Precedence of Inherited Objects
- Move or Clone a Policy Rule or Object to a Different Device Group
- Push a Policy Rule to a Subset of Firewalls
- Device Group Push to a Multi-VSYS Firewall
- Manage the Rule Hierarchy
- Manage the Master Key from Panorama
- Schedule a Configuration Push to Managed Firewalls
- Redistribute Data to Managed Firewalls
-
- Plan the Transition to Panorama Management
- Migrate a Firewall to Panorama Management and Reuse Existing Configuration
- Migrate a Firewall to Panorama Management and Push a New Configuration
- Migrate a Firewall HA Pair to Panorama Management and Reuse Existing Configuration
- Migrate a Firewall HA Pair to Panorama Management and Push a New Configuration
- Load a Partial Firewall Configuration into Panorama
- Localize a Panorama Pushed Configuration on a Managed Firewall
-
- Configure a Managed Collector
- Monitor Managed Collector Health Status
- Configure Log Forwarding to Panorama
- Configure Syslog Forwarding to External Destinations
- Forward Logs to Cortex Data Lake
- Verify Log Forwarding to Panorama
- Modify Log Forwarding and Buffering Defaults
- Configure Log Forwarding from Panorama to External Destinations
-
- Add Standalone WildFire Appliances to Manage with Panorama
- Remove a WildFire Appliance from Panorama Management
-
-
- Configure a Cluster and Add Nodes on Panorama
- Configure General Cluster Settings on Panorama
- Remove a Cluster from Panorama Management
- Configure Appliance-to-Appliance Encryption Using Predefined Certificates Centrally on Panorama
- Configure Appliance-to-Appliance Encryption Using Custom Certificates Centrally on Panorama
- View WildFire Cluster Status Using Panorama
-
-
- Preview, Validate, or Commit Configuration Changes
- Commit Selective Configuration Changes for Managed Devices
- Push Selective Configuration Changes to Managed Devices
- Enable Automated Commit Recovery
- Compare Changes in Panorama Configurations
- Manage Locks for Restricting Configuration Changes
- Add Custom Logos to Panorama
- Use the Panorama Task Manager
- Reboot or Shut Down Panorama
- Configure Panorama Password Profiles and Complexity
-
-
- Verify Panorama Port Usage
- Resolve Zero Log Storage for a Collector Group
- Replace a Failed Disk on an M-Series Appliance
- Replace the Virtual Disk on an ESXi Server
- Replace the Virtual Disk on vCloud Air
- Migrate Logs to a New M-Series Appliance in Log Collector Mode
- Migrate Logs to a New M-Series Appliance in Panorama Mode
- Migrate Logs to a New M-Series Appliance Model in Panorama Mode in High Availability
- Migrate Logs to the Same M-Series Appliance Model in Panorama Mode in High Availability
- Migrate Log Collectors after Failure/RMA of Non-HA Panorama
- Regenerate Metadata for M-Series Appliance RAID Pairs
- View Log Query Jobs
- Troubleshoot Registration or Serial Number Errors
- Troubleshoot Reporting Errors
- Troubleshoot Device Management License Errors
- Troubleshoot Automatically Reverted Firewall Configurations
- View Task Success or Failure Status
- Generate a Stats Dump File for a Managed Firewall
- Recover Managed Device Connectivity to Panorama
- Restore an Expired Device Certificate
Migrate a Firewall HA Pair to Panorama Management and Push a New Configuration
Migrate a firewall HA pair in an active/active or active/passive configuration to
Panorama™ management and push a new configuration.
This procedure overwrites the local firewall configuration with the configuration
pushed from Panorama.
Migrate a firewall high availability (HA) pair to Panorama management and create a
new Panorama-managed configuration using device groups and template stacks.
To migrate a firewall HA pair to Panorama management and reuse the existing
configuration, see Migrate a Firewall HA Pair to Panorama Management and Reuse Existing Configuration.
Panorama can import configurations from firewalls that run PAN-OS 5.0 or later
releases and can push configurations to those firewalls. The exception is that
Panorama 6.1 and later releases cannot push configurations to firewalls running
PAN-OS 6.0.0 through 6.0.3.
Panorama can import configurations from firewalls that are already managed
devices but only if they are not already assigned to device groups or
templates.
- Plan the migration.See the checklist in Plan the Transition to Panorama Management.
- Disable configuration synchronization between the HA peers.Repeat these steps for both firewalls in the HA pair.
- Log in to the web interface on each firewall, selectand edit the Setup section.DeviceHigh AvailabilityGeneral
- ClearEnable Config Syncand clickOK.
- Committhe configuration changes on each firewall.
- Add the firewall as a managed device.See Add a Firewall as a Managed Device for more information on adding a firewall to Panorama management.
- SelectandPanoramaDevice Registration Auth KeyAdda new authentication key.Copy Auth Keyafter you successfully create the device registration authentication key.
- SelecttoPanoramaManaged DevicesSummaryAdda firewall as a managed device.
- Enter the serial number of each firewall in the HA pair and clickOK.To add multiple firewalls at the same time, enter the serial number of each one on a separate line.
- SelectandCommitCommit to PanoramaCommityour changes.
- Set up a connection from the firewall to Panorama.Repeat these steps for both firewalls in the HA pair.
- Selectand edit the Panorama Settings.DeviceSetupManagement
- In thePanorama Serversfields, enter the IP addresses of the Panorama management server.
- Paste theAuth Keyyou copied in the previous step.
- ClickOKandCommit.
- On the Panorama web interface, selectand verify that thePanoramaManaged DevicesSummaryDevice StateisConnected.
- Repeat this step to create as many device groups as needed to logically group your firewall configurations. Device groups are required to manage device group objects and policies. Learn more about how to manage your device groups.You must add the HA peers to the same device group.
- Create a template and template stack.Templates and template stacks are used to configure the firewallNetworkandDevicesettings that enable firewall to operate on the network.
- Repeat this step to create as many templates as needed to define your required networking configurations.
- Repeat this step to create as many template stacks as needed to quickly apply your defined networking configurations. When you create a template stack, assign the relevant templates and managed firewalls.You must add the HA peers to the same template stack.
- Configure the device groups, templates, and template stacks as needed.
- Push the device group and template stack configuration changes to your managed firewalls.You must first push the device group and template stack configuration to yourpassiveorActive-SecondaryHA peer first and then to theactiveorActive-PrimaryHA peer.
- Log into the firewall web interface of thePassiveorActive-SecondaryHA peer and selecttoDeviceHigh AvailabilityOperational CommandsSuspend local device for high availability.
- Push the Panorama managed configuration to thesuspendedHA firewall.
- SelectandCommitPush and PushEdit Selectionsto modify the Push Scope.
- Disable this setting if you manage and commit local firewall configuration changes independently of the Panorama managed configuration.Merge with Device Candidate Config—This setting is enabled by default and merges any pending local firewall configurations with the configuration push from Panorama. The local firewall configuration is merged and committed regardless of the admin pushing the changes from Panorama or the admin who made the local firewall configuration changes.
- Force Template Values—Overwrites any local firewall configurations with those in the template stack configuration pushed from Panorama in the event of conflicting values.This setting is enabled by default. Enable this setting to overwrite any conflicting firewall configurations with those defined in the template or template stack. Before enabling this setting, review any overridden values to ensure an outage does not occur.
- InDevice GroupsandTemplates, select the suspended HA firewall.
- ClickOKandPush.
- In the firewall web interface of the suspendedpassiveorActive-SecondaryHA peer and selecttoDeviceHigh AvailabilityOperational CommandsMake local device functional for high availability.
- Log into the firewall web interface of theactiveorActive-PrimaryHA peer and selecttoDeviceHigh AvailabilityOperational CommandsSuspend local device for high availability.
- Repeat Step 2 to push the Panorama managed configuration to thesuspendedHA peer.
- Log into the firewall web interface of the suspendedactiveorActive-PrimaryHA peer and selecttoDeviceHigh AvailabilityOperational CommandsMake local device functional for high availability.
- In the Panorama web interface, select, and verify that the device group and template are in sync for HA firewalls. Verify policy rules, objects and network settings on the passive firewall match the active firewall.PanoramaManaged DevicesSummary
- Selectand verify that thePanoramaManaged DevicesSummaryShared PolicyandTemplatestatus isIn Syncfor the newly added firewalls.On the firewall web interface, verify that configuration objects display a green cog, signifying that the configuration object is pushed from Panorama.
- Perform your post-migration test plan.Perform the verification tasks that you devised during the migration planning to confirm that the firewalls work as efficiently with the Panorama-pushed configuration as they did with their original local configuration: see Create a post-migration test plan.