Migrate from an M-500 Appliance to an M-700 Appliance

Plan the migration.
Ensure that both the M-500 appliance and the intermediate Panorama virtual appliance are running the same PAN-OS version. Upgrade the M-700 appliance to a recommended supported PAN-OS version.
In the second phase of the migration, before migrating the configurations from the Panorama Virtual appliance to the M-700 appliance, you must upgrade the Panorama virtual appliance to the same PAN-OS version that is running on the M-700 appliance. For important details about software versions, see Panorama, Log Collector, Firewall, and WildFire Version Compatibility.
Ensure that the M-500 appliance, the intermediate Panorama virtual appliance, and the M-700 appliance are on the same system mode.
Schedule a maintenance window for the migration. Firewalls can buffer logs after the M-500 appliance goes offline and then forward the logs after the M-700 appliance comes online. However, completing the migration during a maintenance window ensures that the logs do not exceed the buffer capacities and are not lost during the transition between the Panorama models.
Purchase the new M-700 appliance, and migrate your subscriptions to the new appliance.
Purchase the new M-700 appliance.
Purchase the new support license and migration license.
When purchasing the new M-700 appliance, provide your sales representative with the serial number and device management auth-code of the M-700 appliance that you are phasing out, and the date when you expect your migration. After you receive the M-700 appliance, register it and activate the device management and support licenses by using the migration and support auth-codes from Palo Alto Networks. On the migration date, the device management license on the M-500 will be decommissioned, preventing you from managing devices or collecting logs using the M-500 appliance. However, the support license is preserved and the Panorama appliance remains under support. You can complete the migration after the effective date, but you will not be able to commit any configuration changes on the decommissioned M-500 appliance. Palo Alto Networks allows up to a 90 day migration grace period when migrating between M-Series appliances. Contact your Palo Alto Networks sales representative for more information about your migration.
Obtain and apply an evaluation or temporary license on the intermediate Panorama virtual appliance.
Log in to the Palo Alto Networks Customer Support Portal.
Select
Assets
Devices
Register New Device
.
In the
Device Type
window, select
Register device using Serial Number or Authorization Code
, and click
Next
.
To activate the Panorama software, enter the serial number you received in the
Request for Software Evaluation Approved
email.
If you plan to use the Panorama software offline, select
Device will be used Offline
, and enter the required information.
Review the EULA and Support Agreement.
If you agree, click
Agree
and
Submit
.
After successful registration, the Assets screen displays the newly registered and activated Eval Panorama.
Perform the initial setup of the intermediate Panorama virtual appliance. For details, see Perform the initial setup of the Panorama virtual appliance.
Edit the M-500 interface configuration to use only the management interface.
The Panorama virtual appliance supports only the management interface for device management and log collection.
Log in to the Panorama web interface of the M-Series appliance.
Select
Panorama
Setup
Management
.
Edit the
General Settings
, modify the
Hostname
, and click
OK
.
Select
Panorama
Setup
Interfaces
Management interface
, and enable the required services.
Disable the services for the other interfaces.
Select
Commit
Commit to Panorama
.
Export the Panorama configuration from the M-500 appliance.
Log in to the Panorama web interface.
Select
Panorama
Setup
Operations
.
Click
Save named Panorama configuration snapshot
, enter a
Name
to identify the configuration, and click
OK
.
Click
Export named Panorama configuration snapshot
, select the
Name
of the configuration you just saved, and click
OK
.
Panorama exports the configuration to your client system as an XML file.
Load the Panorama configuration snapshot that you exported from the M-500 appliance into the Panorama virtual appliance.
The Panorama
Policy
rule
Creation
and
Modified
dates are updated to reflect the date you commit the imported Panorama configuration on the new Panorama. The universally unique identifier (UUID) for each policy rule persists when you migrate the Panorama configuration.
The
Creation
and
Modified
for managed firewalls are not impacted when you monitor policy rule usage for a managed firewall because this data is stored locally on the managed firewall and not on Panorama.
Log in to the Panorama web interface of the Panorama virtual appliance.
Select
Panorama
Setup
Operations
.
Click
Import named Panorama configuration snapshot
.
Browse
for the configuration file you exported from the M-500 appliance, and click
OK
.
Click
Load named Panorama configuration snapshot
, and select the
Name
of the configuration you just imported.
Select a
Decryption Key
(the master key for Panorama) and click
OK
.
Panorama overwrites its current candidate configuration with the loaded configuration. Panorama displays any errors that occur when loading the configuration file. If errors occur, save the errors to a local file. Resolve each error to ensure the migrated configuration is valid.
Log in to the Panorama web interface of the M-700 appliance, select
Panorama
Setup
Interfaces
, and verify that the IP address on the management interface is different from the IP address of the M-500 appliance.
This is to ensure that the connectivity to the Panorama virtual appliance is not disrupted post commit.
Select
Commit
Commit to Panorama
Validate Commit
to review and resolve any configuration issues. Commit the Panorama configuration.
Upgrade the intermediate Panorama virtual appliance to the same version installed on the M-700 appliance.
Export the Panorama configuration from the Panorama virtual appliance.
Log in to the Panorama web interface of the Panorama virtual appliance.
Select
Panorama
Setup
Operations
.
Click
Save named Panorama configuration snapshot
, enter a
Name
to identify the configuration, and click
OK
.
Click
Export named Panorama configuration snapshot
, select the
Name
of the configuration you just saved, and click
OK
.
Panorama exports the configuration to your client system as an XML file.
Perform the initial setup of the M-700 appliance. For details, see Perform the initial setup of the M-Series appliance.
Load the Panorama configuration snapshot that you exported from the Panorama virtual appliance to the M-700 appliance.
The Panorama
Policy
rule
Creation
and
Modified
dates are updated to reflect the date you commit the imported Panorama configuration on the new Panorama. The universally unique identifier (UUID) for each policy rule persists when you migrate the Panorama configuration.
The
Creation
and
Modified
for managed firewalls are not impacted when you monitor policy rule usage for a managed firewall because this data is stored locally on the managed firewall and not on Panorama.
Log in to the Panorama web interface of the Panorama virtual appliance.
Select
Panorama
Setup
Operations
.
Click
Import named Panorama configuration snapshot
.
Browse
for the configuration file you exported from the Panorama virtual appliance, and click
OK
.
Click
Load named Panorama configuration snapshot
, and select the
Name
of the configuration you just imported.
Select a
Decryption Key
(the master key for Panorama) and click
OK
.
Panorama overwrites its current candidate configuration with the loaded configuration. Panorama displays any errors that occur when loading the configuration file. If errors occur, save the errors to a local file. Resolve each error to ensure the migrated configuration is valid.
Review the network configuration on the M-700 appliance.
(
Optional
) Log in to the Panorama web interface of the M-500 appliance, select
Panorama
Setup
Operations
, and click
Shutdown Panorama
.
Shut down the M-500 appliance if you plan to have the same IP address on both the M-500 and M-700 appliances.
Log in to the Panorama web interface of the M-700 appliance, select
Panorama
Setup
Interfaces
, and verify the network configuration on the Management interface to ensure that the connectivity to the M-700 appliance is not disrupted post commit.
Ensure that all the interface configurations are set up based on your requirements for the M-700 appliance.
Select
Commit
Commit to Panorama
Validate Commit
to review and resolve any configuration issues. Commit the Panorama configuration.
Generate a new device registration authentication key for managed device connectivity.
In the Panorama web interface of the M-700 appliance, select
Panorama
Device Registration Auth Key
and
Add
a new authentication key.
Configure the authentication key.
Name
—Enter a descriptive name for the authentication key.
Lifetime
—Enter the key lifetime to specify the duration of the validity of the authentication key.
Count
—Enter the number of devices that will use the authentication key for connecting to Panorama.
Device Type
—Specify whether the authentication key may be used for
Firewalls
,
Log Collectors
, or
Any
device.
Click
OK
.
Copy Auth Key
and
Close
.
After you complete the migration, connectivity to the managed firewalls is lost. Recover connectivity to the managed firewalls.
Log in to the firewall CLI.
Reset the secure connection state.
This command resets the managed device connection to Panorama and is irreversible.
admin>
request sc3 reset
Restart the management server on the managed device.
admin>
  debug software restart process management-server
(
Optional
) If the IP address of the M-700 appliance is different from the M-500 appliance, update the panorama-server IP address.
admin> configure
admin# set deviceconfig system panorama local-panorama panorama-server <panorama-ip> [panorama-server-2 <panorama-ha-peer-ip>]
admin# commit
admin# exit
Add the device registration authentication key you copied in Step 16.
admin>
      request authkey set <auth_key>
Verify the managed device connectivity to Panorama.
admin>
show panorama-status
Verify that the IP address of the M-700 appliance appears and the Panorama server
Connected
status displays
yes
.
After you complete the migration, connectivity to the managed log collectors is lost. Recover connectivity to the managed log collectors.
Log in to the Dedicated Log Collector CLI.
Reset the secure connection state.
This command resets the managed device connection to Panorama and is irreversible.
admin>
request sc3 reset
Restart the management server on the managed device.
admin>
  debug software restart process management-server
(
Optional
) If the IP address of the M-700 appliance is different from the M-500 appliance, update the panorama-server IP address.
admin> configure
admin # set deviceconfig system panorama-server <panorama-ip> [panorama-server-2 <panorama-ha-peer-ip>]
admin# Commit
admin# exit
Add the device registration authentication key you copied in Step 16.
admin>
      request authkey set <auth_key>
Verify the managed device connectivity to Panorama.
admin>
show panorama-status
Verify that the IP address of the M-700 appliance appears and the Panorama server
Connected
status displays
yes
.
Select
Commit
Commit to Panorama
Validate Commit
to review and resolve any configuration issues. Commit the Panorama configuration.
Synchronize the M-700 appliance with the managed devices.
Select
Commit
Push to Devices
and
Edit Selections
.
Select all the devices under
Device Groups
,
Templates
, and
Collector Groups
, and click
OK
.
Push your changes.
Select
Panorama
Managed Devices
Summary
, and verify that all the firewalls are connected. Also, verify that the shared policy and template configurations of the firewalls are
In sync
with Panorama.
Select
Panorama
Managed Collectors
, and verify that the configuration status is
In Sync
with Panorama, and the health status is
Green
for all the log collectors.