Migrate from an M-Series Appliance to a Panorama Virtual Appliance

Procedure to migrate from an M-Series appliance to a Panorama virtual appliance on Panorama 9.1
You can migrate the Panorama configuration from an M-100, M-200, M-500, or M-600 appliance to a Panorama virtual appliance in Panorama mode. However, you cannot migrate the logs because the log format on the M-Series appliances is incompatible with that on the Panorama virtual appliances. Therefore, if you want to maintain access to the old logs stored on the M-Series appliance, you must continue running the M-Series appliance as a Dedicated Log Collector after the migration and add it to the Panorama virtual appliance as a managed collector.
If your Panorama management server is part of a high availability configuration, you must deploy a second Panorama virtual appliance of the same hypervisor or cloud environment, and purchase the required device management and support licenses. See Panorama HA Prerequisites for a full list of HA requirements.
Policy rule usage data is not preserved when you transition to a different Panorama model. This means that all existing policy rule usage data from the old Panorama is no longer displayed after a successful migration to a new Panorama model. After a successful migration, Panorama begins tracking policy rule usage data based on the date the migration was completed. For example, the Created date displays the date the migration was completed.
  1. Plan the migration.
    • Upgrade the M-Series appliance to PAN-OS 9.1 or a later release before migrating to the Panorama virtual appliance. To upgrade Panorama, see Install Content and Software Updates for Panorama. For important details about software versions, see Panorama, Log Collector, Firewall, and WildFire Version Compatibility.
    • Schedule a maintenance window for the migration. Although firewalls can buffer logs after the M-Series appliance goes offline and then forward the logs after the Panorama virtual appliance comes online, completing the migration during a maintenance window minimizes the risk that logs will exceed the buffer capacities during the transition to a different Panorama model.
  2. Purchase management and support licenses for the new Panorama virtual appliance.
    1. Contact your sales representative to purchase the new device management and support licenses.
    2. Provide your sales representative the serial number of the M-Series appliance you plan to phase out, the serial number and support auth code you received when you purchased the new Panorama virtual appliance, and the date when you expect your migration from the old device to the new virtual appliance to be completed. Before the migration date, register the serial number and activate the support auth code on the new virtual appliance so that you can begin your migration. The capacity auth code on the old M-Series appliance is automatically removed on the expected migration completion date you provided.
  3. Perform the initial setup of the Panorama virtual appliance.
  4. Edit the M-Series appliance Panorama interface configuration to only use the management interface.
    The Panorama virtual appliance supports only the management interface for device management and log collection.
    1. Log in to the Panorama Web Interface of the M-Series appliance.
    2. Select Panorama > Setup > Management.
    3. Edit the General Settings, modify the Hostname, and click OK.
    4. Select Interfaces and edit the Management interface to enable the required services.
    5. Disable services for the remaining interfaces.
    6. Select Commit > Commit to Panorama.
  5. Add the IP address of the new Panorama virtual appliance.
    On the M-Series appliance, add the public IP address of the Panorama virtual appliance as the second Panorama Server to manage devices from the new Panorama management server. If the Panorama virtual appliance is deployed on AWS, Azure or Google™ Cloud Platform, use the public IP address.
    1. Select Device > Setup.
    2. In the Template context drop-down, select the template or template stack containing the Panorama server configuration.
    3. Edit the Panorama Settings.
    4. Enter the Panorama virtual appliance public IP address and click OK.
    5. Select Commit > Commit and Push.
  6. Export the configuration from the M-Series appliance.
    1. Select Panorama > Setup > Operations.
    2. Click Save named Panorama configuration snapshot, enter a Name to identify the configuration, and click OK.
    3. Click Export named Panorama configuration snapshot, select the Name of the configuration you just saved, and click OK. Panorama exports the configuration to your client system as an XML file. Save the configuration to a location external to the Panorama appliance.
  7. Power off the M-Series appliance or assign a new IP address to the management (MGT) interface.
    If the M-Series appliance is in Panorama mode and has logs stored on the local Log Collector that you need to access on the new Panorama virtual appliance, you must change the IP address on the M-Series appliance in order to add it to the Panorama virtual appliance as a managed Log Collector.
    • To power off the M-Series appliance:
    1. Log in to the Panorama web interface.
    2. Select Panorama > Setup > Operations, and under Device Operations, Shutdown Panorama. Click Yes to confirm the shutdown.
    • To change the IP address on the M-Series appliance:
    1. Log in to the Panorama web interface.
    2. Select Panorama > Setup > Management, and edit the Management Interface Settings.
    3. Enter the new IP Address and click OK.
    4. Select Commit > Commit to Panorama and Commit your changes.
  8. Load the Panorama configuration snapshot that you exported from the M-Series appliance into the Panorama virtual appliance.
    The Panorama Policy rule Creation and Modified dates are updated to reflect the date you commit the imported Panorama configuration on the new Panorama. The universally unique identifier (UUID) for each policy rule persists when you migrate the Panorama configuration.
    The Creation and Modified dates for managed firewalls are not impacted when you monitor policy rule usage for a managed firewall because this data is stored locally on the managed firewall and not on Panorama.
    1. Log in to the Panorama web interface of the Panorama virtual appliance, and select Panorama > Setup > Operations.
    2. Click Import named Panorama configuration snapshot, Browse to the Panorama configuration file you exported from the M-Series appliance, and click OK.
    3. Click Load named Panorama configuration snapshot, select the Name of the configuration you just imported, select a Decryption Key (the master key for Panorama), and click OK. Panorama overwrites its current candidate configuration with the loaded configuration. Panorama displays any errors that occur when loading the configuration file.
    If errors occurred, save them to a local file. Resolve each error to ensure the migrated configuration is valid. The configuration has been loaded once the commit is successful.
  9. Change the M-Series appliance to Log Collector mode to preserve existing log data.
    Logging data is erased if you change to Log Collector mode while the logging disks are still inserted in the M-Series appliance. Logging disks must be removed before changing mode to avoid log data loss.
    Generating the metadata for each disk pair rebuilds the indexes. Therefore, depending on the data size, this process can take a long time to complete. To expedite the process, you can launch multiple CLI sessions and run the metadata regeneration command in each session to complete the process simultaneously for every pair. For details, see Regenerate Metadata for M-Series Appliance RAID Pairs.
    1. Remove the RAID disks from the old M-Series appliance.
      1. Power off the M-Series appliance by pressing the Power button until the system shuts down.
      2. Remove the disk pairs. For details, refer to the disk replacement procedure in the M-Series Appliance Hardware Reference Guides.
    2. Power on the M-Series appliance by pressing the Power button.
    3. If an admin administrator account is already created, continue to the next step.
      An admin account with superuser privileges must be created before you switch to Log Collector mode or you lose access to the M-Series appliance after switching modes.
    4. Log in to the Panorama CLI on the old M-Series appliance.
    5. Switch from Panorama mode to Log Collector mode.
      • Switch to Log Collector mode by entering the following command:
        > request system system-mode logger
      • Enter Y to confirm the mode change. The M-Series appliance reboots. If the reboot process terminates your terminal emulation software session, reconnect to the M-Series appliance to see the Panorama login prompt.
        If you see a CMS Login prompt, this means the Log Collector has not finished rebooting. Press Enter at the prompt without typing a username or password.
      • Log back in to the CLI.
      • Verify that the switch to Log Collector mode succeeded:
        > show system info | match system-mode
        If the mode change succeeded, the output displays:
        system-mode: logger
    6. Insert the disks back into the old M-Series appliance. For details, refer to the disk replacement procedure in the M-Series Appliance Hardware Reference Guides.
      You must maintain the disk pair association. Although you can place a disk pair from slot A1/A2 into slot B1/B2, you must keep the disks together in the same slot; otherwise, Panorama might not restore the data successfully.
    7. Enable the disk pairs by running the following CLI command for each pair:
      > request system raid add <slot> force no-format
      For example:
      > request system raid add A1 force no-format
      > request system raid add A2 force no-format
      The force and no-format arguments are required. The force argument associates the disk pair with the new appliance. The no-format argument prevents reformatting of the drives and retains the logs stored on the disks.
    8. Generate the metadata for each disk pair.
      > request metadata-regenerate slot <slot_number>
      For example:
      > request metadata-regenerate slot 1
    9. Enable connectivity between the Log Collector and Panorama management server.
      Enter the following commands at the Log Collector CLI, where <IPaddress1> is for the MGT interface of the solitary (non-HA) or active (HA) Panorama and <IPaddress2> is for the MGT interface of the passive (HA) Panorama, if applicable.
      > configure
      # set deviceconfig system panorama-server <IPaddress1> panorama-server-2 <IPaddress2>
      # commit
      # exit
  10. Synchronize the Panorama virtual appliance with the firewalls to resume firewall management.
    Complete this step during a maintenance window to minimize network disruption.
    1. On the Panorama virtual appliance, select Panorama > Managed Devices and verify that the Device State column displays the firewalls as Connected.
      At this point, the Shared Policy (device groups) and Template columns display Out of sync for the firewalls.
    2. Push your changes to device groups and templates:
      1. Select Commit > Push to Devices and Edit Selections.
      2. Select Device Groups, select every device group, and Include Device and Network Templates.
      3. Select Collector Groups, select every collector group, and click OK.
      4. Push your changes.
    3. In the Panorama > Managed Devices page, verify that the Shared Policy and Template columns display In sync for the firewalls.
  11. (HA only) Modify the Panorama virtual appliance HA peer configuration.
    1. On an HA peer, log in to the Panorama Web Interface, select Panorama > High Availability, and edit the Setup.
    2. In the Peer HA IP Address field, enter the new IP address of the HA peer and click OK.
    3. Select Commit > Commit to Panorama and Commit your change.
    4. Repeat these steps on the other peer in the HA pair.
  12. (HA only) Synchronize the Panorama peers.
    1. Access the Dashboard on one of the HA peers and select Widgets > System > High Availability to display the HA widget.
    2. Sync to peer, click Yes, and wait for the Running Config to display Synchronized.
    3. Access the Dashboard on the remaining HA peer and select Widgets > System > High Availability to display the HA widget.
    4. Verify that the Running Config displays Synchronized.
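
For steps 6 and 8, an added example (not part of the original procedure and not Palo Alto Networks code) of a workstation-side check that the exported XML snapshot is unchanged since export, well-formed, and readable only by its owner before you import it into the Panorama virtual appliance. The `config` root element name, the file name and the sample XML are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile
import xml.etree.ElementTree as ET

def snapshot_digest(path):
    """SHA-256 of the exported snapshot; record it right after the export."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def check_snapshot(path, recorded_digest, expected_root="config"):
    """Return a list of problems; an empty list means the file is fit to import."""
    problems = []
    if snapshot_digest(path) != recorded_digest:
        problems.append("digest mismatch: file changed since export")
    try:
        root = ET.parse(path).getroot()
        if root.tag != expected_root:  # assumed root element name
            problems.append(f"unexpected root element <{root.tag}>")
    except ET.ParseError as exc:
        problems.append(f"not well-formed XML: {exc}")
    # The snapshot holds the full management configuration; keep it owner-only.
    if os.name == "posix" and os.stat(path).st_mode & 0o077:
        problems.append("readable by group/other: restrict to mode 0600")
    return problems

def demo():
    """Constructed sample: an intact export, then a copy truncated in transit."""
    sample = b'<config version="9.1.0"><mgt-config/><devices/></config>'
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "m-series-snapshot.xml")  # hypothetical name
        with open(path, "wb") as f:
            f.write(sample)
        os.chmod(path, 0o600)
        recorded = snapshot_digest(path)
        intact = check_snapshot(path, recorded)
        with open(path, "wb") as f:
            f.write(sample[:-10])  # drop the tail to simulate a partial copy
        damaged = check_snapshot(path, recorded)
    return intact, damaged

if __name__ == "__main__":
    print(demo())
```

Store the recorded digest separately from the snapshot file so that a change to one cannot silently be matched in the other.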
