Prisma Access
Migrate Prisma Access from Panorama to Strata Cloud Manager
Table of Contents
Migrate Prisma Access from Panorama to Strata Cloud Manager
Prisma Access
from Panorama to Strata Cloud Manager
Migrate your Prisma Access deployment from Panorama to Strata Cloud
Manager.
Where Can I Use This? | What Do I Need? |
|---|---|
|
|
If you have an existing
Prisma Access
Deployment for which the configuration is
managed by Panorama and want to migrate to Strata Cloud Manager
for configuration
management, Palo Alto Networks offers an in-product workflow that lets you migrate
your existing Prisma Access
configuration to Strata Cloud Manager
.Managing your
Prisma Access
configuration using Strata Cloud Manager
instead of
Panorama can offer you benefits such as:- Continuous best practice assessments
- Secure default configurations
- Machine Learning (ML)-based configuration optimization
- Streamlined web security workflows
- An interactive visual summary (Command Center) that helps you to assess the health, security, and efficiency of the network
- Intuitive workflows for complex tasks
- Simple and secure management APIs
- Cloud-native architecture provides scalability, resilience, and global reach
- No hardware to manage or software to maintain
Prepare to Migrate to Prisma Access (Managed by Strata Cloud Manager)
Prisma Access (Managed by Strata Cloud Manager)
Before you start your migration, you should be aware
of the minimum software requirements and the types of
Prisma Access (Managed by Panorama)
deployments you can migrate. - One-Way Migration from Panorama to—You can only migrate from aPrisma Access (Managed by Strata Cloud Manager)Prisma Access (Managed by Panorama)to aPrisma Access (Managed by Strata Cloud Manager)deployment. After you migrate toStrata Cloud Manager, you cannot return to managing yourPrisma Accessdeployment using Panorama.
- Minimum Panorama Version—A minimum Panorama version of 10.0 is required.
- Required Administrator Role—You must be logged in as a superuser inStrata Cloud Managerto begin the migration.
- Cloud Identity Engine—You must have integrated the Cloud Identity Engine withPrisma Accessto facilitate the retrieval of user and group information.
- Unsupported Functionalities—The migration program does not support the followingPrisma Accessfunctionalities:
- Data Filtering (as an alternative, use Enterprise DLP)
- Separate authentication for GlobalProtect portals and gateways
- Config Diff Issues—When you run the config diff during the migration, ignore any diffs that show the following object names because they don't affect your configuration:
- Clientless-vpn crypto-settings
- Hip-profiles rename
- Mobile-user-redundancy
- Exclude-video-traffic
Migrate Your Prisma Access (Managed by Panorama) to Strata Cloud Manager
Prisma Access (Managed by Panorama)
to Strata Cloud Manager
To migrate your
Prisma Access (Managed by Panorama)
to a Prisma Access (Managed by Strata Cloud Manager)
deployment, complete the following steps.At a high level,
you:
- Make sure that you have successfully pushed the latest configuration toPrisma Access, have saved the latest configuration, and have exported an .xml configuration file from the Panorama that managesPrisma Access.
- Start the migration program fromStrata Cloud Manager.
- Check the configuration differences (diffs) between the Panorama configuration and the migratedStrata Cloud Managerconfiguration.
- Resolve the diffs and complete the migration.
- Prepare your Panorama for the migration.
- Log in to the Panorama that managesPrisma Accesswith an administrative account that is assigned the superuser role.
- (Optional) If you have configured a custom Master Key for your Panorama and forPrisma Access, make a note of it.If your deployment uses the default Master Key, this step isn't required.
- Make sure that your current Panorama configuration is up to date and you have committed and pushed all your changes to Panorama and toPrisma Accessby going to andPreview Changes.
- (Optional) Check the diffs between the running config and the candidate config and determine whether you want to push those changes. If you want to commit and push the changes,Edit Selectionsand select thePrisma Accesscomponents you want to push in thePush Scope.
![]()
![]()
- (Optional)Commit and Pushyour changes.
![]()
- Go to andExport named Panorama configuration snapshot.This .xml file is required to upload toStrata Cloud Managerduring the migration process.Don't upload a techsupport file or any other file except an .xml configuration file.
- Selectrunning-config.xmlconfiguration,Select Device Groups & Templates, and clickOK.
![]()
- Log in toStrata Cloud Manageras an administrator with a Superuser role and go to .The migration program detects that you have a Panorama managed deployment.
- Start Migration.
![]()
- The migration program asks you to make sure that your configuration is up to date and shows you the last user who updated it. After you have verified that this configuration has the latest changes, selectConfirmed they are up to dateand clickNext.
![]()
- Select the Panorama configuration .xml file you downloaded in an earlier step by dragging and dropping it orChoose File.
- Input yourMaster Key, or if you did not create a custom master key, askStrata Cloud Managerto use theDefaultone and clickNext.
![]()
The migration program begins.![]()
Wait for all the steps to complete. - If, during migration, the program indicates that it encountered an unsupported configuration, you canTrim the above configurations and proceedorCancel migration.
![]()
Some unsupported configurations (such as a multitenant configuration) cancel the migration and the migration program can't resolve the issue; in this case,Cancel Migration. - After migration completes, clickNext.
![]()
- If the migration program made changes, review them in the final confirmation screen.The migration program might make changes to your configuration to account for differences in the Panorama and theStrata Cloud Managerconfiguration or to fix unsupported functionality. If changes are required, the migration program shows those changes in a diff view with the new lines in green and the deleted lines in red.Ignore any diffs that show the following object names; they don't affect your configuration:
- Clientless-vpn crypto-settings
- Hip-profiles rename
- Mobile-user-redundancy
- Exclude-video-traffic
![]()
- (Optional) Make changes to the diffs.
- Navigate to the area inStrata Cloud Managerwhere you found the diffs and make changes to the configuration.For the example in the previous step, the migration program made a change to Backbone Routing (fromno-asymmetric-routingtoasymmetric-routing-only). To change this, go to and change theBackbone Routingconfiguration toDisable Asymmetric Routing for Service Connections.
![]()
- (Optional) To keep track of your changes,Acknowledgethem as you complete them.While not required, it can be useful to acknowledge each change as you make them, so you can keep track of them.
![]()
- Continue to review the changes and make changes and acknowledge them.
- (Optional) If you have made any changes to the configuration,Regenerate Diffsto see the updated diffs.
![]()
- Complete Migration.While not required, you can alsoAcknowledgeyour changes.
![]()
- Confirm your migration by clickingOK.You can choose to push your configuration now, or push your configuration after the migration completes.After youComplete Migration, you can't go back to a Panorama managed deployment and your deployment permanently usesStrata Cloud Managerfor its management.
![]()
A progress screen displays.![]()
After migration completes, a screen displays indicating that migration is complete. - (Optional)Go to Configuration Pageto see your migrated configuration.
![]()
Your migrated deployment displays.![]()
