Migrate From Panorama to Strata Cloud Manager (NGFW)

Table of Contents

Migrate From Panorama to Strata Cloud Manager (NGFW)

Learn about the migration process for migrating your NGFW deployments from Panorama to Strata Cloud Manager.

You can migrate your existing NGFW configurations from Panorama to Strata Cloud Manager for cloud-based configuration management.

During the migration, Strata Cloud Manager:

Copies and translates supported security policies, network configurations, and objects.
Maintains existing network topology and NGFW deployments.
Highlights areas that are partially supported or unsupported.

Contact your Palo Alto Networks account team to enable migration workflow.

Managing your NGFWs using Strata Cloud Manager instead of Panorama can offer you benefits such as unified management for Prisma Access and NGFWs, cloud-native scalability of your network, and enhanced visibility.

Strata Cloud Manager guides you through migrating your configurations with these key steps:

Upload existing configurations — Import your current Panorama configurations.
Run compatibility assessment — Identify unsupported features or configurations that need attention.
Perform validation and prepare for deployment — Complete final checks before migration.
Migration control — Devices and device groups can be migrated in phases, allowing you to migrate non-critical devices or go site-by-site.

Review results at each step, make necessary adjustments, and verify that your configurations are fully compatible with Strata Cloud Manager before completing the migration.

Configuration Management Comparison for Panorama and Strata Cloud Manager

Panorama manages NGFW configurations using a dual-structure approach:

Device Groups — Organize firewalls into hierarchical groups for security policy management (security rules, NAT policies, application filters).
Templates and Template Stacks — Define network and device settings (interfaces, zones, routing, system settings).
Inheritance — Device Groups inherit policies from parent groups; Template Stacks layer multiple templates with override capabilities.

Strata Cloud Manager uses a unified, flexible approach:

Folders — Hierarchical containers that hold both security policies AND network configurations.
Snippets — Reusable configuration blocks that can be attached to folders at any level.
Containers — Device-specific configuration holders for unique firewall requirements .

During migration from Panorama to Strata Cloud Manager:

Panorama	Strata Cloud Manager
Device Groups	Folders
Templates & Template Stacks	Snippets
Shared DG	All Firewalls Folder
Shared Objects	Global folder as an attached Snippet
Policies in Device Groups	Policies under mapped Folder(s)
Objects (addresses, EDLs, etc.)	Objects under mapped Folder(s)

Key difference between Panorama and Strata Cloud Manager to keep in mind:

Strata Cloud Manager Folders contain both network and security configurations, while Panorama separates these between Templates and Device Groups
Strata Cloud Manager Folders provide more flexible inheritance with Snippet-based overrides versus the lower-level group overrides seen in Panorama
Strata Cloud Manager Snippets provide a more plug-and-play approach to configurations compared to Panorama's Templates and Template stacks that are inherited down the stack.

After migration, you manage configurations through the folder and snippet model. Snippet attachment order determines configuration precedence, providing granular control over how multiple configuration sources combine. You can also create device-specific containers for NGFWs requiring unique configurations outside the folder inheritance model.

Additional Resources

Learn more about Device Groups and Templates.

Learn more about Snippets and Folders

Prepare to Migrate Your NGFWs to Strata Cloud Manager

Before beginning the migration, ensure you have the following items ready:

Minimum Software Requirements: PAN-OS 10.2.3 or later
Export Panorama Configuration File: Export the complete running configuration from your source Panorama instance in XML format
Panorama Master Key: Obtain the master key used for encryption in your Panorama configuration (if not using the default key)
Strata Cloud Manager Tenant: Verify that your Strata Cloud Manager tenant is deployed, properly licensed, and operational
NGFW Configuration: Collect the last-pushed configuration files (Technical Support Files) from NGFWs you plan to validate post-migration
Network Topology: Review your current device group hierarchies, template relationships, and NGFW assignments
Configuration Backup: Create complete backups of your current Panorama and NGFW configurations as a safety measure
Administrative Access: Ensure you have access to the Superuser role in both Panorama and Strata Cloud Manager.
Migration Planning: Identify which device groups, templates, and NGFWs you want to migrate in your initial phase
Compatibility Matrix: Understand which features may not be supported in Strata Cloud Manager and plan for any necessary configuration adjustments

Migrate Your Panorama Managed NGFWs to Strata Cloud Manager

Migrate your NGFW configurations from Panorama to Strata Cloud Manager:

Prepare your Panorama for the migration.
1. Log in to the Panorama that manages your NGFWs with an administrative account that is assigned the Superuser role.
2. (Optional) If you have configured a custom Master Key for Panorama, make a note of it.
  If your deployment uses the default Master Key, this step isn't required.
3. Ensure that your current Panorama configuration is up to date and that you have committed and pushed all your current changes to Panorama by going to CommitCommit & Push and Preview Changes.
4. (Optional) Check the diffs between the running configuration and the candidate configuration and determine whether you want to push those changes. To commit and push the changes, Edit Selections and select the NGFWs you want to push in the Push Scope.
5. (Optional) Commit and Push your changes.
6. Go to PanoramaSetupOperations and Export the named Panorama configuration snapshot.
  The .xml file is required to upload to Strata Cloud Manager during the migration process. Don't upload a techsupport file or any other file except an .xml configuration file.
7. Select the running-config.xml configuration file and click OK.
Log in to Strata Cloud Manager as an administrator with a Superuser role and go to ConfigurationOnboarding.
The migration program detects that you have a Panorama managed deployment.
1. Confirm the tenant is correct.
2. (Optional) Create a Named Snapshot of your running configuration in the event that a rollback is necessary.
Migration should not be attempted during an Strata Cloud Manager upgrade window. Check your upgrade schedule to see if you have an upcoming upgrade.
Read the migration Overview.
1. Review the management building blocks of Strata Cloud Manager: Folders and Snippets.
2. Click Next: Upload Panorama Configuration.
Upload the Panorama configuration.
1. Select the Panorama configuration .xml file you downloaded in an earlier step by dragging and dropping it from your file explorer or selecting Choose File.
2. (Optional) Input your Master Key or, if you did not create a custom master key, use the Default one.
3. Click Next: Review Migration Compatibility.
Review the configuration compatibility.
1. (Optional) Export Compatibility Summary and review your organization’s configuration compatibility before continuing and allowing Strata Cloud Manager to trim any unsupported or partially supported configurations.
  The trimming of unsupported and partially supported features avoids migrating features that cannot be deployed safely or securely in Strata Cloud Manager.
  This process will only impact the staged configuration for Strata Cloud Manager. The configurations in Panorama will remain unaffected.
  For each flagged area, you should plan to rebuild, replace, or defer those configurations.
2. Review the Unsupported Features that will be trimmed from your configuration during the migration.
  
  These features will be trimmed from your configurations and will not be staged in Strata Cloud Manager during the configuration migration process.
3. Review the Partially Supported Features and determine a resolution path.
  
  Identify what exactly is going to be missing from the configuration.
  
  You can accept the partially supported features and build a remediation plan post-migration or return to your Panorama configuration and clean these areas up before starting the migration process again.
4. Acknowledge the unsupported and partially supported features.
5. Click Next: Select Device Groups to Migrate.
For those just looking to compare supported configurations, or if it is decided than more planning is needed, you can end the migration process here.
Select the Devices or Device Groups you would like to migrate.
If you are migrating NGFWs from Panorama for the first time, it is recommended to only migrate non-critical devices or device groups first to test how your configurations will be migrated to Strata Cloud Manager.

During the migration:
- Objects are imported to a Snippet and attached to the Global folder.
- Policies are imported under the Folder(s) migrated by the workflow.
- Shared Device Groups are automatically mapped to the All Firewalls Folder.
1. Click Next: Map Templates to Folders.
Map Templates to your newly configured Folders.

During the migration Templates are configured into equivalent Snippets.

If two or more Device Groups reuse the same template, elevate it to a higher folder. If only one site requires it, keep it at the site level.
1. Select a Device Group to reveal the Templates/Template Stacks used by that device group.
2. Edit the mapping to assign each Template/Template Stack to a Folder.
3. Elevate templates referenced in multiple places to higher folders.
  
  For example, if you have global template settings, mapping them to the All Firewalls folder establishes those settings as the source of truth for all NGFWs.
4. After assigning more than one Snippet to a Folder, adjust the order.
5. Move Up or Move Down to finalize the order.
6. Update the order.
7. Save the new order.
  Before moving on to the next step, ensure the following:
  No unassigned templates or template stacks remain.
  Any templates referenced by multiple device groups have been elevated to the proper folders.
8. Click Next: Prepare Migration.
  
  The migration process begins.
  
  Wait for all steps to be completed.
  
  If there are any issues with the migration, return to the previous steps to evaluate and make changes. If issues continue to persist, please contact Palo Alto Networks Support.
Prepare to migrate.
1. Load Configuration to Strata Cloud Manager to prepare to migrate.
  The migration worfklow:
  Translates Devices and Device Groups and Templates and Template Stacks to Folders and Snippets using the mappings and snippets order defined by you.
  Creates a Strata Cloud Manager snapshot to enable rollback of staged changes.
  Checks for conflicts in existing Strata Cloud Manager configurations (name collisions, missing references, 31-character limits, RBAC scope).
  Builds the staged configuration that will be in Strata Cloud Manager post-load.
2. Load Results and review what objects, policies, or snippets were created, updated, or skipped.
3. Review the Validation Results for any errors, warning, and informational messages post migration.
4. Click Next: Review Config Diffs.
  This commits the newly generated configuration to Strata Cloud Manager.
Review the configuration diffs.
1. In the left folder tree, expand to the Folder and select an NGFW serial number to be validated
2. Browse File and choose the TSF for the selected serial number.
  
  Uploading the TSF for the chosen NGFW will allow you to properly validating all the supported, partially supported, and unsupported configurations.
  
  Be sure to look for anything that has been created, modified, or deleted. Configurations being trimmed should not come as a surprise.
  
  Because of naming conventions in Strata Cloud Manager, some long names will be compressed when needed.
3. Review the configuration diff panes.
  Green Panes: Created or added. They are present in Strata Cloud Manager, but not on the original device.
  Red Panes: Deleted or trimmed. May not be supported in Strata Cloud Manager, but are on the device.
  Yellow Panes: Modified.
  
  The diff view may be extensive, limited to one NGFW at a time, and calculated from the last pushed XML from the TSF.
4. Verify the diffs for representative devices from each pattern or site type.
5. (Optional) Export the diff results.
6. (Optional)Regenerate Diffs if any corrections have been made.
7. Click Next: Confirm and Finish.
Confirm and finish your migrations of NGFWs to Strata Cloud Manager.
Now that your migration is complete, review the available documentation for Strata Cloud Manager.
1. Ensure the results from Steps 8 and 9 are accepted.
2. Confirm the migration.
  This officially marks the migration as complete.
3. (Optional) To revert the configuration to its pre-migration state at any point, select Revert. This initiates a rollback workflow, restoring Strata Cloud Manager to a Snapshot taken before the migration was loaded.
4. (Optional) To cancel the migration at any point, select Cancel Migration. This aborts the migration process and cleans up any temporary changes.