Focus

Next-Generation Firewall

Migrate to NGFW Clustering

Table of Contents

Filter

Expand All | Collapse All

Next-Generation Firewall Docs

Getting Started
Administration
Networking
Quick Start
Reference
Incidents & Alerts
Release Notes
Select a Document
- PAN-OS 12.1
- PAN-OS 11.2
- PAN-OS 11.1
- PAN-OS 11.0 (EoL)
- PAN-OS 10.2
- PAN-OS 10.1 (EoL)
- PAN-OS 10.0 (EoL)
- PAN-OS 9.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 8.1 (EoL)
Help
Select a Document
- PAN-OS 12.1
- PAN-OS 11.2
- PAN-OS 11.1
- PAN-OS 10.2
- PAN-OS 10.1

NGFW Clusters

Configure an NGFW Cluster

Migrate to NGFW Clustering

Migrate a non-PA-7500 Series firewall with a Panorama non-clustering template to a PA-7500 Series firewall with a Panorama clustering template.

Where Can I Use This?	What Do I Need?
NGFW (Managed by PAN-OS or Panorama)	Panorama PAN-OS 11.1.5 and Panorama Clustering Plugin 2.0.0

In preparation for configuring NGFW clustering on a PA-7500 Series firewall, this task describes how to migrate from a non-PA-7500 Series firewall with an existing Panorama non-clustering template (that has an Ethernet interface reference) to PA-7500 Series firewall with a Panorama clustering template (that has a cluster Ethernet interface reference). The migration process also converts a device group that references an Ethernet interface to a device group that references a cluster Ethernet interface.

This migration process is supported in PAN-OS 11.1.5 and later releases.

The system does not support the migration of multi-vsys regular templates to multi-vsys cluster templates.

Perform the following prerequisites before you begin migration:

In order to migrate a template to a clustering template, the local firewall configuration must be available as a template and device group in Panorama. If that isn't the case, migrate all firewall local configurations to Panorama by following the procedure in Migrate a Firewall to Panorama Management.
NGFW clustering doesn't support multiple virtual systems. If your original configuration has Multi Virtual System Capability enabled, perform the following steps:
1. Convert the multi-vsys configuration to a single virtual system and remove the other virtual systems.
  
  If you have a local configuration in DeviceServer ProfileDNS, remove the configuration.
2. Disable Multi Virtual System Capability in the template configuration.
3. On the firewall, from DeviceSetupPanorama Settings, select Disable Panorama Policy and Objects and Disable Device and Network Template to remove the Panorama pushed configuration. (You don't need to commit.)
4. In the Panorama Template Stack for the firewall, set Default VSYS to vsys1.
5. In Panorama, push the device group to the firewall, and select include Device and Network Templates. (This will push both the device group and template to the firewall.)

After completing the prerequisites, you're ready to perform the migration using Panorama. This task illustrates an example migration.

Select PanoramaTemplates. Our example has two preexisting non-clustering templates:
- Node1-Regular-Template
- Node2-Regular-Template
Select the checkbox to the left of one of the templates and select Clone at the bottom of the screen.

This adds a new template with -1 appended to the end of the template name. Clone both templates. The cloned templates are named:
- Node1-Regular-Template-1
- Node2-Regular-Template-1
Add the non-clustering templates from the prior step to a device group under PanoramaDevice Groups.
Select the cloned Node1-Regular-Template-1 and select Migrate at the bottom of the screen.
Select Yes, which creates a backup of the cloned non-clustering template (which you can ignore).
Enter the Node ID (1 or 2). For our example, enter 1.
The cloned non-clustering template (Node1-Regular-Template-1) is overridden to become the migrated clustering template by the same name. You can give the template a new Name. Enable clustering is selected by default.
Repeat Step 4 through Step 6 for the other non-clustering template (Node2-Regular-Template-1), using the other Node ID (Node ID 2) to override that non-clustering template and migrate it into a clustering template (Node2-Regular-Template-1). Again, you can give the template a new Name.
Create a clustering template stack and associate the created templates from Steps 7 and 8 for common configuration.
Any non-cluster templates that get migrated to cluster templates and have references in Device Group are also converted. You can keep clustering templates or change to clustering template stacks in the device group.
Keep in mind:
Template stacks cannot be cloned.
A template stack that has templates present in it cannot be migrated successfully.
Learn about NGFW Clustering and learn about inter-firewall links, MC-LAGs, node states, and more in NGFW Clusters.
In Panorama, from PanoramaFirewall Cluster, create a cluster of cluster type: PA, and add the two PA-7500 Series firewalls. Refer to Configure an NGFW Cluster.
Push the device group and cluster template to the PA-7500 nodes.
1. Review the device group and template configuration for interface references and unsupported features.
2. In NetworkIKE Gateways, if IKEv1 is configured, change it to IKEv2. (An NGFW cluster doesn't support IKEv1.)
3. In Panorama, push the cluster template to the PA-7500 Series nodes.
4. In Panorama, push the device group to the PA-7500 Series firewall; select include Device and Network Templates. (This will push both the device group and template to the PA-7500 Series firewall.)

NGFW Clusters

Configure an NGFW Cluster

Next-Generation Firewall Docs

Migrate to NGFW Clustering

Next-Generation Firewall Docs

Migrate to NGFW Clustering

Activation and Onboarding

Next-Generation Firewalls

SASE

Cloud-Delivered Security Services

Network Security

Endpoints

Visibility & Monitoring

FedRAMP

Hardware Reference

Hardware Quick Start Guides

Virtual ION Deployment

3rd Party Integrations

Best Practices

Experts Corner