Migrate to NGFW Clustering
Table of Contents
Expand All
|
Collapse All
Next-Generation Firewall Docs
-
-
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0 (EoL)
- PAN-OS 11.1 & Later
- PAN-OS 9.1 (EoL)
-
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0 (EoL)
- PAN-OS 11.1 & Later
-
-
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0 (EoL)
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1 (EoL)
Migrate to NGFW Clustering
Migrate a non-PA-7500 Series firewall with a Panorama non-clustering template to a
PA-7500 Series firewall with a Panorama clustering template.
In preparation for configuring NGFW clustering on a PA-7500 Series firewall, this
task describes how to migrate from a non-PA-7500 Series firewall with an existing
Panorama non-clustering template (that has an Ethernet interface reference) to
PA-7500 Series firewall with a Panorama clustering template (that has a cluster
Ethernet interface reference). The migration process also converts a device group
that references an Ethernet interface to a device group that references a cluster
Ethernet interface.
This migration process is supported in PAN-OS 11.1.5 and later releases.
Perform the following prerequisites before you begin migration:
- In order to migrate a template to a clustering template, the local firewall configuration must be available as a template and device group in Panorama. If that isn't the case, migrate all firewall local configurations to Panorama by following the procedure in Migrate a Firewall to Panorama Management.
- NGFW clustering doesn't support multiple virtual systems. If your original
configuration has Multi Virtual System Capability
enabled, perform the following steps:
- Convert the multi-vsys configuration to a single virtual system and
remove the other virtual systems.If you have a local configuration in DeviceServer ProfileDNS, remove the configuration.
- Disable Multi Virtual System Capability in the template configuration.
- On the firewall, from DeviceSetupPanorama Settings, select Disable Panorama Policy and Objects and Disable Device and Network Template to remove the Panorama pushed configuration. (You don't need to commit.)
- In the Panorama Template Stack for the firewall, set Default VSYS to vsys1.
- In Panorama, push the device group to the firewall, and select include Device and Network Templates. (This will push both the device group and template to the firewall.)
- Convert the multi-vsys configuration to a single virtual system and
remove the other virtual systems.
After completing the prerequisites, you're ready to perform the migration using
Panorama. This task illustrates an example migration.
- Select PanoramaTemplates. Our example has two preexisting non-clustering templates:
- Node1-Regular-Template
- Node2-Regular-Template
Select the checkbox to the left of one of the templates and select Clone at the bottom of the screen.This adds a new template with -1 appended to the end of the template name. Clone both templates. The cloned templates are named:- Node1-Regular-Template-1
- Node2-Regular-Template-1
Add the non-clustering templates from the prior step to a device group under PanoramaDevice Groups.Select the cloned Node1-Regular-Template-1 and select Migrate at the bottom of the screen.Select Yes, which creates a backup of the cloned non-clustering template (which you can ignore).Enter the Node ID (1 or 2). For our example, enter 1.The cloned non-clustering template (Node1-Regular-Template-1) is overridden to become the migrated clustering template by the same name. You can give the template a new Name. Enable clustering is selected by default.Repeat Step 4 through Step 6 for the other non-clustering template (Node2-Regular-Template-1), using the other Node ID (Node ID 2) to override that non-clustering template and migrate it into a clustering template (Node2-Regular-Template-1). Again, you can give the template a new Name.Create a clustering template stack and associate the created templates from Steps 7 and 8 for common configuration.Any non-cluster templates that get migrated to cluster templates and have references in Device Group are also converted. You can keep clustering templates or change to clustering template stacks in the device group.Keep in mind:- Template stacks cannot be cloned.
- A template stack that has templates present in it cannot be migrated successfully.
Learn about NGFW Clustering and learn about inter-firewall links, MC-LAGs, node states, and more in NGFW Clusters.In Panorama, from PanoramaFirewall Cluster, create a cluster of cluster type: PA, and add the two PA-7500 Series firewalls. Refer to Configure an NGFW Cluster.Push the device group and cluster template to the PA-7500 nodes.- Review the device group and template configuration for interface references and unsupported features.In NetworkIKE Gateways, if IKEv1 is configured, change it to IKEv2. (An NGFW cluster doesn't support IKEv1.)In Panorama, push the cluster template to the PA-7500 Series nodes.In Panorama, push the device group to the PA-7500 Series firewall; select include Device and Network Templates. (This will push both the device group and template to the PA-7500 Series firewall.)