Migrate a Firewall to Panorama Management and Reuse Existing Configuration
Migrate a firewall to Panorama™ management and import the firewall configuration to
reuse the existing configuration.
Migrate a firewall to Panorama management and import the existing firewall
configuration to Panorama to reuse it. When you import a firewall configuration,
Panorama automatically creates a template to contain the imported network and device
settings. To contain the imported policies and objects, Panorama automatically
creates one device group for each firewall or one device group for each virtual
system (vsys) in a multi-vsys firewall.
When you perform the following steps, Panorama imports the entire firewall
configuration. Alternatively, you can Load a Partial
Firewall Configuration into Panorama.
To migrate a firewall to Panorama management and create a new configuration, see
Migrate a Firewall to Panorama Management and Push a New Configuration. To migrate a firewall HA pair to
Panorama management, see Migrate a Firewall HA Pair to Panorama Management and Reuse Existing Configuration.
Panorama can import configurations from firewalls that run PAN-OS 5.0 or later
releases and can push configurations to those firewalls. The exception is that
Panorama 6.1 and later releases cannot push configurations to firewalls running
PAN-OS 6.0.0 through 6.0.3.
Panorama can import configurations from firewalls that are already managed
devices but only if they are not already assigned to device groups or
templates.
- Plan the migration.
  See the checklist in Plan the Transition to Panorama Management.
- Add the firewall as a managed device.
  See Add a Firewall as a Managed Device for more information on adding a firewall to Panorama management.
  - Log in to the Panorama Web Interface.
  - Select Panorama > Device Registration Auth Key and Add a new authentication key.
  - Copy Auth Key after you successfully create the device registration authentication key.
  - Select Panorama > Managed Devices > Summary to Add a firewall as a managed device.
  - Enter the serial number of the firewall and click OK. If you will import multiple firewall configurations, enter the serial number of each one on a separate line. Optionally, you can copy and paste the serial numbers from a Microsoft Excel worksheet.
  - Select Commit > Commit to Panorama and Commit your changes.
- Set up a connection from the firewall to Panorama.
  - Log in to the firewall web interface.
  - Select Device > Setup > Management and edit the Panorama Settings.
  - In the Panorama Servers fields, enter the IP addresses of the Panorama management server.
  - Paste the Auth Key you copied in the previous step.
  - Click OK and Commit.
- Import the firewall configuration into Panorama.
  If you later decide to re-import a firewall configuration, first remove the firewall from the device group and template of which it is a member. If the device group and template names are the same as the firewall hostname, you can either delete the device group and template before re-importing the firewall configuration or use the Device Group Name Prefix fields to define new names for the device group and template that the re-import creates. Firewalls do not lose logs when you remove them from device groups or templates.
  - From Panorama, select Panorama > Setup > Operations, click Import device configuration to Panorama, and select the Device. Panorama can’t import a configuration from a firewall that is assigned to an existing device group or template.
  - (Optional) Edit the Template Name. The default value is the firewall name. You can’t use the name of an existing template or template stack.
  - (Optional) Edit the Device Group names. For a multi-vsys firewall, each device group has a vsys name by default, so add a character string as a Device Group Name Prefix for each. Otherwise, the default value is the firewall name. You can’t use the names of existing device groups.
  - The Import devices' shared objects into Panorama's shared context check box is selected by default, which means Panorama compares the objects that belong to the Shared location on the firewall with the objects in Shared on Panorama. An imported object that is not in the Shared context of the firewall is applied to each device group being imported. If you clear the check box, Panorama does not compare the imported objects and instead copies all shared firewall objects into the device groups being imported rather than into Shared. This can create duplicate objects, so selecting the check box is a best practice in most cases. To understand the consequences of importing shared or duplicate objects into Panorama, see Plan how to manage shared settings.
  - Select a Rule Import Location for the imported policy rules: Pre Rulebase or Post Rulebase. Regardless of your selection, Panorama imports the default security rules (intrazone-default and interzone-default) into the post-rulebase. If Panorama has a rule with the same name as a firewall rule that you import, Panorama displays both rules. Delete one of the rules before performing a Panorama commit to prevent a commit error.
  - Click OK. Panorama displays the import status, result, details about your selections, details about what was imported, and any warnings. Click Close.
  - Select Commit > Commit to Panorama and Commit your changes.
- Push the configuration bundle from Panorama to the newly added firewall to remove all policy rules and objects from its local configuration.
  This step is necessary to prevent duplicate rule or object names, which would cause commit errors when you push the device group configuration from Panorama to the firewall in the next step.
  Pushing the imported firewall configuration from Panorama to remove the local firewall configuration updates the policy rule Creation and Modified dates to the date of the push when you monitor policy rule usage for a managed firewall, and creates a new universally unique identifier (UUID) for each policy rule.
  This step is required to successfully migrate firewall management to the Panorama management server. Failure to perform this step successfully causes configuration errors and commit failures.
  - Log in to the Panorama Web Interface.
  - Select Panorama > Setup > Operations and Export or push device config bundle.
  - Select the Device from which you imported the configuration and click OK. If a master key is configured, select Use Master Key and enter the master key before you click OK.
  - Select Push & Commit. Panorama pushes the bundle and initiates a commit on the firewall.
  - Click Close after the push has committed successfully.
  - Launch the Web Interface of the firewall and ensure that the configuration has been successfully committed. If not, Commit the changes locally on the firewall.
  - Select Commit > Commit to Panorama and Commit your changes.
- Push the device group and template configurations to complete the transition to centralized management.
  This step overwrites any local Network and Device settings configured on the firewall.
  If you are migrating multiple firewalls, perform all the preceding steps, including this one, for each firewall before continuing.
  - Select Commit > Commit and Push and Edit Selections in the Push Scope.
  - Select Device Groups and select the device groups that contain the imported firewall configurations.
  - Select Merge with Device Candidate Config, Include Device and Network Templates, and Force Template Values.
  - Click OK to save your changes to the Push Scope.
  - Commit and Push your changes.
  - On the Panorama web interface, select Panorama > Managed Devices > Summary and verify that the device group and template stack are in sync for the firewall. On the firewall web interface, verify that configuration objects display a green cog, signifying that the configuration object was pushed from Panorama.
- Fine-tune the imported configuration.
  - In Panorama, select Panorama > Config Audit, select the Running config and Candidate config for the comparison, click Go, and review the output.
  - Update the device group and template configurations as needed based on the configuration audit and any warnings that Panorama displayed after the import. For example:
    - Delete redundant objects and policy rules.
    - Move firewalls to different device groups or templates.
    - Move a device group that Panorama created during the import to a different parent device group: Select Panorama > Device Groups, select the device group you want to move, select a new Parent Device Group, and click OK.
- Consolidate all the imported firewall configurations.
  This step is required if you are migrating multiple firewalls.
  - After importing all the firewall configurations, update the device groups and templates as needed to eliminate redundancy and streamline configuration management: see Fine-tune the imported configuration. (You don’t need to push firewall configuration bundles again.)
- Configure any firewall-specific settings.
  If the firewalls will have local zones, you must create them before performing a device group or template commit; Panorama can’t poll the firewalls for zone names or zone configuration. If you will use local firewall rules, ensure that their names are unique (not duplicated in Panorama). If necessary, you can Override a Template or Template Stack Value with a firewall-specific value.
  Commit and push your changes:
  - Select Commit > Commit and Push and Edit Selections in the Push Scope.
  - Select Device Groups, select the device groups you changed, and Include Device and Network Templates.
  - Click OK to save your changes to the Push Scope.
  - Commit and Push your changes.
- Perform your post-migration test plan.
  Perform the verification tasks that you devised during migration planning to confirm that the firewalls work as efficiently with the Panorama-pushed configuration as they did with their original local configuration: see Create a post-migration test plan.
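Two of the warnings in the procedure above are easy to miss until a commit fails: a firewall rule whose name Panorama already has appears twice after the import and one copy must be deleted before the Panorama commit, and firewall Shared objects are either compared against Panorama's Shared context (check box selected) or copied into the new device groups as duplicates (check box cleared). The following script is an added example, not code from the Palo Alto Networks documentation or from Panorama itself, that performs both checks offline against the firewall's and Panorama's exported XML configuration snapshots before you click Import device configuration to Panorama. It assumes the standard PAN-OS/Panorama configuration layout (objects under config/shared and config/devices/entry/vsys/entry, rules under rulebase/security/rules on the firewall and under pre-rulebase/post-rulebase in Shared and in each device-group entry on Panorama), checks only address objects (other object types need their own paths added), and the two configurations embedded below are constructed samples; the function names are the example's own.

```python
# Added example, not from the Palo Alto Networks documentation: an offline
# name-collision check to run before "Import device configuration to Panorama".
# It reads the firewall's and Panorama's exported XML configurations and reports
# rule names Panorama already holds (both copies appear after the import and one
# must be deleted before a Panorama commit) and firewall Shared objects whose
# names already exist in Panorama's Shared context. The element paths assume the
# standard PAN-OS/Panorama configuration layout; both configs are constructed samples.
import xml.etree.ElementTree as ET

FIREWALL_XML = """<config>
<shared><address>
  <entry name="dns-server"><ip-netmask>10.0.0.53/32</ip-netmask></entry>
  <entry name="ntp-server"><ip-netmask>10.0.0.123/32</ip-netmask></entry>
</address></shared>
<devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
  <address><entry name="web-srv"><ip-netmask>10.0.1.10/32</ip-netmask></entry></address>
  <rulebase><security><rules>
    <entry name="allow-web"><action>allow</action></entry>
    <entry name="deny-all"><action>deny</action></entry>
  </rules></security></rulebase>
</entry></vsys></entry></devices>
</config>"""

PANORAMA_XML = """<config>
<shared><address>
  <entry name="dns-server"><ip-netmask>10.0.0.53/32</ip-netmask></entry>
  <entry name="ntp-server"><ip-netmask>10.0.0.124/32</ip-netmask></entry>
</address>
<pre-rulebase><security><rules><entry name="deny-all"><action>deny</action></entry></rules></security></pre-rulebase>
</shared>
<devices><entry name="localhost.localdomain"><device-group><entry name="branch-dg">
  <post-rulebase><security><rules><entry name="allow-web"><action>allow</action></entry></rules></security></post-rulebase>
</entry></device-group></entry></devices>
</config>"""

FW_RULES = "./rulebase/security/rules/entry"          # firewall vsys rulebase
PANO_RULES = ("./pre-rulebase/security/rules/entry",  # Panorama pre-/post-rulebases
              "./post-rulebase/security/rules/entry")
IDENTICAL = "identical to existing Shared object"
DIFFERENT = "same name as existing Shared object but different value: review before import"
DUPLICATED = "check box cleared: copied into each imported device group, duplicating the Shared object"

def names(node, *xpaths):
    """Set of entry names matched by any xpath under node (empty if node is None)."""
    return set() if node is None else {e.get("name") for xp in xpaths for e in node.findall(xp)}

def signature(entry):
    """Hashable summary of an object's value, so same-named objects can be compared."""
    return tuple(sorted((el.tag, (el.text or "").strip()) for el in entry.iter() if el is not entry))

def panorama_rule_locations(pano_root):
    """Map rule name -> sorted Panorama locations (Shared or device-group name) defining it."""
    where = {}
    for name in names(pano_root.find("./shared"), *PANO_RULES):
        where.setdefault(name, set()).add("Shared")
    for dg in pano_root.findall("./devices/entry/device-group/entry"):
        for name in names(dg, *PANO_RULES):
            where.setdefault(name, set()).add(dg.get("name"))
    return {name: sorted(locs) for name, locs in where.items()}

def check_import(fw_xml, pano_xml, import_shared_into_shared=True):
    """Return rule-name conflicts and Shared-object overlaps for a planned import."""
    fw_root, pano_root = ET.fromstring(fw_xml), ET.fromstring(pano_xml)
    existing = panorama_rule_locations(pano_root)
    # Each vsys becomes its own device group; any rule name Panorama already
    # holds anywhere is flagged so the operator can delete one copy before commit.
    rule_conflicts = [
        (vsys.get("name"), rule, loc)
        for vsys in fw_root.findall("./devices/entry/vsys/entry")
        for rule in sorted(names(vsys, FW_RULES))
        for loc in existing.get(rule, [])
    ]
    # With the check box selected Panorama compares firewall Shared objects with
    # its own Shared context; with it cleared they are copied into the device groups.
    pano_shared = {e.get("name"): signature(e) for e in pano_root.findall("./shared/address/entry")}
    shared_objects = []
    for entry in fw_root.findall("./shared/address/entry"):
        name = entry.get("name")
        if name not in pano_shared:
            continue
        if not import_shared_into_shared:
            verdict = DUPLICATED
        elif pano_shared[name] == signature(entry):
            verdict = IDENTICAL
        else:
            verdict = DIFFERENT
        shared_objects.append((name, verdict))
    return {"rule_conflicts": rule_conflicts, "shared_objects": shared_objects}

if __name__ == "__main__":
    report = check_import(FIREWALL_XML, PANORAMA_XML)
    for vsys, rule, loc in report["rule_conflicts"]:
        print(f"rule conflict: {vsys}/{rule} already exists in Panorama location '{loc}'")
    for name, verdict in report["shared_objects"]:
        print(f"shared object {name}: {verdict}")
```

Replace the two constructed strings with the configuration snapshots exported from the firewall and from Panorama and run it once per firewall you plan to import. Every rule conflict it prints is a rule you will have to delete on one side before the Panorama commit succeeds; the `DIFFERENT` verdict marks a Shared object whose value disagrees between the two appliances, which is worth resolving before the import rather than after the device group push, and re-running with `import_shared_into_shared=False` shows which objects would be duplicated into each device group if you clear the check box.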