Migrate from an M-Series Appliance to a Panorama Virtual Appliance

Procedure to migrate from an M-Series appliance to a Panorama virtual appliance on Panorama 10.0.
You can migrate the Panorama configuration from an M-100, M-200, M-500, or M-600 appliance to a Panorama virtual appliance in Panorama mode. However, you cannot migrate the logs because the log format on the M-Series appliances is incompatible with that on the Panorama virtual appliances. Therefore, if you want to maintain access to the old logs stored on the M-Series appliance, you must continue running the M-Series appliance as a Dedicated Log Collector after the migration and add it to the Panorama virtual appliance as a managed collector.
If your Panorama management server is part of a high availability configuration, you must deploy a second Panorama virtual appliance of the same hypervisor or cloud environment, and purchase the required device management and support licenses. See Panorama HA Prerequisites for a full list of HA requirements.
Policy rule usage data is not preserved when you transition to a different Panorama model. This means that all existing policy rule usage data from the old Panorama is no longer displayed after a successful migration to a new Panorama model. After a successful migration, Panorama begins tracking policy rule usage data based on the date the migration was completed. For example, the Created date displays the date the migration was completed.
  1. Plan the migration.
    • Upgrade the M-Series appliance to PAN-OS 10.1 or a later release before migrating to the Panorama virtual appliance. To upgrade Panorama, see Install Content and Software Updates for Panorama. For important details about software versions, see Panorama, Log Collector, Firewall, and WildFire Version Compatibility.
    • Schedule a maintenance window for the migration. Although firewalls can buffer logs after the M-Series appliance goes offline and then forward the logs after the Panorama virtual appliance comes online, completing the migration during a maintenance window minimizes the risk that logs will exceed the buffer capacities during the transition to a different Panorama model.
  2. Purchase management and support licenses for the new Panorama virtual appliance.
    1. Contact your sales representative to purchase the new device management and support licenses.
    2. Provide your sales representative the serial number of the M-Series appliance you plan to phase out, the serial number and support auth code you received when you purchased the new Panorama virtual appliance, and the date when you expect your migration from the old device to the new virtual appliance to be completed. Before the migration date, register the serial number and activate the support auth code on the new virtual appliance so that you can begin your migration. The capacity auth code on the old M-Series appliance is automatically removed on the expected migration completion date you provided.
  3. Perform the initial setup of the Panorama virtual appliance.
    1. Perform Initial Configuration of the Panorama Virtual Appliance to define the network connections required to activate licenses and install updates.
    2. Install Content and Software Updates for Panorama. Install the same versions as those on the M-Series appliance.
  4. Edit the M-Series appliance Panorama interface configuration to only use the management interface.
    The Panorama virtual appliance supports only the management interface for device management and log collection.
    1. Log in to the Panorama Web Interface of the M-Series appliance.
    2. Select Panorama > Setup > Management.
    3. Edit the General Settings, modify the Hostname, and click OK.
    4. Select Interfaces and edit the Management interface to enable the required services.
    5. Disable services for the remaining interfaces.
    6. Select Commit > Commit to Panorama.
  5. Add the IP address of the new Panorama virtual appliance.
    On the M-Series appliance, add the Public IP address of the Panorama virtual appliance as the second Panorama Server to manage devices from the new Panorama management server. If the Panorama virtual appliance is deployed on Alibaba Cloud, AWS, Azure, GCP, or OCI, use the public IP address.
    1. Select Device > Setup.
    2. In the Template context drop-down, select the template or template stack containing the Panorama server configuration.
    3. Edit the Panorama Settings.
    4. Enter the Panorama virtual appliance public IP address and click OK.
    5. Select Commit > Commit and Push.
  6. Export the configuration from the M-Series appliance.
    1. Select Panorama > Setup > Operations.
    2. Click Save named Panorama configuration snapshot, enter a Name to identify the configuration, and click OK.
    3. Click Export named Panorama configuration snapshot, select the Name of the configuration you just saved, and click OK. Panorama exports the configuration to your client system as an XML file. Save the configuration to a location external to the Panorama appliance.
  7. Power off the M-Series appliance or assign a new IP address to the management (MGT) interface.
    If the M-Series appliance is in Panorama mode and has logs stored on the local Log Collector that you need access to on the new Panorama virtual appliance, you must change the IP address on the M-Series appliance in order to add it to the Panorama virtual appliance as a managed Log Collector.
    • To power off the M-Series appliance:
    1. Log in to the Panorama web interface.
    2. Select Panorama > Setup > Operations, and under Device Operations, Shutdown Panorama. Click Yes to confirm the shutdown.
    • To change the IP address on the M-Series appliance:
    1. Log in to the Panorama web interface.
    2. Select Panorama > Setup > Management, and edit the Management Interface Settings.
    3. Enter the new IP Address and click OK.
    4. Select Commit > Commit to Panorama and Commit your changes.
  8. Load the Panorama configuration snapshot that you exported from the M-Series appliance into the Panorama virtual appliance.
    The Panorama Policy rule Creation and Modified dates are updated to reflect the date you commit the imported Panorama configuration on the new Panorama. The universally unique identifier (UUID) for each policy rule persists when you migrate the Panorama configuration.
    The Creation and Modified dates for managed firewalls are not impacted when you monitor policy rule usage for a managed firewall because this data is stored locally on the managed firewall and not on Panorama.
    1. Log in to the Panorama web interface of the Panorama virtual appliance, and select Panorama > Setup > Operations.
    2. Click Import named Panorama configuration snapshot, Browse to the Panorama configuration file you exported from the M-Series appliance, and click OK.
    3. Click Load named Panorama configuration snapshot, select the Name of the configuration you just imported, select a Decryption Key (the master key for Panorama), and click OK. Panorama overwrites its current candidate configuration with the loaded configuration. Panorama displays any errors that occur when loading the configuration file.
    If errors occurred, save them to a local file. Resolve each error to ensure the migrated configuration is valid. The configuration has been loaded once the commit is successful.
  9. Change the M-Series appliance to Log Collector mode to preserve existing log data.
    Logging data is erased if you change to Log Collector mode while the logging disks are still inserted in the M-Series appliance. Logging disks must be removed before changing mode to avoid log data loss.
    Generating the metadata for each disk pair rebuilds the indexes. Therefore, depending on the data size, this process can take a long time to complete. To expedite the process, you can launch multiple CLI sessions and run the metadata regeneration command in each session to complete the process simultaneously for every pair. For details, see Regenerate Metadata for M-Series Appliance RAID Pairs.
    1. Remove the RAID disks from the old M-Series appliance.
      1. Power off the M-Series appliance by pressing the Power button until the system shuts down.
      2. Remove the disk pairs. For details, refer to the disk replacement procedure in the M-Series Appliance Hardware Reference Guides.
    2. Power on the M-Series appliance by pressing the Power button.
    3. Configure an admin superuser administrator account.
      If an admin administrator account is already created, continue to the next step.
      An admin account with superuser privileges must be created before you switch to Log Collector mode or you lose access to the M-Series appliance after switching modes.
    4. Log in to the Panorama CLI on the old M-Series appliance.
    5. Switch from Panorama mode to Log Collector mode.
      • Switch to Log Collector mode by entering the following command:
        > request system system-mode logger 
      • Enter Y to confirm the mode change. The M-Series appliance reboots. If the reboot process terminates your terminal emulation software session, reconnect to the M-Series appliance to see the Panorama login prompt.
        If you see a CMS Login prompt, this means the Log Collector has not finished rebooting. Press Enter at the prompt without typing a username or password.
      • Log back in to the CLI.
      • Verify that the switch to Log Collector mode succeeded:
        > show system info | match system-mode 
        If the mode change succeeded, the output displays:
        > system-mode: logger
    6. Insert the disks back into the old M-Series appliance. For details, refer to the disk replacement procedure in the M-Series Appliance Hardware Reference Guides.
      You must maintain the disk pair association. Although you can place a disk pair from slot A1/A2 into slot B1/B2, you must keep the disks together in the same slot; otherwise, Panorama might not restore the data successfully.
    7. Enable the disk pairs by running the following CLI command for each pair:
      > request system raid add <slot> force no-format
      For example:
      > request system raid add A1 force no-format 
      > request system raid add A2 force no-format 
      The force and no-format arguments are required. The force argument associates the disk pair with the new appliance. The no-format argument prevents reformatting of the drives and retains the logs stored on the disks.
    8. Generate the metadata for each disk pair.
      > request metadata-regenerate slot <slot_number>
      For example:
      > request metadata-regenerate slot 1
    9. Enable connectivity between the Log Collector and Panorama management server.
      Enter the following commands at the Log Collector CLI, where <IPaddress1> is for the MGT interface of the solitary (non-HA) or active (HA) Panorama and <IPaddress2> is for the MGT interface of the passive (HA) Panorama, if applicable.
      > configure  
      # set deviceconfig system panorama-server <IPaddress1> panorama-server-2 <IPaddress2>  
      # commit  
      # exit  
  10. Recover Managed Device Connectivity to Panorama for managed firewalls and Dedicated Log Collectors added using the device registration authentication key.
    This is required when transitioning from one Panorama model to another.
  11. Synchronize the Panorama virtual appliance with the firewalls to resume firewall management.
    Complete this step during a maintenance window to minimize network disruption.
    1. On the Panorama virtual appliance, select Panorama > Managed Devices and verify that the Device State column displays the firewalls as Connected.
      At this point, the Shared Policy (device groups) and Template columns display Out of sync for the firewalls.
    2. Push your changes to device groups and templates:
      1. Select Commit > Push to Devices and Edit Selections.
      2. Select Device Groups, select every device group, and Include Device and Network Templates.
      3. Select Collector Groups, select every collector group, and click OK.
      4. Push your changes.
    3. In the Panorama > Managed Devices page, verify that the Shared Policy and Template columns display In sync for the firewalls.
  12. (HA only) Modify the Panorama virtual appliance HA peer configuration.
    1. On an HA peer, log in to the Panorama Web Interface, select Panorama > High Availability and edit the Setup.
    2. In the Peer HA IP Address field, enter the new IP address of the HA peer and click OK.
    3. Select Commit > Commit to Panorama and Commit your change.
    4. Repeat these steps on the other peer in the HA pair.
  13. (HA only) Synchronize the Panorama peers.
    1. Access the Dashboard on one of the HA peers and select Widgets > System > High Availability to display the HA widget.
    2. Click Sync to peer, click Yes, and wait for the Running Config to display Synchronized.
    3. Access the Dashboard on the remaining HA peer and select Widgets > System > High Availability to display the HA widget.
    4. Verify that the Running Config displays Synchronized.
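
Step 9 is where stored logs can be lost: the disks must stay out until the mode change, and every `raid add` needs both `force` and `no-format`. The Python linter below is an added example, not Palo Alto Networks code, that checks a planned step 9 command list against those rules before anyone types it. The sample plan is constructed, and the mapping of disk pair A to slot 1, B to slot 2, and so on is an assumption inferred from the example commands in step 9.

```python
import re

# Constructed sample plan for step 9 (typed by hand, not captured output).
PLAN = """\
request system system-mode logger
request system raid add A1 force no-format
request system raid add A2 force
request system raid add B1 force no-format
request metadata-regenerate slot 1
"""

RAID_ADD = re.compile(r"^request system raid add ([A-Z])([12])\b(.*)$")
REGEN = re.compile(r"^request metadata-regenerate slot (\d+)$")
MODE = "request system system-mode logger"

def lint_plan(text):
    """Return findings for a full step 9 sequence (mode switch through regeneration)."""
    findings, mode_seen = [], False
    disks = {}           # pair letter -> set of disk numbers re-added
    regenerated = set()  # slot numbers passed to metadata-regenerate
    for n, raw in enumerate(text.splitlines(), 1):
        cmd = " ".join(raw.lstrip("> ").split())  # drop the prompt, normalise spaces
        if cmd == MODE:
            mode_seen = True
        elif (m := RAID_ADD.match(cmd)):
            letter, disk, args = m.group(1), m.group(2), m.group(3).split()
            if not mode_seen:
                # Disks present during the mode change means the logs are erased.
                findings.append(f"line {n}: raid add before '{MODE}'")
            for required in ("force", "no-format"):
                if required not in args:
                    findings.append(f"line {n}: {letter}{disk} added without '{required}'")
            disks.setdefault(letter, set()).add(disk)
        elif (m := REGEN.match(cmd)):
            regenerated.add(int(m.group(1)))
    for letter, added in sorted(disks.items()):
        if added != {"1", "2"}:
            findings.append(f"pair {letter}: only disk(s) {sorted(added)} added")
        # Assumption: pair A is slot 1, pair B is slot 2, and so on.
        slot = ord(letter) - ord("A") + 1
        if slot not in regenerated:
            findings.append(f"pair {letter}: no metadata-regenerate for slot {slot}")
    return findings

if __name__ == "__main__":
    for finding in lint_plan(PLAN):
        print(finding)
```

An empty result means the plan follows the ordering and argument rules in step 9; it does not confirm anything about the appliance itself.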