Focus

Panorama Administrator's Guide

Migrate from an M-500 Appliance to an M-700 Appliance

Table of Contents

Migrate from an M-500 Appliance to an M-700 Appliance

Migrate the Panorama™ management server configuration from an M-500 appliance to an M-600 appliance.

You can migrate the Panorama configurations, managed firewalls, and log collectors from an M-500 appliance to an M-700 appliance. You can migrate Panorama configurations between the appliances when both the appliances are running the same PAN-OS version. However, the M-500 appliance supports up to PAN-OS version 10.1, while the M-700 appliance requires at least PAN-OS version 10.2.

To migrate the Panorama configurations across appliances with different PAN-OS versions, you must use an intermediate virtual appliance that supports both versions, and perform the migration in the following two phases:

First, migrate the configurations from the M-500 appliance to the intermediate Panorama virtual appliance. For more information about migrating an M-Series appliance to a Panorama virtual appliance see, Migrate from an M-Series Appliance to a Panorama Virtual Appliance.
Next, upgrade the intermediate Panorama virtual appliance to a preferred PAN-OS version, and migrate the configurations from the intermediate Panorama virtual appliance to the M-700 appliance running the same preferred PAN-OS version. For more information about migrating a Panorama virtual appliance to an M-Series appliance, see Migrate from a Panorama Virtual Appliance to an M-Series Appliance.

Ensure that all the Log Collectors in the Collector Group are the same Panorama model. For example, if you want to add the local Log Collector on the new M-700 appliance to a Collector Group, the target Collector Group must contain only M-700 appliances. The same is true for the local Log Collector for an M-700 appliance.

This procedure assumes you are no longer using the M-500 appliance for device management or log collection. If you intend to continue using the M-500 appliance as a log collector, you must get a device management license for the M-500 appliance. Without a device management license, you cannot use the M-500 appliance as a log collector.

If you do not plan to use the M-500 appliance as a log collector, but the M-500 appliance contains log data that you must access at a later date, use the Panorama web interface to query and generate reports using the existing log data. Palo Alto Networks recommends reviewing the log retention policy before decommissioning the M-500 appliance.

Policy rule usage data is not preserved when you migrate to a different Panorama model. This indicates that all the existing policy rule usage data from the old Panorama model is no longer displayed after you migrate to a new Panorama model. After a successful migration, Panorama begins tracking policy rule usage data based on the date the migration was completed. For example, the Created date displays the date the migration was completed.

Plan the migration.
- Ensure that both the M-500 appliance and the intermediate Panorama virtual appliance are running the same PAN-OS version. Upgrade the M-700 appliance to a recommended supported PAN-OS version.
  In the second phase of the migration, before migrating the configurations from the Panorama Virtual appliance to the M-700 appliance, you must upgrade the Panorama virtual appliance to the same PAN-OS version that is running on the M-700 appliance. For important details about software versions, see Panorama, Log Collector, Firewall, and WildFire Version Compatibility.
- Ensure that the M-500 appliance, the intermediate Panorama virtual appliance, and the M-700 appliance are on the same system mode.
- Schedule a maintenance window for the migration. Firewalls can buffer logs after the M-500 appliance goes offline and then forward the logs after the M-700 appliance comes online. However, completing the migration during a maintenance window ensures that the logs do not exceed the buffer capacities and are not lost during the transition between the Panorama models.
- Capture and export a fresh set of running configurations from your old Panorama.
- If the new Panorama keeps the same IP address, you must migrate the migrate the SC3 security certificates to ensure that the managed firewalls onboarded using an auth key automatically reconnect (without requiring re-onboarding).
  
  Your old Panorama must be running PAN-OS 11.1.8 or a later 11.1 release, or PAN-OS 11.2.5 or a later release, to use the SC3 certificate migration feature.
- (Prisma Access) Plan to transfer your Prisma Access licenses to the new target appliance.
- (SD-WAN) Plan export the MongoDB database, in addition to your standard configuration snapshot, to the new Panorama.
Purchase the new M-700 appliance, and migrate your subscriptions to the new appliance.
1. Purchase the new M-700 appliance.
2. Purchase the new support license and migration license.
3. When purchasing the new M-700 appliance, provide your sales representative with the serial number and device management auth-code of the M-500 appliance that you are phasing out, and the date when you expect your migration. After you receive the M-700 appliance, register it and activate the device management and support licenses by using the migration and support auth-codes from Palo Alto Networks. On the migration date, the device management license on the M-500 will be decommissioned, preventing you from managing devices or collecting logs using the M-500 appliance. However, the support license is preserved and the Panorama appliance remains under support. You can complete the migration after the effective date, but you will not be able to commit any configuration changes on the decommissioned M-500 appliance. Palo Alto Networks allows up to a 90 day migration grace period when migrating between M-Series appliances. Contact your Palo Alto Networks sales representative for more information about your migration.
Obtain and apply an evaluation or temporary license on the intermediate Panorama virtual appliance.
1. Log in to the Palo Alto Networks Customer Support Portal.
2. Select AssetsDevicesRegister New Device.
3. In the Device Type window, select Register device using Serial Number or Authorization Code, and click Next.
4. To activate the Panorama software, enter the serial number you received in the Request for Software Evaluation Approved email.
5. If you plan to use the Panorama software offline, select Device will be used Offline, and enter the required information.
6. Review the EULA and Support Agreement.
7. If you agree, click Agree and Submit.
8. After successful registration, the Assets screen displays the newly registered and activated Eval Panorama.
Perform the initial setup of the intermediate Panorama virtual appliance.
1. Set Up the Panorama Virtual Appliance.
2. Perform Initial Configuration of the Panorama Virtual Appliance to define the network connections required to activate licenses and install updates.
3. Register Panorama.
4. Activate a Panorama Support License.
5. Activate/Retrieve a Firewall Management License when the Panorama Virtual Appliance is Internet-connected
6. (Optional) For Panorama-managed Prisma Access, ensure that you transfer the licenses to the new panorama appliance.
7. Install Content and Software Updates for Panorama. Install the same versions as those on the M-Series appliance.
  
  This step is required before loading configuration from the old Panorama virtual appliance. Ensure that all required content updates are installed to avoid security outages.
8. (PAN-OS 11.2.x and earlier releases) Select PanoramaPlugins and install all plugins that were installed on the old Panorama virtual appliance.
Edit the M-500 interface configuration to use only the management interface.

The Panorama virtual appliance supports only the management interface for device management and log collection.
1. Log in to the Panorama web interface of the M-Series appliance.
2. Select PanoramaSetupManagement.
3. Edit the General Settings, modify the Hostname, and click OK.
4. Select PanoramaSetupInterfacesManagement interface, and enable the required services.
5. Disable the services for the other interfaces.
6. Select CommitCommit to Panorama.
Add the IP address of the new Panorama.

On the old M-Series appliance, add the Public IP address of the Panorama virtual appliance as the second Panorama Server to manage devices from the new Panorama management server.
1. Select DeviceSetup.
2. In the Template context drop-down, select the template or template stack containing the Panorama server configuration.
3. Edit the Panorama Settings.
4. Enter the Panorama virtual appliance public IP address and click OK.
5. Select CommitCommit and Push.
Export the Panorama configuration from the M-500 appliance.
1. Log in to the Panorama web interface.
2. Select PanoramaSetupOperations.
3. Click Save named Panorama configuration snapshot, enter a Name to identify the configuration, and click OK.
4. Click Export named Panorama configuration snapshot, select the Name of the configuration you just saved, and click OK.
  Panorama exports the configuration to your client system as an XML file.
5. (SD-WAN Only) Export the mongodump to your external SCP server by entering the following command: mongodump --db pl_sd_wan -o /opt/panlogs/ld1/mdbdump
Load the Panorama configuration snapshot that you exported from the M-500 appliance into the Panorama virtual appliance.

The Panorama Policy rule Creation and Modified dates are updated to reflect the date you commit the imported Panorama configuration on the new Panorama. The universally unique identifier (UUID) for each policy rule persists when you migrate the Panorama configuration.
The Creation and Modified for managed firewalls are not impacted when you monitor policy rule usage for a managed firewall because this data is stored locally on the managed firewall and not on Panorama.
1. Log in to the Panorama web interface of the Panorama virtual appliance.
2. Select PanoramaSetupOperations.
3. Click Import named Panorama configuration snapshot.
4. Browse for the configuration file you exported from the M-500 appliance, and click OK.
5. Click Load named Panorama configuration snapshot, and select the Name of the configuration you just imported.
6. (SD-WAN only) Import the mongodump, which you previously exported, from the SCP server and restore it to the new Panorama by using the following command. mongorestore --db pl_sd_wan pl_sd_wan
7. Select a Decryption Key (the master key for Panorama) and click OK.
8. Panorama overwrites its current candidate configuration with the loaded configuration. Panorama displays any errors that occur when loading the configuration file. If errors occur, save the errors to a local file. Resolve each error to ensure the migrated configuration is valid.
Log in to the Panorama web interface of the M-700 appliance, select PanoramaSetupInterfaces, and verify that the IP address on the management interface is different from the IP address of the M-500 appliance.
This is to ensure that the connectivity to the Panorama virtual appliance is not disrupted post commit.
Select CommitCommit to PanoramaValidate Commit to review and resolve any configuration issues. Commit the Panorama configuration.
Upgrade the intermediate Panorama virtual appliance to the same version installed on the M-700 appliance.
Perform the initial setup of the new M-700 appliance,
1. Set Up the M-series appliance.
2. Perform Initial Configuration of the M-series appliance.
3. Register Panorama.
4. Activate a Panorama Support License.
5. (Optional) For Panorama-managed Prisma Access, ensure that you transfer the licenses to the new panorama appliance.
6. Activate/Retrieve a Firewall Management License when the Panorama Virtual Appliance is Internet-connected
7. Install Content and Software Updates for Panorama. Install the same versions as those on the M-Series appliance.
  
  This step is required before loading configuration from the old Panorama virtual appliance. Ensure that all required content updates are installed to avoid security outages.
8. (PAN-OS 11.2.x and earlier releases) Select PanoramaPlugins and install all plugins that were installed on the old Panorama virtual appliance.
Export the Panorama configuration from the Panorama virtual appliance.
1. Log in to the Panorama web interface of the Panorama virtual appliance.
2. Select PanoramaSetupOperations.
3. Click Save named Panorama configuration snapshot, enter a Name to identify the configuration, and click OK.
4. Click Export named Panorama configuration snapshot, select the Name of the configuration you just saved, and click OK.
  Panorama exports the configuration to your client system as an XML file.
5. (SD-WAN Only) Export the mongodump to your external SCP server by entering the following command: mongodump --db pl_sd_wan -o /opt/panlogs/ld1/mdbdump
Load the Panorama configuration snapshot that you exported from the Panorama virtual appliance to the M-700 appliance.

The Panorama Policy rule Creation and Modified dates are updated to reflect the date you commit the imported Panorama configuration on the new Panorama. The universally unique identifier (UUID) for each policy rule persists when you migrate the Panorama configuration.
The Creation and Modified for managed firewalls are not impacted when you monitor policy rule usage for a managed firewall because this data is stored locally on the managed firewall and not on Panorama.
1. Log in to the Panorama web interface of the Panorama virtual appliance.
2. Select PanoramaSetupOperations.
3. Click Import named Panorama configuration snapshot.
4. Browse for the configuration file you exported from the Panorama virtual appliance, and click OK.
5. Click Load named Panorama configuration snapshot, and select the Name of the configuration you just imported.
6. Select a Decryption Key (the master key for Panorama) and click OK.
7. (SD-WAN only) Import the mongodump, which you previously exported, from the SCP server and restore it to the new Panorama by using the following command. mongorestore --db pl_sd_wan pl_sd_wan
8. Panorama overwrites its current candidate configuration with the loaded configuration. Panorama displays any errors that occur when loading the configuration file. If errors occur, save the errors to a local file. Resolve each error to ensure the migrated configuration is valid.
Review the network configuration on the M-700 appliance.
1. (Optional) Log in to the Panorama web interface of the M-500 appliance, select PanoramaSetupOperations, and click Shutdown Panorama.
  Shut down the M-500 appliance if you plan to have the same IP address on both the M-500 and M-700 appliances.
2. Log in to the Panorama web interface of the M-700 appliance, select PanoramaSetupInterfaces, and verify the network configuration on the Management interface to ensure that the connectivity to the M-700 appliance is not disrupted post commit.
3. Ensure that all the interface configurations are set up based on your requirements for the M-700 appliance.
Select CommitCommit to PanoramaValidate Commit to review and resolve any configuration issues. Commit the Panorama configuration.
Generate a new device registration authentication key for managed device connectivity.
1. In the Panorama web interface of the M-700 appliance, select PanoramaDevice Registration Auth Key and Add a new authentication key.
2. Configure the authentication key.
  Name—Enter a descriptive name for the authentication key.
  Lifetime—Enter the key lifetime to specify the duration of the validity of the authentication key.
  Count—Enter the number of devices that will use the authentication key for connecting to Panorama.
  Device Type—Specify whether the authentication key may be used for Firewalls, Log Collectors, or Any device.
3. Click OK.
4. Copy Auth Key and Close.
If the connectivity to the Panorama and the managed firewalls persists, recover the connectivity of the managed devices to Panorama to resolve the issues.
1. Log in to the firewall CLI.
2. Reset the secure connection state.
  
  This command resets the managed device connection to Panorama and is irreversible.
  admin> request sc3 reset
3. Restart the management server on the managed device.
  admin> debug software restart process management-server
4. (Optional) If the IP address of the M-700 appliance is different from the M-500 appliance, update the panorama-server IP address.
  admin> configure admin# set deviceconfig system panorama local-panorama panorama-server <panorama-ip> [panorama-server-2 <panorama-ha-peer-ip>] admin# commit admin# exit
5. Add the device registration authentication key you copied in Step 16.
  admin> request authkey set <auth_key>
6. Verify the managed device connectivity to Panorama.
  admin> show panorama-status
  
  Verify that the IP address of the M-700 appliance appears and the Panorama server Connected status displays yes.
After you complete the migration, connectivity to the managed log collectors is lost. Recover connectivity to the managed log collectors.
1. Log in to the Dedicated Log Collector CLI.
2. Reset the secure connection state.
  
  This command resets the managed device connection to Panorama and is irreversible.
  admin> request sc3 reset
3. Restart the management server on the managed device.
  admin> debug software restart process management-server
4. (Optional) If the IP address of the M-700 appliance is different from the M-500 appliance, update the panorama-server IP address.
  admin> configure admin # set deviceconfig system panorama-server <panorama-ip> [panorama-server-2 <panorama-ha-peer-ip>] admin# Commit admin# exit
5. Add the device registration authentication key you copied in Step 16.
  admin> request authkey set <auth_key>
6. Verify the managed device connectivity to Panorama.
  admin> show panorama-status
  
  Verify that the IP address of the M-700 appliance appears and the Panorama server Connected status displays yes.
Select CommitCommit to PanoramaValidate Commit to review and resolve any configuration issues. Commit the Panorama configuration.
Synchronize the M-700 appliance with the managed devices.
1. Select CommitPush to Devices and Edit Selections.
2. Select all the devices under Device Groups, Templates, and Collector Groups, and click OK.
3. Push your changes.
4. Select PanoramaManaged DevicesSummary, and verify that all the firewalls are connected. Also, verify that the shared policy and template configurations of the firewalls are In sync with Panorama.
5. Select PanoramaManaged Collectors, and verify that the configuration status is In Sync with Panorama, and the health status is Green for all the log collectors.
(HA only) Set up the Panorama HA peer.

If the Panorama management servers are in a high availability configuration, perform the steps below on the HA peer.
1. Perform the initial setup of the M-Series appliance.
2. Add the IP address of the new Panorama.
(HA only) Modify the M-series appliance HA peer configuration.
1. On an HA peer, Log in to the Panorama Web Interface, select PanoramaHigh Availability and edit the Setup.
2. In the Peer HA IP Address field, enter the new IP address of the HA peer and click OK.
3. Select CommitCommit to Panorama and Commit your change
4. Repeat these steps on the other peer in the HA peer.
(HA only) Synchronize the Panorama peers.
1. Access the Dashboard on one of the HA peers and select WidgetsSystemHigh Availability to display the HA widget.
2. Sync to peer, click Yes, and wait for the Running Config to display Synchronized.
3. Access the Dashboard on the remaining HA peer and select WidgetsSystemHigh Availability to display the HA widget.
4. Verify that the Running Config displays Synchronized.
After you migrate, if there are connectivity issues between Panorama and the managed firewalls, recover the connectivity of the managed devices to Panorama to resolve the issues.

Migrate from an M-Series Appliance to a Panorama Virtual Appliance

Migrate from an M-600 Appliance to an M-700 Appliance