If you have already deployed Palo Alto Networks firewalls and configured them locally, but now want to use Panorama for centrally managing them, you must perform pre-migration planning. The migration involves importing firewall configurations into Panorama and verifying that the firewalls function as expected after the transition. If some settings are unique to individual firewalls, you can continue accessing the firewalls to manage the unique settings. You can manage any given firewall setting by pushing its value from Panorama or by configuring it locally on the firewall, but you cannot manage the setting through both Panorama and the firewall. If you want to exclude certain firewall settings from Panorama management, you can either:
- Migrate the entire firewall configuration and then, on Panorama, delete the settings that you will manage locally on firewalls. Instead of deleting a setting on Panorama, you can also Override a Template Setting that Panorama pushes to a firewall.
- Load a partial firewall configuration, including only the settings that you will use Panorama to manage.
Firewalls do not lose logs during the transition to Panorama management.
Plan the Transition to Panorama Management
The following tasks are a high-level overview of the planning required to migrate firewalls to Panorama management:

1. Decide which firewalls to migrate.
2. Determine the Panorama and firewall software and content versions, and how you will Manage Licenses and Updates. For important details, see Panorama, Log Collector, and Firewall Version Compatibility.
3. Plan Your Deployment for Panorama with respect to the URL filtering database (BrightCloud or PAN-DB), log collection, and administrator roles.
4. Plan how to manage shared settings. Plan the Device Group Hierarchy, Templates and Template Stacks in a way that reduces redundancy and streamlines the management of settings that are shared among all firewalls or within firewall sets. During the migration, you can select whether to import objects from the Shared location on the firewall into Shared on Panorama, with the following exceptions:
   - If a shared firewall object has the same name and value as an existing shared Panorama object, the import excludes that firewall object.
   - If the name or value of the shared firewall object differs from an existing shared Panorama object, Panorama imports the firewall object into each new device group that is created for the import.
   - If a configuration imported into a template references a shared firewall object, or if a shared firewall object references a configuration imported into a template, Panorama imports the object as a shared object regardless of whether you select the Import devices' shared objects into Panorama's shared context check box.
5. Determine if the firewall has configuration elements (policies, objects, and other settings) that you don't want to import, either because Panorama already contains similar elements or because those elements are firewall-specific (for example, timezone settings) and you won't use Panorama to manage them. You can perform a global find to determine whether similar elements exist on Panorama.
6. Decide the common zones for each device group. This includes a zone-naming strategy for the firewalls and virtual systems in each device group. For example, if you have zones called Branch LAN and WAN, Panorama can push policy rules that reference those zones without being aware of the variations in port or media type, model, or logical addressing schema.
7. Create a post-migration test plan. You will use the test plan to verify that the firewalls work as efficiently after the migration as they did before. The plan might include tasks such as:
   - Monitor the firewalls for at least 24 hours after the migration.
   - Monitor Panorama and firewall logs for anomalies.
   - Check administrator logins on Panorama.
   - Test various types of traffic from multiple sources. For example, check bandwidth graphs, session counts, and deny-rule traffic log entries (see Use Panorama for Visibility). The testing should cover a representative sample of policy configurations.
   - Check with your network operations center (NOC) and security operations center (SOC) for any user-reported issues.
   - Include any other test criteria that will help verify firewall functionality.
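The shared-object rules in the planning checklist above decide where each shared firewall object lands during an import, and they are easy to get wrong when a migration covers many device groups. The following Python script is an added example, not Palo Alto Networks code: it parses a constructed firewall snapshot and a constructed Panorama configuration with the standard library and applies the two stated rules (same name and value: excluded; same name, different value: copied into each new device group). The third case, a shared firewall object with no same-named object on Panorama going into Shared, is this example's reading of the check box's name and is marked as an assumption in the code; the object names, device group names and function names are made up.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the Shared section of an exported firewall configuration.
FIREWALL_CONFIG = """<config><shared>
  <address>
    <entry name="dns-primary"><ip-netmask>10.0.0.53/32</ip-netmask></entry>
    <entry name="web-proxy"><ip-netmask>10.0.0.8/32</ip-netmask></entry>
    <entry name="ntp-server"><ip-netmask>10.0.0.123/32</ip-netmask></entry>
  </address>
  <service>
    <entry name="tcp-8443"><protocol><tcp><port>8443</port></tcp></protocol></entry>
  </service>
</shared></config>"""

# Constructed sample: what Shared on Panorama already contains before the import.
PANORAMA_CONFIG = """<config><shared>
  <address>
    <entry name="dns-primary"><ip-netmask>10.0.0.53/32</ip-netmask></entry>
    <entry name="web-proxy"><ip-netmask>10.1.0.8/32</ip-netmask></entry>
  </address>
</shared></config>"""


def _normalize(elem):
    """Layout-independent view of an element: tag, attributes, text and children."""
    return (elem.tag, tuple(sorted(elem.attrib.items())),
            (elem.text or "").strip(), tuple(_normalize(c) for c in elem))


def shared_objects(config_xml):
    """Map (object type, name) -> normalized value for every <entry> under <shared>."""
    objects = {}
    shared = ET.fromstring(config_xml).find("shared")
    for type_node in (shared if shared is not None else []):
        for entry in type_node.findall("entry"):
            objects[(type_node.tag, entry.get("name"))] = tuple(_normalize(c) for c in entry)
    return objects


def plan_shared_import(firewall_xml, panorama_xml, device_groups, import_into_shared=True):
    """Decide where each shared firewall object lands, following the rules in the checklist.
    Returns {(type, name): (action, destinations)} with action skip, shared or device-group."""
    firewall = shared_objects(firewall_xml)
    panorama = shared_objects(panorama_xml)
    plan = {}
    for key, value in firewall.items():
        if not import_into_shared:
            # Check box cleared: no comparison, every shared object is copied into each device group.
            plan[key] = ("device-group", list(device_groups))
        elif key in panorama and panorama[key] == value:
            # Same name and same value as a shared Panorama object: excluded from the import.
            plan[key] = ("skip", [])
        elif key in panorama:
            # Same name but a different value: imported into each new device group instead.
            plan[key] = ("device-group", list(device_groups))
        else:
            # ASSUMPTION: no shared Panorama object of that name, so it goes into Shared on Panorama.
            plan[key] = ("shared", ["Shared"])
    return plan


def count_duplicate_objects(plan):
    """Objects copied into every device group exist once per group; this is the duplication
    the checklist warns about, and it grows with the number of device groups."""
    return sum(len(dests) for action, dests in plan.values() if action == "device-group")


if __name__ == "__main__":
    groups = ["fw1-vsys1", "fw1-vsys2"]
    for key, (action, dests) in plan_shared_import(FIREWALL_CONFIG, PANORAMA_CONFIG, groups).items():
        print(key, action, dests)
```

Running the script against the constructed inputs shows only one object (web-proxy, same name but a different value) landing in the device groups; clearing the check box sends all four shared objects into both device groups, which is where the duplicate objects come from.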
Migrate a Firewall to Panorama Management
When you import a firewall configuration, Panorama automatically creates a template to contain the imported network and device settings. To contain the imported policies and objects, Panorama automatically creates one device group for each firewall or one device group for each virtual system (vsys) in a multi-vsys firewall.
When you perform the following steps, Panorama imports the entire firewall configuration. Alternatively, you can Load a Partial Firewall Configuration into Panorama.
Panorama can import configurations from firewalls that run PAN-OS 5.0 or later releases and can push configurations to those firewalls. The exception is that Panorama 6.1 and later releases cannot push configurations to firewalls running PAN-OS 6.0.0 through 6.0.3. Panorama can import configurations from firewalls that are already managed devices but only if they are not already assigned to device groups or templates.
1. Plan the migration. See the checklist in Plan the Transition to Panorama Management.
2. Add the firewall as a managed device (see Add a Firewall as a Managed Device).
   - Log in to Panorama, select Panorama > Managed Devices and click Add.
   - Enter the serial number of the firewall and click OK. If you will import multiple firewall configurations, enter the serial number of each one on a separate line. Optionally, you can copy and paste the serial numbers from a Microsoft Excel worksheet.
   - Click Commit, for the Commit Type select Panorama, and click Commit again.
3. Set up a connection from the firewall to Panorama.
   - Log in to the firewall, select Device > Setup, and edit the Panorama Settings.
   - In the Panorama Servers fields, enter the IP addresses of the Panorama management server.
   - Click OK and Commit.
4. Import the firewall configuration into Panorama.
   If you later decide to re-import a firewall configuration, first remove the firewall or its virtual systems from the device groups and template where you originally imported them. (Firewalls don't lose logs when you remove them from device groups or templates.) Because the imported policies and objects remain in the device groups, you must manually move, edit, or delete them when necessary. When re-importing, use the Device Group Name Prefix fields to define device group names that differ from the ones Panorama created in the original import.
   - From Panorama, select Panorama > Setup > Operations, click Import device configuration to Panorama, and select the Device. Panorama can't import a configuration from a firewall that is assigned to an existing device group or template.
   - Enter a Template Name. The default value is the firewall name. You can't use the name of an existing template.
   - For a multi-vsys firewall, optionally add a character string as a Device Group Name Prefix for all the device groups.
   - (Optional) Edit the Device Group names. If this is a multi-vsys firewall, each device group has a vsys name by default. Otherwise, the default value is the firewall name. You can't use the names of existing device groups.
   - The Import devices' shared objects into Panorama's shared context check box is selected by default, which means Panorama compares the imported objects that belong to the Shared location on the firewall with Shared on Panorama. An imported object that is not in the Shared context of the firewall is applied to each device group being imported. If you clear the check box, Panorama does not compare the imported objects and instead copies all shared firewall objects into the device groups being imported rather than into Shared. This could create duplicate objects, so selecting the check box is a best practice in most cases. To understand the consequences of importing shared or duplicate objects into Panorama, see Plan how to manage shared settings.
   - Select a Rule Import Location for the imported policy rules: Pre Rulebase or Post Rulebase. Regardless of your selection, Panorama imports the default security rules (intrazone-default and interzone-default) into the post-rulebase. If Panorama has a rule with the same name as a firewall rule that you import, Panorama displays both rules. Delete one of the rules before performing a Panorama commit to prevent a commit error.
   - Click OK. Panorama displays the import status, result, details about your selections, details about what was imported, and any warnings. Click Close.
5. Fine-tune the imported configuration.
   - In Panorama, select Panorama > Config Audit, select the Running config and Candidate config for the comparison, click Go, and review the output.
   - Update the device group and template configurations as needed based on the configuration audit and any warnings that Panorama displayed after the import. For example:
     - Delete redundant objects and policy rules.
     - Move or Clone a Policy Rule or Object to a Different Device Group.
     - Move firewalls to different device groups or templates.
     - Move a device group that Panorama created during the import to a different parent device group: select Panorama > Device Groups, select the device group you want to move, select a new Parent Device Group, and click OK.
6. Push the firewall configuration bundle to the firewall to remove all policy rules and objects from its local configuration. This step is necessary to prevent duplicate rule or object names, which would cause commit errors when you push the device group configuration from Panorama to the firewall in the next step.
   - Click Commit, for the Commit Type select Panorama, and click Commit again. Panorama creates a firewall configuration bundle named <firewall_name>_import.tgz, in which all policies and objects are removed.
   - In Panorama, select Panorama > Setup > Operations and click Export or push device config bundle.
   - Select the Device from which you imported the configuration, click OK, and click Push & Commit. Panorama pushes the bundle and initiates a commit on the firewall.
7. Push the device group and template configurations to the firewall to complete the transition to centralized management. If you are migrating multiple firewalls, perform all the preceding steps, including this one, for each firewall before continuing.
   - In Panorama, click Commit and for the Commit Type select Device Group.
   - Select the Merge with Device Candidate Config, Include Device and Network Templates and Force Template Values check boxes.
   - Select the device groups that contain the imported firewall configurations and click Commit.
8. Consolidate all the imported firewall configurations. Required if you are migrating multiple firewalls. Settings might be duplicated among the firewalls. For example, if you imported an object with the same name from two firewalls, you must delete one object in Panorama before performing a commit on Panorama.
   - After importing all the firewall configurations, update the device groups and templates as needed to eliminate redundancy and streamline configuration management: see Fine-tune the imported configuration. (You don't need to push firewall configuration bundles again.)
   - Configure any firewall-specific settings. If the firewalls will have local zones, you must create them before performing a device group or template commit; Panorama can't poll the firewalls for zone names or zone configuration. If you will use local firewall rules, ensure their names are unique (not duplicated in Panorama). If necessary, you can Override a Template Setting with a firewall-specific value.
   - In Panorama, click Commit, for the Commit Type select Device Group, select the device groups, select the Include Device and Network Templates check box, and click Commit.
9. Perform your post-migration test plan. Perform the verification tasks that you devised during the migration planning to confirm that the firewalls work as efficiently with the Panorama-pushed configuration as they did with their original local configuration: see Create a post-migration test plan.
Migrate a Firewall HA Pair to Panorama Management
If you have a pair of firewalls in an HA configuration that you want to manage using Panorama, you can import the local configuration of the HA pair into Panorama without recreating any configuration or policies. You first import the firewall configurations into Panorama, which places them in a device group and template. You then perform a special configuration push of the device group and template to the firewalls to overwrite the local firewall configurations and synchronize the firewalls with Panorama.
1. Plan the migration. See the checklist in Plan the Transition to Panorama Management.
2. Disable configuration synchronization between the HA peers. Repeat these steps for both firewalls in the HA pair.
   - Log in to the web interface on each firewall, select Device > High Availability > General and edit the Setup section.
   - Clear Enable Config Sync and click OK.
   - Commit the configuration changes on each firewall.
3. Connect each firewall to Panorama. If Panorama is already receiving logs from these firewalls, you do not need to perform this step; continue to Step 5. Repeat these steps for both firewalls in the HA pair.
   - Log in to the web interface on each firewall, select Device > Setup > Management and edit the Panorama Settings.
   - In the Panorama Servers fields, enter the IP addresses of the Panorama management servers, confirm that Panorama Policy and Objects and Device and Network Template are enabled, and click OK.
   - Commit the configuration changes on each firewall.
4. Add each firewall as a managed device (see Add a Firewall as a Managed Device). If Panorama is already receiving logs from these firewalls, you do not need to perform this step; continue to Step 5.
   - Log in to Panorama, select Panorama > Managed Devices and click Add.
   - Enter the serial number of each firewall and click OK.
   - Select Commit > Commit to Panorama and Commit your changes.
   - Verify that the Device State for each firewall is Connected.
5. Import each firewall configuration into Panorama.
   If you later decide to re-import a firewall configuration, first remove the firewall from the device groups and template where you originally imported it. (Firewalls don't lose logs when you remove them from device groups or templates.) Because the imported policies and objects remain in the device groups, you must manually move, edit, or delete them when necessary. When re-importing, use the Device Group Name Prefix fields to define device group names that differ from the ones Panorama created in the original import.
   a. From Panorama, select Panorama > Setup > Operations, click Import device configuration to Panorama, and select the Device. Panorama can't import a configuration from a firewall that is assigned to an existing device group or template.
   b. Edit the Template Name. The default value is the firewall name. You can't use the name of an existing template.
   c. (Optional) Edit the Device Group names. For a multi-vsys firewall, each device group has a vsys name by default, so add a character string as a Device Group Name Prefix for each. Otherwise, the default value is the firewall name. You can't use the names of existing device groups.
   d. The Import devices' shared objects into Panorama's shared context check box is selected by default, which means Panorama compares the imported objects that belong to the Shared location on the firewall with Shared on Panorama. An imported object that is not in the Shared context of the firewall is applied to each device group being imported. If you clear the check box, Panorama does not compare the imported objects and instead copies all shared firewall objects into the device groups being imported rather than into Shared. This could create duplicate objects, so selecting the check box is a best practice in most cases. To understand the consequences of importing shared or duplicate objects into Panorama, see Plan how to manage shared settings.
   e. Repeat sub-steps a to c on the second firewall. The import creates a device group and template for each firewall.
   f. Commit to Panorama.
   The import process does not import the HA IP addresses and management IP address of the firewalls. These IP addresses continue to be defined locally on each device.
6. Add the HA firewall pair to the same device group and template. If the HA pair is in an active/active configuration, skip this step. If the HA pair is in an active/passive configuration and the two firewalls have differing configurations, avoid combining both firewalls into a single template.
   - Select Panorama > Device Groups, select the device group of the second firewall and Delete it.
   - Select the device group for the first firewall, select the second firewall, click OK and Commit to Panorama to add it to the same device group as its HA peer.
   - Select Panorama > Templates, select the template for the second firewall and Delete it.
   - Select the template for the first firewall, add the second firewall, click OK and Commit to Panorama to add it to the same template as its HA peer.
7. Push the configuration to the firewalls. Push the device configuration bundle to the firewalls to remove all local policy configuration from the firewalls and replace it with the configuration you manage from Panorama. HA Config Sync must be disabled on both firewalls (see Disable configuration synchronization between the HA peers, above) before you push the device group and template.
   Push the configuration to the passive firewall first:
   a. In Panorama, select Panorama > Setup > Operations and select Export or push device config bundle.
   b. Select the passive firewall Device, click OK and Push & Commit. Click OK after the export has completed successfully.
   c. Click Commit, select Templates and enable Force Template Values.
   d. Select Device Group and enable Include Device and Network Templates and Force Template Values.
   e. Commit the configuration on the passive firewall only.
   f. Select Panorama > Managed Devices, and verify that the device group and template are in sync for the passive firewall.
   g. Verify that the policy rules, objects and network settings on the passive firewall match the active firewall.
   h. Suspend the active firewall to trigger a failover. On the active firewall, select Device > High Availability > Operational Commands and Suspend local device, and click OK to promote the passive firewall to active. Verify that traffic is passing and everything is operating as expected.
   Then repeat sub-steps a to h on the firewall you suspended. On Panorama, click Commit and Commit the configuration to the suspended firewall only.
   Finally, restore the suspended firewall as the active HA peer: select Device > High Availability > Operational Commands and Make local device functional to trigger a failover and transition the currently passive peer back to being the active HA peer.
8. Enable configuration synchronization between the HA peers. Repeat these steps for both firewalls in the HA pair if you plan to maintain a local configuration that needs to be synchronized.
   - Log in to the web interface on each firewall, select Device > High Availability > General and edit the Setup section.
   - Select Enable Config Sync and click OK.
   - Commit the configuration changes on each firewall.
Load a Partial Firewall Configuration into Panorama
If some configuration settings on a firewall are common to other firewalls, you can load those specific settings into Panorama and then push them to all the other firewalls or to the firewalls in particular device groups and templates.
1. Plan the transition to Panorama. See the checklist in Plan the Transition to Panorama Management.
2. Resolve how to manage duplicate settings, which are settings that have the same names on Panorama as on a firewall. Before you load a partial firewall configuration, Panorama and that firewall might already have duplicate settings. Loading a firewall configuration might also add settings to Panorama that duplicate settings in other managed firewalls. If Panorama has policy rules or objects with the same names as those on a firewall, a commit failure occurs when you try to push device group settings to that firewall. If Panorama has template settings with the same names as those on a firewall, the template values override the firewall values when you push the template.
   - On Panorama, perform a global find to determine whether duplicate settings exist.
   - Delete or rename the duplicate settings on the firewall if you will use Panorama to manage them, or delete or rename the duplicate settings on Panorama if you will use the firewall to manage them. If you will use the firewall to manage device or network settings, instead of deleting or renaming the duplicates on Panorama, you can also push the settings from Panorama (Step 6) and then Override a Template Setting on the firewall with firewall-specific values.
3. Export the entire firewall configuration to your local computer.
   - On the firewall, select Device > Setup > Operations.
   - Click Save named configuration snapshot, enter a Name to identify the configuration, and click OK.
   - Click Export named configuration snapshot, select the Name of the configuration you just saved, and click OK. The firewall exports the configuration as an XML file.
4. Import the firewall configuration snapshot into Panorama.
   - On Panorama, select Panorama > Setup > Operations.
   - Click Import named Panorama configuration snapshot, Browse to the firewall configuration file you exported to your computer, and click OK.
   After using this option to import a firewall configuration file, you can't use the Panorama web interface to load it. You must use the XML API or CLI, as described in the next step.
5. Load the desired part of the firewall configuration into Panorama. To specify a part of the configuration (for example, all application objects), you must identify the:
   - Source xpath: the XML node in the firewall configuration file from which you are loading.
   - Destination xpath: the node in the Panorama configuration to which you are loading.
   Use the XML API or CLI to identify and load the partial configuration:
   - Use the firewall XML API or CLI to identify the source xpath. For example, the xpath for application objects in vsys1 of the firewall is:
     /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/application
   - Use the Panorama XML API or CLI to identify the destination xpath. For example, to load application objects into a device group named US-West, the xpath is:
     /config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='US-West']/application
   - Use the Panorama CLI to load the configuration and commit the change:
     # load config partial from <filename> from-xpath <source-xpath> to-xpath <destination-xpath> mode [append|merge|replace]
     For example, enter the following to load the application objects from vsys1 of an imported firewall configuration named fw1-config.xml into a device group named US-West on Panorama:
     # load config partial from fw1-config.xml from-xpath devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/application to-xpath /config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='US-West']/application mode merge
     # commit
6. Push the partial configuration from Panorama to the firewall to complete the transition to centralized management.
   - On the firewall, delete any rules or objects that have the same names as those in Panorama. If the device group for that firewall has other firewalls with rules or objects that are duplicated in Panorama, perform this step on those firewalls also. For details, see Step 2.
   - On Panorama, click Commit, for the Commit Type select Panorama, and click Commit again.
   - On Panorama, click Commit and for the Commit Type select Device Group. Select the Merge with Device Candidate Config, Include Device and Network Templates and Force Template Values check boxes. Select the device groups that contain the imported firewall configurations and click Commit.
   - If the firewall has a device or network setting that you won't use Panorama to manage, Override a Template Setting on the firewall.
7. Perform your post-migration test plan. Perform the verification tasks that you devised during the migration planning to confirm that the firewall works as efficiently with the Panorama-pushed configuration as it did with its original local configuration: see Create a post-migration test plan.
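Two steps of this procedure lend themselves to an offline check against the exported XML before anything is committed: the duplicate-name search of Step 2 (a rule or object name that exists both on the firewall and in the target device group or Shared fails the device group push) and the partial load of Step 5 (the same source and destination xpaths the CLI example uses). The following Python script is an added example, not Palo Alto Networks code and not the PAN-OS CLI: it operates on a constructed firewall snapshot and a constructed Panorama configuration with the standard library's ElementTree, whose limited XPath support is enough for the entry[@name='...'] paths shown above. The meaning given to the append, merge and replace modes is this example's assumption about three ways of combining the entries, not a description of what the CLI does; the configuration contents, rule and object names, and function names are made up.

```python
import copy
import xml.etree.ElementTree as ET

# Constructed sample: the relevant parts of the exported firewall snapshot fw1-config.xml.
FW1_CONFIG = """<config>
  <devices><entry name="localhost.localdomain">
    <vsys><entry name="vsys1">
      <address>
        <entry name="web-proxy"><ip-netmask>10.0.0.8/32</ip-netmask></entry>
        <entry name="backup-host"><ip-netmask>10.0.0.9/32</ip-netmask></entry>
      </address>
      <application>
        <entry name="custom-erp"><category>business-systems</category></entry>
        <entry name="custom-ssh"><category>networking</category></entry>
      </application>
      <rulebase><security><rules>
        <entry name="allow-web"/><entry name="allow-dns"/>
      </rules></security></rulebase>
    </entry></vsys>
  </entry></devices>
</config>"""

# Constructed sample: the Panorama candidate configuration with a device group named US-West.
PANORAMA_CONFIG = """<config>
  <shared><address>
    <entry name="web-proxy"><ip-netmask>10.1.0.8/32</ip-netmask></entry>
  </address></shared>
  <devices><entry name="localhost.localdomain">
    <device-group><entry name="US-West">
      <address><entry name="backup-host"><ip-netmask>10.0.0.9/32</ip-netmask></entry></address>
      <application>
        <entry name="custom-erp"><category>general-internet</category></entry>
        <entry name="legacy-app"><category>media</category></entry>
      </application>
      <pre-rulebase><security><rules><entry name="allow-web"/></rules></security></pre-rulebase>
      <post-rulebase><security><rules><entry name="deny-all"/></rules></security></post-rulebase>
    </entry></device-group>
  </entry></devices>
</config>"""

FW_ROOT = "devices/entry[@name='localhost.localdomain']"
VSYS1 = FW_ROOT + "/vsys/entry[@name='vsys1']"


def _relative(xpath):
    """ElementTree searches relative to the <config> root, so drop a leading /config/."""
    path = xpath.strip()
    for prefix in ("/config/", "/"):
        if path.startswith(prefix):
            return path[len(prefix):]
    return path


def _entry_names(root, xpath):
    """Names of the <entry> children under the node at xpath (empty set if absent)."""
    node = root.find(_relative(xpath))
    return set() if node is None else {e.get("name") for e in node.findall("entry")}


def find_duplicate_settings(firewall_xml, panorama_xml, device_group):
    """Step 2 check: firewall rules and objects whose names also exist in the device group
    (pre- or post-rulebase) or in Shared on Panorama; each would fail the device group push."""
    fw, pan = ET.fromstring(firewall_xml), ET.fromstring(panorama_xml)
    dg = f"{FW_ROOT}/device-group/entry[@name='{device_group}']"
    checks = {
        "security rule": (VSYS1 + "/rulebase/security/rules",
                          [dg + "/pre-rulebase/security/rules", dg + "/post-rulebase/security/rules"]),
        "address object": (VSYS1 + "/address", ["shared/address", dg + "/address"]),
        "application object": (VSYS1 + "/application", ["shared/application", dg + "/application"]),
    }
    duplicates = []
    for kind, (fw_path, pan_paths) in checks.items():
        on_panorama = set().union(*(_entry_names(pan, p) for p in pan_paths))
        duplicates.extend((kind, name) for name in sorted(_entry_names(fw, fw_path) & on_panorama))
    return duplicates


def load_config_partial(source_root, dest_root, from_xpath, to_xpath, mode="merge"):
    """Step 5 on an XML tree: copy the <entry> children under from_xpath in the firewall
    snapshot to the node at to_xpath in the Panorama tree. ASSUMED mode semantics: append
    adds only entries whose names are new, merge also overwrites same-name entries, replace
    discards everything at the destination first."""
    src = source_root.find(_relative(from_xpath))
    dst = dest_root.find(_relative(to_xpath))
    if src is None or dst is None:
        raise ValueError("source or destination xpath did not resolve")
    if mode == "replace":
        for child in list(dst):
            dst.remove(child)
    existing = {e.get("name"): e for e in dst.findall("entry")}
    for entry in src.findall("entry"):
        name = entry.get("name")
        if name in existing:
            if mode == "append":
                continue                # keep the Panorama copy
            dst.remove(existing[name])  # merge: the firewall copy wins
        dst.append(copy.deepcopy(entry))
    return dst


def application_categories(mode):
    """Run the page's example load (vsys1 applications into device group US-West) in the
    given mode and return {application name: category} as it would then stand on Panorama."""
    src, dst = ET.fromstring(FW1_CONFIG), ET.fromstring(PANORAMA_CONFIG)
    node = load_config_partial(
        src, dst,
        "devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/application",
        "/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='US-West']/application",
        mode)
    return {e.get("name"): e.findtext("category") for e in node.findall("entry")}


if __name__ == "__main__":
    for dup in find_duplicate_settings(FW1_CONFIG, PANORAMA_CONFIG, "US-West"):
        print("duplicate %s: %s" % dup)
    for mode in ("append", "merge", "replace"):
        print(mode, application_categories(mode))
```

On the constructed inputs the duplicate check flags the rule allow-web, both address objects (backup-host in the device group, web-proxy in Shared) and the application custom-erp, which is exactly the list to delete or rename on one side before the push in Step 6. The three loads of the same application subtree differ only in how custom-erp is treated: append keeps the Panorama value, merge takes the firewall value, and replace drops legacy-app as well.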