Migrate from an M-Series Appliance to a Panorama Virtual Appliance

Procedure to migrate from an M-Series appliance to a Panorama virtual appliance on Panorama 8.0
You can migrate the Panorama configuration from an M-100, M-200, M-500, or M-600 appliance to a Panorama virtual appliance in Panorama mode. However, you cannot migrate the logs because the log format on the M-Series appliances is incompatible with that on the Panorama virtual appliances. Therefore, if you want to maintain access to the old logs stored on the M-Series appliance, you must continue running the M-Series appliance as a Dedicated Log Collector after the migration and add it to the Panorama virtual appliance as a managed collector.
If your Panorama management server is part of a high availability configuration, you must deploy a second Panorama virtual appliance of the same hypervisor or cloud environment, and purchase the required device management and support licenses. See Panorama HA Prerequisites for a full list of HA requirements.
  1. Plan the migration.
    • Upgrade the M-Series appliance to PAN-OS 8.1 or a later release before migrating to the Panorama virtual appliance. To upgrade Panorama, see Install Content and Software Updates for Panorama. For important details about software versions, see Panorama, Log Collector, Firewall, and WildFire Version Compatibility.
    • Schedule a maintenance window for the migration. Although firewalls can buffer logs after the M-Series appliance goes offline and then forward the logs after the Panorama virtual appliance comes online, completing the migration during a maintenance window minimizes the risk that logs will exceed the buffer capacities during the transition to a different Panorama model.
  2. Purchase management and support licenses for the new Panorama virtual appliance.
    1. Contact your sales representative to purchase the new device management and support licenses.
    2. Provide your sales representative with the serial number of the M-Series appliance you plan to phase out, the auth code you received when you purchased the new Panorama virtual appliance, and the effective date for the migration. On the effective date, Palo Alto Networks will automatically apply the existing auth code to the serial number of the Panorama virtual appliance, apply the new management license to the M-Series appliance, and trigger support for the M-Series appliance. Consult your sales representative regarding how much time is available to complete the migration after the effective date.
  3. Perform the initial setup of the Panorama virtual appliance.
    1. Set Up the Panorama Virtual Appliance.
    2. Perform Initial Configuration of the Panorama Virtual Appliance to define the network connections required to activate licenses and install updates.
    3. Register Panorama.
    4. Activate a Panorama Support License.
    5. Activate/Retrieve a Firewall Management License when the Panorama Virtual Appliance is Internet-connected.
    6. Install Content and Software Updates for Panorama. Install the same versions as those on the M-Series appliance.
  4. Edit the M-Series appliance Panorama interface configuration to only use the management interface.
    The Panorama virtual appliance supports only the management interface for device management and log collection.
    1. Log in to the Panorama Web Interface of the M-Series appliance.
    2. Select Panorama > Setup > Management.
    3. Edit the General Settings, modify the Hostname, and click OK.
    4. Select Interfaces and edit the Management interface to enable the required services.
    5. Disable services for the remaining interfaces.
    6. Select Commit > Commit to Panorama.
  5. Add the IP address of the new Panorama virtual appliance.
    On the M-Series appliance, add the public IP address of the Panorama virtual appliance as the second Panorama Server to manage devices from the new Panorama management server. If the Panorama virtual appliance is deployed on AWS, Azure, or Google™ Cloud Platform, use the public IP address.
    1. Select Device > Setup.
    2. In the Template context drop-down, select the template or template stack containing the Panorama server configuration.
    3. Edit the Panorama Settings.
    4. Enter the Panorama virtual appliance public IP address and click OK.
    5. Select Commit > Commit and Push.
  6. Export the configuration from the M-Series appliance.
    1. Select Panorama > Setup > Operations.
    2. Click Save named Panorama configuration snapshot, enter a Name to identify the configuration, and click OK.
    3. Click Export named Panorama configuration snapshot, select the Name of the configuration you just saved, and click OK. Panorama exports the configuration to your client system as an XML file. Save the configuration to a location external to the Panorama appliance.
  7. Power off the M-Series appliance or assign a new IP address to the management (MGT) interface.
    If the M-Series appliance is in Panorama mode and has logs stored on the local Log Collector that you need to access from the new Panorama virtual appliance, you must change the IP address on the M-Series appliance in order to add it to the Panorama virtual appliance as a managed Log Collector.
    • To power off the M-Series appliance:
    1. Log in to the Panorama web interface.
    2. Select Panorama > Setup > Operations, and under Device Operations, click Shutdown Panorama. Click Yes to confirm the shutdown.
    • To change the IP address on the M-Series appliance:
    1. Log in to the Panorama web interface.
    2. Select Panorama > Setup > Management, and edit the Management Interface Settings.
    3. Enter the new IP Address and click OK.
    4. Select Commit > Commit to Panorama and Commit your changes.
  8. Load the Panorama configuration snapshot that you exported from the M-Series appliance into the Panorama virtual appliance.
    1. Log in to the Panorama web interface of the Panorama virtual appliance, and select Panorama > Setup > Operations.
    2. Click Import named Panorama configuration snapshot, Browse to the Panorama configuration file you exported from the M-Series appliance, and click OK.
    3. Click Load named Panorama configuration snapshot, select the Name of the configuration you just imported, select a Decryption Key (the master key for Panorama), and click OK. Panorama overwrites its current candidate configuration with the loaded configuration. Panorama displays any errors that occur when loading the configuration file.
    If errors occurred, save them to a local file. Resolve each error to ensure the migrated configuration is valid. The configuration has been loaded once the commit is successful.
  9. Change the M-Series appliance to Log Collector mode to preserve existing log data.
    Logging data is erased if you change to Log Collector mode while the logging disks are still inserted in the M-Series appliance. Logging disks must be removed before changing mode to avoid log data loss.
    Generating the metadata for each disk pair rebuilds the indexes. Therefore, depending on the data size, this process can take a long time to complete. To expedite the process, you can launch multiple CLI sessions and run the metadata regeneration command in each session to complete the process simultaneously for every pair. For details, see Regenerate Metadata for M-Series Appliance RAID Pairs.
    1. Remove the RAID disks from the old M-Series appliance.
      1. Power off the M-Series appliance by pressing the Power button until the system shuts down.
      2. Remove the disk pairs. For details, refer to the disk replacement procedure in the M-Series Appliance Hardware Reference Guides.
    2. Power on the M-Series appliance by pressing the Power button.
    3. Log in to the Panorama CLI on the old M-Series appliance.
    4. Switch from Panorama mode to Log Collector mode.
      • Switch to Log Collector mode by entering the following command:
        > request system system-mode logger
      • Enter Y to confirm the mode change. The M-Series appliance reboots. If the reboot process terminates your terminal emulation software session, reconnect to the M-Series appliance to see the Panorama login prompt.
        If you see a CMS Login prompt, this means the Log Collector has not finished rebooting. Press Enter at the prompt without typing a username or password.
      • Log back in to the CLI.
      • Verify that the switch to Log Collector mode succeeded:
        > show system info | match system-mode
        If the mode change succeeded, the output displays:
        > system-mode: logger
    5. Insert the disks back into the old M-Series appliance. For details, refer to the disk replacement procedure in the M-Series Appliance Hardware Reference Guides.
      You must maintain the disk pair association. Although you can place a disk pair from slot A1/A2 into slot B1/B2, you must keep the disks together in the same slot; otherwise, Panorama might not restore the data successfully.
    6. Enable the disk pairs by running the following CLI command for each pair:
      > request system raid add <slot> force no-format
      For example:
      > request system raid add A1 force no-format 
      > request system raid add A2 force no-format
      The force and no-format arguments are required. The force argument associates the disk pair with the new appliance. The no-format argument prevents reformatting of the drives and retains the logs stored on the disks.
    7. Generate the metadata for each disk pair.
      > request metadata-regenerate slot <slot_number>
      For example:
      > request metadata-regenerate slot 1
    8. Enable connectivity between the Log Collector and Panorama management server.
      Enter the following commands at the Log Collector CLI, where <IPaddress1> is for the MGT interface of the solitary (non-HA) or active (HA) Panorama and <IPaddress2> is for the MGT interface of the passive (HA) Panorama, if applicable.
      > configure  
      # set deviceconfig system panorama-server <IPaddress1> panorama-server-2 <IPaddress2>  
      # commit  
      # exit
  10. Synchronize the Panorama virtual appliance with the firewalls to resume firewall management.
    Complete this step during a maintenance window to minimize network disruption.
    1. On the Panorama virtual appliance, select Panorama > Managed Devices and verify that the Device State column displays the firewalls as Connected.
      At this point, the Shared Policy (device groups) and Template columns display Out of sync for the firewalls.
    2. Push your changes to device groups and templates:
      1. Select Commit > Push to Devices and Edit Selections.
      2. Select Device Groups, select every device group, and Include Device and Network Templates.
      3. Select Collector Groups, select every collector group, and click OK.
      4. Push your changes.
    3. On the Panorama > Managed Devices page, verify that the Shared Policy and Template columns display In sync for the firewalls.
  11. (HA only) Set up the Panorama HA peer.
    If the Panorama management servers are in a high availability configuration, perform the steps below on the HA peer.
    1. Perform the initial setup of the Panorama virtual appliance.
    2. Edit the M-Series appliance Panorama interface configuration to only use the management interface.
    3. Add the IP address of the new Panorama virtual appliance.
    4. Power off the M-Series appliance or assign a new IP address to the management (MGT) interface.
    5. Change the M-Series appliance to Log Collector mode to preserve existing log data.
  12. (HA only) Modify the Panorama virtual appliance HA peer configuration.
    1. On an HA peer, log in to the Panorama Web Interface, select Panorama > High Availability, and edit the Setup.
    2. In the Peer HA IP Address field, enter the new IP address of the HA peer and click OK.
    3. Select Commit > Commit to Panorama and Commit your change.
    4. Repeat these steps on the other peer in the HA pair.
  13. (HA only) Synchronize the Panorama peers.
    1. Access the Dashboard on one of the HA peers and select Widgets > System > High Availability to display the HA widget.
    2. Click Sync to peer, click Yes, and wait for the Running Config to display Synchronized.
    3. Access the Dashboard on the remaining HA peer and select Widgets > System > High Availability to display the HA widget.
    4. Verify that the Running Config displays Synchronized.
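
The snapshot exported in step 6 sits on a client system until it is imported in step 8, so it is worth confirming that the file you import is the file you exported. The following Python check is an added example, not part of the vendor procedure; the function names, the file name, and the expectation that the export's root element is `config` are assumptions, and the sample XML is constructed.

```python
import hashlib
import os
import stat
import xml.etree.ElementTree as ET


def describe_snapshot(path):
    """Return the facts to record right after export (step 6)."""
    with open(path, "rb") as fh:
        data = fh.read()
    # A configuration export has no reason to carry a DTD; refuse entity tricks.
    if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
        raise ValueError("snapshot contains a DTD; refusing to parse")
    root = ET.fromstring(data)  # raises ParseError on a truncated export
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "root": root.tag,
        "version": root.get("version"),
    }


def verify_snapshot(path, recorded):
    """Return problems found before import (step 8); an empty list means OK."""
    try:
        current = describe_snapshot(path)
    except (ValueError, ET.ParseError) as exc:
        return [f"not usable as a snapshot: {exc}"]
    problems = []
    if current["sha256"] != recorded["sha256"]:
        problems.append("content changed since export")
    if current["root"] != "config":  # assumption about the export's root element
        problems.append(f"unexpected root element {current['root']!r}")
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if os.name == "posix" and mode & 0o077:
        problems.append(f"file mode {mode:o} lets other users read the snapshot")
    return problems


if __name__ == "__main__":
    import tempfile
    # Constructed sample, not a real Panorama export.
    sample = b'<config version="8.1.0"><mgt-config/><devices/></config>'
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "m-series-snapshot.xml")
        with open(p, "wb") as fh:
            fh.write(sample)
        os.chmod(p, 0o600)
        recorded = describe_snapshot(p)
        print(verify_snapshot(p, recorded))  # file unchanged since export
        with open(p, "ab") as fh:
            fh.write(b"<!-- edited -->")
        print(verify_snapshot(p, recorded))  # file modified after export
```

Keep the recorded values somewhere other than next to the snapshot, so that a change to the file cannot be hidden by changing the record with it.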
