1. Home
    2. Panorama
    3. Panorama Administrator's Guide
    4. Set Up Panorama
    5. Transition to a Different Panorama Model
    6. Migrate from an M-Series Appliance to a Panorama Virtual Appliance

    Migrate from an M-Series Appliance to a Panorama Virtual Appliance

    Procedure to migrate from an M-Series appliance to a Panorama virtual appliance on Panorama 9.1
    You can migrate the Panorama configuration from an M-100, M-200, M-500, M-600 appliance to a Panorama virtual appliance in Panorama mode. However, you cannot migrate the logs because the log format on the M-Series appliances is incompatible with that on the Panorama virtual appliances. Therefore, if you want to maintain access to the old logs stored on the M-Series appliance, you must continue running the M-Series appliance as a Dedicated Log Collector after the migration and add it to the Panorama virtual appliance as a managed collector.
    If your Panorama management server is part of a high availability configuration, you must deploy a second Panorama virtual appliance of the same hypervisor or cloud environment, and purchase the required device management and support licenses. See Panorama HA Prerequisites for a full list of HA requirements.
    1. Plan the migration.
      • Upgrade the M-Series appliance to PAN-OS 9.1 or later release before the migrating to the Panorama virtual appliance. To upgrade Panorama, see Install Content and Software Updates for Panorama. For important details about software versions, see Panorama, Log Collector, Firewall, and WildFire Version Compatibility.
      • Schedule a maintenance window for the migration. Although firewalls can buffer logs after the M-Series appliance goes offline and then forward the logs after the Panorama virtual appliance comes online, completing the migration during a maintenance window minimizes the risk that logs will exceed the buffer capacities during the transition to a different Panorama model.
    2. Purchase management and support licenses for the new Panorama virtual appliance.
      1. Contact your sales representative to purchase the new device management and support licenses.
      2. Provide your sales representative the serial number of the M-Series appliance you to plan phase out, the serial number and support auth code you received when you purchased the new Panorama virtual appliance, and the date when you expect your migration from the old device to the new virtual appliance to be completed. Before the migration date, register the serial number and activate support auth code on the new virtual appliance so that you can begin your migration. The capacity auth code on the old M-Series appliance is automatically removed on the expected migration completion date you provided.
    3. Perform the initial setup of the Panorama virtual appliance.
    4. Edit the M-Series appliance Panorama interface configuration to only use the management interface.
      The Panorama virtual appliance supports only the management interface for device management and log collection.
      1. Log in to the Panorama Web Interface of the M-Series appliance.
      2. Select
        Panorama
        Setup
        Management
        .
      3. Edit the General Settings, modify the
        Hostname
        , and click
        OK
        .
      4. Select
        Interfaces
         and edit the
        Management
         interface to enable the required services.
      5. Disable services for the remaining interfaces.
      6. Select
        Commit
        Commit to Panorama
        .
    5. Add the IP address of the new Panorama virtual appliance.
      On the M-Series appliance, add the Public IP address of the Panorama virtual appliance as the second Panorama Server to manage devices from the new Panorama management server. If the Panorama virtual appliance is deployed on AWS, Azure or Google™ Cloud Platform, use the public IP address.
      1. Select
        Device
        Setup
        .
      2. In the Template context drop-down, select the template or template stack containing the Panorama server configuration.
      3. Edit the Panorama Settings.
      4. Enter the Panorama virtual appliance public IP address and click
        OK
        .
      5. Select
        Commit
        Commit and Push
        .
    6. Export the configuration from the M-Series appliance.
      1. Select
        Panorama
        Setup
        Operations
        .
      2. Click
        Save named Panorama configuration snapshot
        , enter a
        Name
         to identify the configuration, and click
        OK
        .
      3. Click
        Export named Panorama configuration snapshot
        , select the
        Name
         of the configuration you just saved, and click
        OK
        . Panorama exports the configuration to your client system as an XML file. Save the configuration to a location external to the Panorama appliance.
    7. Power off the M-Series appliance or assign a new IP address to the management (MGT) interface.
      If the M-Series appliance is in Panorama mode and has logs stored on the local Log Collector that you need access on the new Panorama virtual appliance, you must change the IP address on the M-Series appliance in order to add it to the Panorama virtual appliance as a managed Log Collector.
      • To Power off the M-Series appliance:
      1. Log in to the Panorama web interface.
      2. Select
        Panorama
        Setup
        Operations
        , and under Device Operations,
        Shutdown Panorama
        . Click
        Yes
         to confirm the shutdown.
      • To change the IP address on the M-Series appliance:
      1. Log in to the Panorama web interface.
      2. Select
        Panorama
        Setup
        Management
        , and edit the Management Interface Settings.
      3. Enter the new
        IP Address
         and click
        OK
        .
      4. Select
        Commit
        Commit to Panorama
         and
        Commit
         your changes.
    8. Load the Panorama configuration snapshot that you exported from the M-Series appliance into the Panorama virtual appliance.
      The Panorama
      Policy
      rule
      Creation
       and
      Modified
       dates are updated to reflect the date you commit the imported Panorama configuration on the new Panorama. The universially unique identifier (UUID) for each policy rule persists when you migrate the Panorama configuration.
      The
      Creation
       and
      Modified
       for managed firewalls are not impacted when you monitor policy rule usage for a managed firewall because this data is stored locally on the managed firewall and not on Panorama.
      1. Log in to the Panorama web interface of the Panorama virtual appliance, and select
        Panorama
        Setup
        Operations
        .
      2. Click
        Import named Panorama configuration snapshot
        ,
        Browse
         to the Panorama configuration file you exported from the M-Series appliance, and click
        OK
        .
      3. Click
        Load named Panorama configuration snapshot
        , select the
        Name
         of the configuration you just imported, select a
        Decryption Key
         (the master key for Panorama), and click
        OK
        . Panorama overwrites its current candidate configuration with the loaded configuration. Panorama displays any errors that occur when loading the configuration file.
      If errors occurred, save them to a local file. Resolve each error to ensure the migrated configuration is valid. The configuration has been loaded once the commit is successful.
    9. Change the M-Series appliance to Log Collector mode to preserve existing log data.
      Logging data is erased if you change to Log Collector mode while the logging disks are still inserted in the M-Series appliance. Logging disks must be removed before changing mode to avoid log data loss.
      Generating the metadata for each disk pair rebuilds the indexes. Therefore, depending on the data size, this process can take a long time to complete. To expedite the process, you can launch multiple CLI sessions and run the metadata regeneration command in each session to complete the process simultaneously for every pair. For details, see Regenerate Metadata for M-Series Appliance RAID Pairs.
      1. Remove the RAID disks from the old M-Series appliance.
        1. Power off the M-Series appliance by pressing the Power button until the system shuts down.
        2. Remove the disk pairs. For details, refer to the disk replacement procedure in the M-Series Appliance Hardware Reference Guides.
      2. Power on the M-Series appliance by pressing the Power button.
      3. If an
        admin
         administrator account already is already created, continue to the next step.
        An
        admin
         account with superuser privileges must be created before you switch to Log Collector mode or you lose access to the M-Series appliance after switching modes.
      4. Log in to the Panorama CLI on the old M-Series appliance.
      5. Switch from Panorama mode to Log Collector mode.
        • Switch to Log Collector mode by entering the following command:
          > 
          request system system-mode logger
        • Enter
          Y
           to confirm the mode change. The M-Series appliance reboots. If the reboot process terminates your terminal emulation software session, reconnect to the M-Series appliance to see the Panorama login prompt.
          If you see a
          CMS Login
           prompt, this means the Log Collector has not finished rebooting. Press Enter at the prompt without typing a username or password.
        • Log back in to the CLI.
        • Verify that the switch to Log Collector mode succeeded:
          > 
          show system info | match system-mode
          If the mode change succeeded, the output displays:
          > 
          system-mode: logger
      6. Insert the disks back into the old M-Series appliance. For details, refer to the disk replacement procedure in the M-Series Appliance Hardware Reference Guides.
        You must maintain the disk pair association. Although you can place a disk pair from slot A1/A2 on the into slot B1/B2, you must keep the disks together in the same slot; otherwise, Panorama might not restore the data successfully.
      7. Enable the disk pairs by running the following CLI command for each pair:
        > 
        request system raid add 
        <slot>
         force no-format
        For example:
        > 
        request system raid add A1 force no-format
         
> 
        request system raid add A2 force no-format
        The
        force
         and
        no-format
         arguments are required. The
        force
         argument associates the disk pair with the new appliance. The
        no-format
         argument prevents reformatting of the drives and retains the logs stored on the disks.
      8. Generate the metadata for each disk pair.
        > 
        request metadata-regenerate slot 
        <slot_number>
        For example:
        > 
        request metadata-regenerate slot 1
      9. Enable connectivity between the Log Collector and Panorama management server.
        Enter the following commands at the Log Collector CLI, where
        <IPaddress1>
         is for the MGT interface of the solitary (non-HA) or active (HA) Panorama and
        <IPaddress2>
         is for the MGT interface of the passive (HA) Panorama, if applicable.
        > 
        configure
          
# 
        set deviceconfig system panorama-server 
        <IPaddress1>
         panorama-server-2 
        <IPaddress2>
          
# 
        commit
          
# 
        exit
    10. Synchronize the Panorama virtual appliance with the firewalls to resume firewall management.
      Complete this step during a maintenance window to minimize network disruption.
      1. On the Panorama virtual appliance, select
        Panorama
        Managed Devices
         and verify that the Device State column displays the firewalls as
        Connected
        .
        At this point, the Shared Policy (device groups) and Template columns display
        Out of sync
         for the firewalls.
      2. Push your changes to device groups and templates:
        1. Select
          Commit
          Push to Devices
           and
          Edit Selections
          .
        2. Select
          Device Groups
          , select every device group, and
          Include Device and Network Templates
          .
        3. Select
          Collector Groups
          , select every collector group, and click
          OK
          .
        4. Push
           your changes.
      3. In the
        Panorama
        Managed Devices
         page, verify that the Shared Policy and Template columns display
        In sync
         for the firewalls.
    12. (
      HA only
      ) Modify the Panorama virtual appliance HA peer configuration.
      1. On an HA peer, Log in to the Panorama Web Interface, select
        Panorama
        High Availability
         and edit the
        Setup
        .
      2. In the
        Peer HA IP Address
         field, enter the new IP address of the HA peer and click
        OK
        .
      3. Select
        Commit
        Commit to Panorama
         and
        Commit
         your change
      4. Repeat these steps on the other peer in the HA peer.
    13. (
      HA only
      ) Synchronize the Panorama peers.
      1. Access the
        Dashboard
         on one of the HA peers and select
        Widgets
        System
        High Availability
         to display the HA widget.
      2. Sync to peer
        , click
        Yes
        , and wait for the
        Running Config
         to display
        Synchronized
        .
      3. Access the
        Dashboard
         on the remaining HA peer and select
        Widgets
        System
        High Availability
         to display the HA widget.
      4. Verify that the
        Running Config
         displays
        Synchronized
        .

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2022 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo