>
    Strata Copilot
    Migrate from Panorama to Strata Cloud Manager
    Focus
    Download PDF
    Focus
    1. Home
    2. Strata Cloud Manager
    3. Strata Cloud Manager Activation & Onboarding
    4. Migrate from Panorama to Strata Cloud Manager
    Download PDF
    Strata Cloud Manager

    Migrate from Panorama to Strata Cloud Manager

    Table of Contents

    Migrate from Panorama to Strata Cloud Manager

    Learn about migrating your Prisma Access or NGFW deployments from Panorama to Strata Cloud Manager using the automated migration workflow.
    Where Can I Use This?What Do I Need?
    • NGFW (Managed by Panorama)
    • Prisma Access (Managed by Panorama)
    Migrating NGFWs:
    Migrating Prisma Access:
    • Prisma Access license
    • To begin the migration from Prisma Access (Managed by Panorama) to Prisma Access (Managed by Strata Cloud Manager), reach out to your Palo Alto Networks account team
    Migration from Panorama to Strata Cloud Manager is now available for both Prisma Access and NGFW Panorama configurations, allowing you the benefits of cloud management and shared configuration management in the cloud environment. The migration process addresses considerations such as configuration preservation and policy continuity.
    For NGFW deployments, you can follow this workflow to review configuration compatibility, even if you're not yet ready to migrate. You can decide to trim or accept any features that aren't supported or are partially supported for Strata Cloud Manager configuration management. During migration, Strata Cloud Manger converts Panorama device group hierarchies into corresponding Strata Cloud Manager folder structures, and converts Panorama templates and template stacks into reusable snippets.
    For Prisma Access deployments, migrations focus on preserving your remote access infrastructure, mobile user configurations, and site-to-site connectivity while transitioning management oversight to Strata Cloud Manager.

    Migrate Configurations From Panorama to Strata Cloud Manager (NGFW)

    Learn about the migration process for migrating your NGFW deployments from Panorama to Strata Cloud Manager.
    This feature is available on request. Contact your account team to enable the feature.
    You can migrate your existing NGFW configurations from Panorama to Strata Cloud Manager for cloud-based configuration management.
    During the migration, Strata Cloud Manager:
    • Copies and translates supported security policies, network configurations, and objects.
    • Maintains existing network topology and NGFW deployments.
    • Highlights areas that are partially supported or unsupported.
    Managing your NGFWs using Strata Cloud Manager instead of Panorama can offer you benefits such as unified management for Prisma Access and NGFWs, cloud-native scalability of your network, and enhanced visibility.
    Strata Cloud Manager guides you through migrating your configurations with these key steps:
    • Upload existing configurations — Import your current Panorama configurations.
    • Run compatibility assessment — Identify unsupported features or configurations that need attention.
    • Perform validation and prepare for deployment — Complete final checks before migration.
    • Migration control — Devices and device groups can be migrated in phases, allowing you to migrate non-critical devices or go site-by-site.
    Review results at each step, make necessary adjustments, and verify that your configurations are fully compatible with Strata Cloud Manager before completing the migration.

    How Configuration Management Changes When You Move from Panorama to Strata Cloud Manager

    Panorama configuration management is based on:
    • Device Groups — Organize firewalls into hierarchical groups for security policy management (security rules, NAT policies, application filters).
    • Templates and Template Stacks — Define network and device settings (interfaces, zones, routing, system settings).
    • Inheritance — Device Groups inherit policies from parent groups; Template Stacks layer multiple templates with override capabilities.
    Strata Cloud Manager configuration management is based on:
    • Folders — Hierarchical containers that hold both security policies AND network configurations.
    • Snippets — Reusable configuration blocks that can be attached to folders at any level.
    • Containers — Device-specific configuration holders for unique firewall requirements .
    During migration, Strata Cloud Manager converts your Panorama-based configuration and builds it into folders and snippets:
    PanoramaStrata Cloud Manager
    Device GroupsFolders
    Templates & Template StacksSnippets
    Policies and ProfilesSnippets
    Shared ObjectsGlobal folder as an attached Snippet
    Policies in Device GroupsPolicies under mapped Folder(s)
    Objects (addresses, EDLs, etc.)Objects under mapped Folder(s)
    Key difference between Panorama and Strata Cloud Manager to keep in mind:
    • Strata Cloud Manager Folders contain both network and security configurations, while Panorama separates these between Templates and Device Groups
    • Strata Cloud Manager Folders provide more flexible inheritance with Snippet-based overrides versus the lower-level group overrides seen in Panorama
    • Strata Cloud Manager Snippets provide a more plug-and-play approach to configurations compared to Panorama's Templates and Template stacks that are inherited down the stack.
    After migration, you manage configurations through the folder and snippet model. Snippet attachment order determines configuration precedence, providing granular control over how multiple configuration sources combine. You can also create device-specific containers for NGFWs requiring unique configurations outside the folder inheritance model.
    Additional Resources
    Learn more about Device Groups and Templates.
    Learn more about Snippets and Folders

    Prepare to Migrate Your Panorama NGFW Configurations to Strata Cloud Manager

    Before beginning the migration, ensure you have the following items ready:
    • Minimum Software Requirements: PAN-OS 10.2.3 or later
    • Export Panorama Configuration File: Export the complete running configuration from your source Panorama instance in XML format
    • Panorama Master Key: Obtain the master key used for encryption in your Panorama configuration (if not using the default key)
    • Strata Cloud Manager Tenant: Verify that your Strata Cloud Manager tenant is deployed, properly licensed, and operational
    • NGFW Configuration: Collect the last-pushed configuration files (Technical Support Files) from NGFWs you plan to validate post-migration
    • Network Topology: Review your current device group hierarchies, template relationships, and NGFW assignments
    • Configuration Backup: Create complete backups of your current Panorama and NGFW configurations as a safety measure
    • Administrative Access: Ensure you have access to the Superuser role in both Panorama and Strata Cloud Manager.
    • Migration Planning: Identify which device groups, templates, and NGFWs you want to migrate in your initial phase
    • Compatibility Matrix: Understand which features may not be supported in Strata Cloud Manager and plan for any necessary configuration adjustments
    • Unsupported Functionalities: Migration of configurations to Strata Cloud Manager is not supported if the intrazone-default and interzone-default policies have been overwritten at the Device Group level. If these default security rules are overwritten, the migration tool cannot process the Panorama configuration. You must remove these overwritten policies from Panorama, commit your changes, and re-export the running-config.xml before attempting the migration.

    Migrate Your Panorama NGFW Configurations to Strata Cloud Manager

    Migrate your NGFW configurations from Panorama to Strata Cloud Manager:
    1. Prepare your Panorama for the migration.
      1. Log in to the Panorama that manages your NGFWs with an administrative account that is assigned the Superuser role.
      2. (Optional) If you have configured a custom Master Key for Panorama, make a note of it.
        If your deployment uses the default Master Key, this step isn't required.
      3. Ensure that your current Panorama configuration is up to date and that you have committed and pushed all your current changes to Panorama by going to CommitCommit & Push and Preview Changes.
      4. (Optional) Check the diffs between the running configuration and the candidate configuration and determine whether you want to push those changes. To commit and push the changes, Edit Selections and select the NGFWs you want to push in the Push Scope.
      5. (Optional) Commit and Push your changes.
      6. Go to PanoramaSetupOperations and Export the named Panorama configuration snapshot.
        The .xml file is required to upload to Strata Cloud Manager during the migration process. Don't upload a techsupport file or any other file except an .xml configuration file.
      7. Select the running-config.xml configuration file and click OK.
    2. Log in to Strata Cloud Manager as an administrator with a Superuser role and go to ConfigurationOnboarding.
      The migration program detects that you have a Panorama managed deployment.
      1. Confirm the tenant is correct.
      2. (Optional) Create a Named Snapshot of your running configuration in the event that a rollback is necessary.
      Migration should not be attempted during an Strata Cloud Manager upgrade window. Check your upgrade schedule to see if you have an upcoming upgrade.
    3. Read the migration Overview.
      1. Review the management building blocks of Strata Cloud Manager: Folders and Snippets.
      2. Click Next: Upload Panorama Configuration.
    4. Upload the Panorama configuration.
      1. Select the Panorama configuration .xml file you downloaded in an earlier step by dragging and dropping it from your file explorer or selecting Choose File.
      2. (Optional) Input your Master Key or, if you did not create a custom master key, use the Default one.
      3. Click Next: Review Migration Compatibility.
      If the migration tool produces any errors that cannot resolve automatically, you may have a configuration that is unsupported. Click Cancel Migration, remove these overwritten policies from your Panorama configuration, re-export the configuration file, and restart the migration process.
    5. Review the configuration compatibility.
      1. (Optional) Export Compatibility Summary and review your organization’s configuration compatibility before continuing and allowing Strata Cloud Manager to trim any unsupported or partially supported configurations.
        The trimming of unsupported and partially supported features avoids migrating features that cannot be deployed safely or securely in Strata Cloud Manager.
        This process will only impact the staged configuration for Strata Cloud Manager. The configurations in Panorama will remain unaffected.
        For each flagged area, you should plan to rebuild, replace, or defer those configurations.
      2. Review the Unsupported Features that will be trimmed from your configuration during the migration.
        These features will be trimmed from your configurations and will not be staged in Strata Cloud Manager during the configuration migration process.
      3. Review the Partially Supported Features and determine a resolution path.
        Identify what exactly is going to be missing from the configuration.
        You can accept the partially supported features and build a remediation plan post-migration or return to your Panorama configuration and clean these areas up before starting the migration process again.
      4. Acknowledge the unsupported and partially supported features.
      5. Click Next: Select Device Groups to Migrate.
      For those just looking to compare supported configurations, or if it is decided than more planning is needed, you can end the migration process here.
    6. Select the Devices or Device Groups you would like to migrate.
      If you are migrating NGFWs from Panorama for the first time, it is recommended to only migrate non-critical devices or device groups first to test how your configurations will be migrated to Strata Cloud Manager.
      During the migration:
      • Objects are imported to a Snippet and attached to the Global folder.
      • Policies are imported under the Folder(s) migrated by the workflow.
      • Shared Device Groups are automatically mapped to the All Firewalls Folder.
      After selecting the devices, click Next: Map Templates to Folders.
    7. Map Templates to your newly configured Folders.
      You can choose between two template mapping options:
      • Auto Template Mapping: Automatically associate template and template stack configurations with folders after migration to snippets. This feature eliminates the need for manual configuration mapping and reduces the iterative process that you typically face during the migration workflow.
        Strata Cloud Manager processes the entire Panorama configuration, even when you only select a subset of device groups for migration. This comprehensive analysis prevents issues in subsequent device group migrations; however, it may extend the processing time for the initial migration.
      • Manual Template Mapping: Manually associate template and template stack configurations with folders after migration to snippets.
      • During migration, Device Groups are transformed into folders, while templates and template stacks are converted into configuration snippets.
      • If two or more Device Groups reuse the same template, elevate it to a higher folder. If only one site requires it, keep it at the site level.
      Here is the procedure to manually associate templates:
      1. Select a Device Group to reveal the Templates/Template Stacks used by that device group.
      2. Edit the mapping to assign each Template/Template Stack to a Folder.
      3. Elevate templates referenced in multiple places to higher folders.
        For example, if you have global template settings, mapping them to the All Firewalls folder establishes those settings as the source of truth for all NGFWs.
      4. After assigning more than one Snippet to a Folder, adjust the order.
      5. Move Up or Move Down to finalize the order.
      6. Update the order.
      7. Save the new order.
        Before moving on to the next step, ensure the following:
        • No unassigned templates or template stacks remain.
        • Any templates referenced by multiple device groups have been elevated to the proper folders.
    8. Click Next: Prepare Migration.
      The migration process begins.
      Wait for all steps to be completed.
      If there are any issues with the migration, return to the previous steps to evaluate and make changes. If issues continue to persist, please contact Palo Alto Networks Support.
    9. Prepare to migrate.
      1. Load Configuration to Strata Cloud Manager to prepare to migrate.
        1. The migration worfklow:
          • Translates Devices and Device Groups and Templates and Template Stacks to Folders and Snippets using the mappings and snippets order defined by you.
          • Creates a Strata Cloud Manager snapshot to enable rollback of staged changes.
          • Checks for conflicts in existing Strata Cloud Manager configurations (name collisions, missing references, 31-character limits, RBAC scope).
          • Builds the staged configuration that will be in Strata Cloud Manager post-load.
      2. Load Results and review what objects, policies, or snippets were created, updated, or skipped.
      3. Review the Validation Results for any errors, warning, and informational messages post migration.
      4. Click Next: Review Config Diffs.
        This commits the newly generated configuration to Strata Cloud Manager.
    10. Review the configuration diffs.
      When reviewing your configuration diffs, you may notice that secret keys or passwords appear as Modified. This is expected behavior. Because Strata Cloud Manager uses a different Master Key than your Panorama instance, the encrypted string representing the key changes during the translation process. The underlying plaintext key remains exactly the same, and no action is required.
      1. In the left folder tree, expand to the Folder and select an NGFW serial number to be validated
      2. Browse File and choose the TSF for the selected serial number.
        Uploading the TSF for the chosen NGFW will allow you to properly validating all the supported, partially supported, and unsupported configurations.
        Strata Cloud Manager categorizes configuration diffs into three groups:
        • Modified/Missing: Represents changes to existing objects during the migration process. It can be items with changed values or missing object references.
        • Unsupported: Represents items that cannot be migrated due to feature parity gaps between Panorama and Strata Cloud Manager, detected using predefined parity checks.
        • Informational: Represents changes where object functionality remains the same but names or references have been automatically updated to comply with Strata Cloud Manager naming conventions. For example, profile names.
        Be sure to look for anything that has been created, modified, or deleted. Configurations being trimmed should not come as a surprise. You can use the search functionality to locate specific configuration elements by name, object type, or difference category, streamlining the review process for migrations with extensive configuration differences.
        Because of naming conventions in Strata Cloud Manager, some long names will be compressed when needed.
      3. Review the configuration diff panes.
        1. Green Panes: Created or added. They are present in Strata Cloud Manager, but not on the original device.
        2. Red Panes: Deleted or trimmed. May not be supported in Strata Cloud Manager, but are on the device.
        3. Yellow Panes: Modified.
        The diff view may be extensive, limited to one NGFW at a time, and calculated from the last pushed XML from the TSF.
      4. Verify the diffs for representative devices from each pattern or site type.
      5. (Optional) Export the diff results.
      6. (Optional)Regenerate Diffs if any corrections have been made.
      7. Click Next: Confirm and Finish.
    11. Confirm and finish your migration of configurations to Strata Cloud Manager.
      The migration tool does not onboard your NGFWs! You must still onboard your NGFWs to Strata Cloud Manager.
      Now that your Panorama configurations are Strata Cloud Manager, ready for device onboarding and pushes performed from SCM.
      With the configuration migration complete, review the available documentation for onboarding and managing NGFWs in Strata Cloud Manager.
      1. Ensure the results from Steps 8 and 9 are accepted.
      2. Confirm the migration.
        This officially marks the migration as complete.
      3. (Optional) To revert the configuration to its pre-migration state at any point, select Revert. This initiates a rollback workflow, restoring Strata Cloud Manager to a Snapshot taken before the migration was loaded.
      4. (Optional) To cancel the migration at any point, select Cancel Migration. This aborts the migration process and cleans up any temporary changes.

    Post-Migration

    After confirming the configuration migration in the tool, the configuration is staged in Strata Cloud Manager but has not yet been pushed to your NGFWs. The NGFWs are still managed by Panorama, now you must onboard them to Strata Cloud Manager to proceed with cloud management.
    To complete the transition to Strata Cloud Manager, you must perform pre-onboarding checks, onboard your NGFWs to Strata Cloud Manager, and execute a configuration push.

    Onboard NGFWs to Strata Cloud Manager

    You must onboard your NGFWS to Strata Cloud Manager to transfer management authority from Panorama to the cloud. You can migrate devices in phases (for example, by device group or site). For detailed steps on associating devices and configuring connectivity, see Onboard to Strata Cloud Manager.
    General Onboarding Guidelines
    • Associate Devices: Ensure all firewalls are associated with your Strata Cloud Manager tenant.
    • Move to Cloud Management: Use the Strata Cloud Manager onboarding workflow to move the device to Cloud Management.
    • Verify Placement: Confirm that the device shows a Connected status in Strata Cloud Manager and appears under the correct intended Folder.

    First Push and Validation

    Once devices are onboarded and connected, you must push the staged configuration from Strata Cloud Manager to enforce policies.
    Once you have pushed the staged configuration, validate:
    • Commit success.
    • Session health and traffic flow.
    • Interface, virtual router, and HA status.
    • Log forwarding to Strata Logging Service.
    Once you have validated your push, take screenshots of the connected state and successful push for your validation report.

    Rollback Readiness

    If critical issues arise during the pre-onboarding or onboarding phases, you can revert Strata Cloud Manager to its state prior to the migration.
    Use Configuration: Config Version Snapshots to load the pre-migration-snapshot created by the tool. This reverts the staged Strata Cloud Manager configuration but does not push changes to devices.

    Migrate from Panorama to Strata Cloud Manager (Prisma Access)

    Learn about the migration process for migrating your Prisma Access deployments from Panorama to Strata Cloud Manager.
    If you have an existing Prisma Access Deployment for which the configuration is managed by Panorama and want to migrate to Strata Cloud Manager for configuration management, Palo Alto Networks offers an in-product workflow that lets you migrate your existing Prisma Access configuration to Strata Cloud Manager.
    To enable migration workflow, you must contact your Palo Alto Networks account team.
    Managing your Prisma Access configuration using Strata Cloud Manager instead of Panorama can offer you benefits such as:
    • Continuous best practice assessments
    • Secure default configurations
    • Machine Learning (ML)-based configuration optimization
    • Streamlined web security workflows
    • An interactive visual summary (Command Center) that helps you to assess the health, security, and efficiency of the network
    • Intuitive workflows for complex tasks
    • Simple and secure management APIs
    • Cloud-native architecture provides scalability, resilience, and global reach
    • No hardware to manage or software to maintain

    Migrate to Prisma Access (Managed by Strata Cloud Manager)

    To migrate Prisma Access (Managed by Panorama) to Strata Cloud Manager, see Migrate Prisma Access from Panorama to Strata Cloud Manager

    © 2026 Palo Alto Networks, Inc. All rights reserved.