Migrate Panorama 7.1 Configuration to
Panorama 8.0 Configuration
When you upgrade Panorama in your VMware NSX
deployment from 7.1 to 8.0, all your existing configuration is maintained.
However, that configuration will remain in the Operations Centric
formats. Complete the following procedure to migrate your Operations
Centric configuration into Security Centric formats. Do not complete
this procedure if you plan to manage your deployment using Operations
Centric workflows after upgrading to 8.0.
- The VMware NSX plugin is automatically installed upon upgrade to 8.0.
- Update the match criteria format in your dynamic address groups.
- Select and click the link name for your first dynamic address group.
- Delete the existing match criteria entry.
- Enter the new match criteria in the following format:‘_nsx_<dynamic-address-group-name>’
- ClickOK.
- Repeat this process for each dynamic address group.
- Change security policy used as NSX steering rules to intrazone.
- Select and click the link name for your first security policy rule.
- On the General tab, change theRule Typeto intrazone.
- ClickOK.
- Repeat this process for each security policy rule.
- Generate new steering rules.
- Select .
- ClickAuto-Generate Steering Rules.
- Commityour changes.When you commit your changes, Panorama pushes updates to NSX Manager.
- Verify that NSX Manager created new security groups.
- Login to vCenter and select .
- The new security groups (mapped to the updated dynamic address groups) should appear in the following format:<service-definition-name> - <dynamic-address-group-name>
- Verify that NSX Manager created new steering rules.
- Select .
- The new steering rules (mapped to the security policy rules you create on Panorama) are listed above the old steering rules.
- Add match criteria to the newly created security groups to ensure that your VMs are placed in the correct security group.There two ways to complete this task—recreate the match criteria from the old security group in the new security group or nest the old security group within the new security group.To recreate the match criteria from the old security group, complete the following procedure.
- Select .
- Click on a new security group and selectEdit Security Group.
- SelectDefine dynamic membershipand click the plus icon.
- Add the same match criteria in the corresponding old security group.
- Repeat this process for each new security group.
- Delete the old security groups.
To nest the old security group within the new security group, complete the following procedure. In this method, VMs in the old security group are added to the new security group. Additionally, any new VM that meets the criteria of the old security group is automatically added to the new security group.- Select .
- Click on a new security group and selectEdit Security Group.
- SelectSelect objects to include.
- Select theSecurity GroupObject Type.
- Choose the corresponding old security group under Available Objects and move it to Selected Objects by clicking the right arrow icon.
- ClickFinish.
- Delete the old steering rules from vCenter.
- Select .
- Delete the old steering rules. Take care not to delete the Palo Alto Networks rules created by the 8.0 workflow. These steering rule sections use the following naming convention.<service-definition-name> - <dynamic-address-group-name>
