Switch From the Legacy PAYG Listing on Public Cloud

Starting with PAN-OS 9.1.2, the VM-Series PAY-As-You-Go (PAYG) offering on public cloud marketplaces (AWS, Azure, and GCP) support the VM-100, VM-300, VM-500, and VM-700 models. The listing applies the VM-Series model depending on the resource availability on the instance type you selected, to ensure optimal utilization of the available resources.
While you can continue to use the instances (of the VM-300) launched from the legacy PAYG listing, if you want to launch new firewalls with the new listing for better resource optimization, use the following instructions to save and export the configuration on your existing firewall, deploy a new firewall using the new PAYG listing, and then restore the configuration on the new firewall.
Instances launched using the legacy PAYG listing are restricted to the VM-300 model, even after upgrading the PAN-OS to 9.1.2 or later. To choose the other supported models, you must launch instances using the current PAYG listing.
If you have an annual subscription with the legacy PAYG listing on AWS, at the end of the subscription period, the listing transitions to an hourly subscription. To avail the annual subscription option, you must use the current PAYG listing, and cannot renew the legacy PAYG listing.
  1. Save a backup of the current configuration file and store it to an external server.
    1. Select
      Device
      Setup
      Operations
      and
      Export named configuration snapshot
      .
    2. Select the XML file that contains your running configuration (for example, running-config.xml) and click
      OK
      to export the configuration file.
    3. Save the exported file to a location external to the firewall.
  2. Deploy a new firewall with the current PAYG listing and register it.
    1. In the AWS, Azure, or Google Cloud Platform Marketplace, select the software image for the PAYG licensing bundle you want to deploy.
    2. Deploy a new VM-Series firewall in the AWS, Azure, or Google public cloud. See Set Up the VM-Series Firewall on AWS, Set up the VM-Series Firewall on Azure, or Set Up the VM-Series Firewall on Google Cloud Platform.
      The VM-Series plugin 1.0.11 or later is required.
  3. On the newly deployed firewall, restore the configuration that you exported.
    1. Access the web interface of the newly deployed firewall.
    2. Select
      Device
      Setup
      Operations
      , click
      Import named configuration snapshot
      , Browse to the configuration file on the external host, and click
      OK
      .
    3. Click
      Load named configuration snapshot
      , select the
      Name
      of the configuration file you just imported, and click
      OK
      .
    4. Click
      Commit
      to overwrite the running configuration with the snapshot you just imported.
    5. Verify that the configuration on the new firewall matches the firewall that you are replacing, before you delete the firewall or deactivate the licenses on the replaced firewall.
  4. Update any route table entries on the cloud platform to point the traffic to the newly deployed firewall.

Recommended For You