: Migrate to a Flexible VM-Series License
Focus
Focus

Migrate to a Flexible VM-Series License

Table of Contents
End-of-Life (EoL)

Migrate to a Flexible VM-Series License

Migrate from a model-based license to flexible Software Next Generation firewall credits.
You can migrate your VM-Series firewall perpetual or ELA license to a flexible VM-Series firewall license (funded using Software NGFW credits). You can switch the license on an individual firewall or on multiple firewalls simultaneously from Panorama.
If the license you want to switch is for a VM-Series firewall with and ELA or perpetual license, you must choose Fixed Models and use the same VM-Series model and number of vCPUs when you create the SW NGFW deployment profile for the flexible license. For example, if you are currently using a VM-100 with 2 vCPUs, when you create the deployment profile, select Fixed Models, select VM-100, and specify 2 vCPUs. As long as the capacity is the same, you can add new services.
Complete one of the following procedures to migrate your licenses.
  • Firewall can access the CSP—Migrate a license on a standalone firewall
    This process does not disrupt traffic moving through the firewall.
    1. Log in to the VM-Series firewall web interface.
    2. Verify the Palo Alto Networks update server configuration.
      1. Select DeviceSetupServices.
      2. Confirm that Update Server is set to updates.paloaltonetworks.com.
      3. Confirm that Verify Update Server Identity is selected.
    3. Log in to the CSP and Create a Deployment Profile. If the license you want to migrate is for a VM-Series firewall with an ELA or perpetual license, you must choose Fixed Models and use the same VM-Series model and number of vCPUs when you create the SW NGFW deployment profile for the flexible license.
      You will use the auth code from this profile. An auth code for a flexible firewall license begins with the letter D, as shown below.
      1. Select DeviceLicenses.
        If the current VM-Series model and the VM-Series model you are migrating to are different, select the Upgrade VM Capacity link.
        If the VM-Series model is the same before and after migration, select the Activate feature using authorization code link.
      2. Enter the VM-Series authorization code from the new deployment profile.
      3. Click OK to confirm the license upgrade.The firewall contacts the Palo Alto Networks update server and consumes the tokens required for your firewall based on the VM-Series model.
    4. Repeat this process for each VM-Series firewall in your deployment.
  • Firewall cannot access the CSP—Migrate a license on an offline firewall
    1. If necessary, install the license API key on your VM-Series firewall.
    2. Use the CLI to use manual mode to deactivate the fixed-model license.
    3. deactivate-vm.html#ideebc09fc-8135-45a0-9c61-51f52a0e9124 using the manual procedure, and log in to the CSP and use the token file to deactivate the VM.
    4. In the CSP, Create a Deployment Profile with the same VM-Series model, number of vCPUs, and security subscriptions as the old fixed model license. You will use the auth code from this profile.
    5. Select the new profile and click the vertical ellipsis and select Register Firewall.
      1. Enter the VM and firewall information and select Submit. This associates the firewall with the profile and its authcode and assigns a serial number.
      2. Click View Devices to see associated devices in Software NGFW Devices.
      3. In the License column, download the license keys to a location from which you can safely transfer the files to the host machine.
    6. On the firewall select DeviceLicenses.
      License keys must be installed through the web interface. The firewall does not support license key installation through SCP or FTP.
    7. Click Manually Upload License and enter the license keys.
    8. Confirm that the Dashboard displays a valid serial number and that the PA-VM license displays in the DeviceLicenses tab.
    9. (optional) Verify the migration.
  • Panorama can access the CSP—Migrate licenses on Panorama managed firewalls.
    1. Before you begin, ensure that you install a License API key on the firewall.
    2. Log in to the Panorama web interface.
    3. Verify the Palo Alto Networks update server configuration for the firewalls.
      1. Select DeviceSetupServices.
      2. Confirm that Update Server is set to updates.paloaltonetworks.com.
      3. Confirm that Verify Update Server Identity is selected.
    4. Create a Deployment Profile for the new license if you have not done so already. This profile is required to generate the new authorization code for the migrated Panorama.
    5. Retrieve the VM-Series authorization code. A firewall authorization code for a flexible license begins with the letter D, as shown below.
    6. Apply the new authorization code.
      1. Select PanoramaDevice DeploymentLicenses and Activate.
      2. Enter your VM-Series authorization code.
      3. Use the filters to select the managed firewalls to be licensed.
      4. Enter your authorization code in the Auth Code column for each firewall.
      5. Activate to confirm the license upgrade. Panorama contacts the Palo Alto Networks update server and consumes the tokens required for your firewalls based on the VM-Series model, vCPUs, and services you have chosen.
    7. (optional) Verify the migration.
  • Panorama cannot access the CSP—Migrate licenses on offline Panorama managed firewalls
    1. Before you begin, ensure that you install a License API key on the firewall.
    2. deactivate-vm.html#idb85de4c1-8e91-4180-9b78-bd9f3aa67425 using the manual procedure, and log in to the CSP and use the token file to deactivate the VM.
    3. In the CSP, Create a Deployment Profile with the same VM-Series model, number of vCPUs, security subscriptions, and Panorama as the fixed model license. You will use the auth code from this profile.
    4. Select the new profile and click the vertical ellipsis and select Register Firewall.
      1. Enter the VM and firewall information and select Submit. This associates the firewall with the profile and its authcode and assigns a serial number.
      2. Click View Devices to see associated devices in Software NGFW Devices.
      3. In the License column, download the license keys to a location from which you can safely transfer the files to the host machine.
    5. Apply the new authorization code.
      1. Select PanoramaDevice DeploymentLicenses and click Activate.
      2. Use the filters to select the managed firewalls to be licensed.
      3. Enter your authorization code from your deployment profile in the Auth Code column for each firewall.
      4. Click Activate to confirm the license upgrade. Panorama contacts the Palo Alto Networks update server and consumes the tokens required for your firewalls based on the VM-Series model, vCPUs, and services you have chosen.
    6. (optional) Verify the migration.
  • Verify the migration
    1. Check the license expiration date to verify the license updated successfully.
    2. Verify that all subscriptions enabled in your deployment profile are applied to your device.
    3. On the CSP, verify the expected number of credits allocated and credits consumed against your credit pool match.
    4. On the CSP, verify that the associated tokens or quantity of licenses have been returned to your previous auth code.