Migrate from an M-500 Appliance to an M-700 Appliance

Migrate the Panorama™ management server configuration from an M-500 appliance to an M-600 appliance.
You can migrate the Panorama configurations, managed firewalls, and log collectors from an M-500 appliance to an M-700 appliance. You can migrate Panorama configurations between the appliances when both the appliances are running the same PAN-OS version. However, the M-500 appliance supports up to PAN-OS version 10.1, while the M-700 appliance requires at least PAN-OS version 10.2.
To migrate the Panorama configurations across appliances with different PAN-OS versions, you must use an intermediate virtual appliance that supports both versions, and perform the migration in the following two phases:
  • First, migrate the configurations from the M-500 appliance to the intermediate Panorama virtual appliance. For more information about migrating an M-Series appliance to a Panorama virtual appliance, see Migrate from an M-Series Appliance to a Panorama Virtual Appliance.
  • Next, upgrade the intermediate Panorama virtual appliance to a preferred PAN-OS version, and migrate the configurations from the intermediate Panorama virtual appliance to the M-700 appliance running the same preferred PAN-OS version. For more information about migrating a Panorama virtual appliance to an M-Series appliance, see Migrate from a Panorama Virtual Appliance to an M-Series Appliance.
Ensure that all the Log Collectors in the Collector Group are the same Panorama model. For example, if you want to add the local Log Collector on the new M-700 appliance to a Collector Group, the target Collector Group must contain only M-700 appliances. The same is true for the local Log Collector for an M-700 appliance.
This procedure assumes you are no longer using the M-500 appliance for device management or log collection. If you intend to continue using the M-500 appliance as a log collector, you must get a device management license for the M-500 appliance. Without a device management license, you cannot use the M-500 appliance as a log collector.
If you do not plan to use the M-500 appliance as a log collector, but the M-500 appliance contains log data that you must access at a later date, use the Panorama web interface to query and generate reports using the existing log data. Palo Alto Networks recommends reviewing the log retention policy before decommissioning the M-500 appliance.
Policy rule usage data is not preserved when you migrate to a different Panorama model. This means that all the existing policy rule usage data from the old Panorama model is no longer displayed after you migrate to a new Panorama model. After a successful migration, Panorama begins tracking policy rule usage data based on the date the migration was completed. For example, the Created date displays the date the migration was completed.
  1. Plan the migration.
    • Ensure that both the M-500 appliance and the intermediate Panorama virtual appliance are running the same PAN-OS version. Upgrade the M-700 appliance to a recommended supported PAN-OS version.
      In the second phase of the migration, before migrating the configurations from the Panorama virtual appliance to the M-700 appliance, you must upgrade the Panorama virtual appliance to the same PAN-OS version that is running on the M-700 appliance. For important details about software versions, see Panorama, Log Collector, Firewall, and WildFire Version Compatibility.
    • Ensure that the M-500 appliance, the intermediate Panorama virtual appliance, and the M-700 appliance are on the same system mode.
    • Schedule a maintenance window for the migration. Firewalls can buffer logs after the M-500 appliance goes offline and then forward the logs after the M-700 appliance comes online. However, completing the migration during a maintenance window ensures that the logs do not exceed the buffer capacities and are not lost during the transition between the Panorama models.
  2. Purchase the new M-700 appliance, and migrate your subscriptions to the new appliance.
    1. Purchase the new M-700 appliance.
    2. Purchase the new support license and migration license.
    3. When purchasing the new M-700 appliance, provide your sales representative with the serial number and device management auth-code of the M-700 appliance that you are phasing out, and the date when you expect your migration. After you receive the M-700 appliance, register it and activate the device management and support licenses by using the migration and support auth-codes from Palo Alto Networks. On the migration date, the device management license on the M-500 will be decommissioned, preventing you from managing devices or collecting logs using the M-500 appliance. However, the support license is preserved and the Panorama appliance remains under support. You can complete the migration after the effective date, but you will not be able to commit any configuration changes on the decommissioned M-500 appliance. Palo Alto Networks allows up to a 90-day migration grace period when migrating between M-Series appliances. Contact your Palo Alto Networks sales representative for more information about your migration.
  3. Obtain and apply an evaluation or temporary license on the intermediate Panorama virtual appliance.
    1. Log in to the Palo Alto Networks Customer Support Portal.
    2. Select Assets > Devices > Register New Device.
    3. In the Device Type window, select Register device using Serial Number or Authorization Code, and click Next.
    4. To activate the Panorama software, enter the serial number you received in the Request for Software Evaluation Approved email.
    5. If you plan to use the Panorama software offline, select Device will be used Offline, and enter the required information.
    6. Review the EULA and Support Agreement.
    7. If you agree, click Agree and Submit.
    8. After successful registration, the Assets screen displays the newly registered and activated Eval Panorama.
  4. Perform the initial setup of the intermediate Panorama virtual appliance. For details, see Perform the initial setup of the Panorama virtual appliance.
  5. Edit the M-500 interface configuration to use only the management interface.
    The Panorama virtual appliance supports only the management interface for device management and log collection.
    1. Log in to the Panorama web interface of the M-Series appliance.
    2. Select Panorama > Setup > Management.
    3. Edit the General Settings, modify the Hostname, and click OK.
    4. Select Panorama > Setup > Interfaces > Management interface, and enable the required services.
    5. Disable the services for the other interfaces.
    6. Select Commit > Commit to Panorama.
  6. Export the Panorama configuration from the M-500 appliance.
    1. Log in to the Panorama web interface.
    2. Select Panorama > Setup > Operations.
    3. Click Save named Panorama configuration snapshot, enter a Name to identify the configuration, and click OK.
    4. Click Export named Panorama configuration snapshot, select the Name of the configuration you just saved, and click OK.
      Panorama exports the configuration to your client system as an XML file.
  7. Load the Panorama configuration snapshot that you exported from the M-500 appliance into the Panorama virtual appliance.
    The Panorama Policy rule Creation and Modified dates are updated to reflect the date you commit the imported Panorama configuration on the new Panorama. The universally unique identifier (UUID) for each policy rule persists when you migrate the Panorama configuration.
    The Creation and Modified dates for managed firewalls are not impacted when you monitor policy rule usage for a managed firewall because this data is stored locally on the managed firewall and not on Panorama.
    1. Log in to the Panorama web interface of the Panorama virtual appliance.
    2. Select Panorama > Setup > Operations.
    3. Click Import named Panorama configuration snapshot.
    4. Browse for the configuration file you exported from the M-500 appliance, and click OK.
    5. Click Load named Panorama configuration snapshot, and select the Name of the configuration you just imported.
    6. Select a Decryption Key (the master key for Panorama) and click OK.
    7. Panorama overwrites its current candidate configuration with the loaded configuration. Panorama displays any errors that occur when loading the configuration file. If errors occur, save the errors to a local file. Resolve each error to ensure the migrated configuration is valid.
  8. Log in to the Panorama web interface of the M-700 appliance, select Panorama > Setup > Interfaces, and verify that the IP address on the management interface is different from the IP address of the M-500 appliance.
    This is to ensure that the connectivity to the Panorama virtual appliance is not disrupted post commit.
  9. Select Commit > Commit to Panorama > Validate Commit to review and resolve any configuration issues. Commit the Panorama configuration.
  10. Export the Panorama configuration from the Panorama virtual appliance.
    1. Log in to the Panorama web interface of the Panorama virtual appliance.
    2. Select Panorama > Setup > Operations.
    3. Click Save named Panorama configuration snapshot, enter a Name to identify the configuration, and click OK.
    4. Click Export named Panorama configuration snapshot, select the Name of the configuration you just saved, and click OK.
      Panorama exports the configuration to your client system as an XML file.
  11. Perform the initial setup of the M-700 appliance. For details, see Perform the initial setup of the M-Series appliance.
  12. Load the Panorama configuration snapshot that you exported from the Panorama virtual appliance to the M-700 appliance.
    The Panorama Policy rule Creation and Modified dates are updated to reflect the date you commit the imported Panorama configuration on the new Panorama. The universally unique identifier (UUID) for each policy rule persists when you migrate the Panorama configuration.
    The Creation and Modified dates for managed firewalls are not impacted when you monitor policy rule usage for a managed firewall because this data is stored locally on the managed firewall and not on Panorama.
    1. Log in to the Panorama web interface of the Panorama virtual appliance.
    2. Select Panorama > Setup > Operations.
    3. Click Import named Panorama configuration snapshot.
    4. Browse for the configuration file you exported from the Panorama virtual appliance, and click OK.
    5. Click Load named Panorama configuration snapshot, and select the Name of the configuration you just imported.
    6. Select a Decryption Key (the master key for Panorama) and click OK.
    7. Panorama overwrites its current candidate configuration with the loaded configuration. Panorama displays any errors that occur when loading the configuration file. If errors occur, save the errors to a local file. Resolve each error to ensure the migrated configuration is valid.
  13. Review the network configuration on the M-700 appliance.
    1. (Optional) Log in to the Panorama web interface of the M-500 appliance, select Panorama > Setup > Operations, and click Shutdown Panorama.
      Shut down the M-500 appliance if you plan to have the same IP address on both the M-500 and M-700 appliances.
    2. Log in to the Panorama web interface of the M-700 appliance, select Panorama > Setup > Interfaces, and verify the network configuration on the Management interface to ensure that the connectivity to the M-700 appliance is not disrupted post commit.
    3. Ensure that all the interface configurations are set up based on your requirements for the M-700 appliance.
  14. Select Commit > Commit to Panorama > Validate Commit to review and resolve any configuration issues. Commit the Panorama configuration.
  15. Generate a new device registration authentication key for managed device connectivity.
    1. In the Panorama web interface of the M-700 appliance, select Panorama > Device Registration Auth Key and Add a new authentication key.
    2. Configure the authentication key.
      • Name—Enter a descriptive name for the authentication key.
      • Lifetime—Enter the key lifetime to specify the duration of the validity of the authentication key.
      • Count—Enter the number of devices that will use the authentication key for connecting to Panorama.
      • Device Type—Specify whether the authentication key may be used for Firewalls, Log Collectors, or Any device.
    3. Click OK.
    4. Copy Auth Key and Close.
  16. After you complete the migration, connectivity to the managed firewalls is lost. Recover connectivity to the managed firewalls.
    1. Reset the secure connection state.
      This command resets the managed device connection to Panorama and is irreversible.
      admin> request sc3 reset
    2. Restart the management server on the managed device.
      admin> debug software restart process management-server
    3. (Optional) If the IP address of the M-700 appliance is different from the M-500 appliance, update the panorama-server IP address.
      admin> configure
      admin# set deviceconfig system panorama local-panorama panorama-server <panorama-ip> [panorama-server-2 <panorama-ha-peer-ip>]
      admin# commit
      admin# exit
    4. Add the device registration authentication key you copied in Step 16.
      admin> request authkey set <auth_key>
    5. Verify the managed device connectivity to Panorama.
      admin> show panorama-status
      Verify that the IP address of the M-700 appliance appears and the Panorama server Connected status displays yes.
  17. After you complete the migration, connectivity to the managed log collectors is lost. Recover connectivity to the managed log collectors.
    1. Reset the secure connection state.
      This command resets the managed device connection to Panorama and is irreversible.
      admin> request sc3 reset
    2. Restart the management server on the managed device.
      admin> debug software restart process management-server
    3. (Optional) If the IP address of the M-700 appliance is different from the M-500 appliance, update the panorama-server IP address.
      admin> configure
      admin# set deviceconfig system panorama-server <panorama-ip> [panorama-server-2 <panorama-ha-peer-ip>]
      admin# commit
      admin# exit
    4. Add the device registration authentication key you copied in Step 16.
      admin> request authkey set <auth_key>
    5. Verify the managed device connectivity to Panorama.
      admin> show panorama-status
      Verify that the IP address of the M-700 appliance appears and the Panorama server Connected status displays yes.
  18. Select Commit > Commit to Panorama > Validate Commit to review and resolve any configuration issues. Commit the Panorama configuration.
  19. Synchronize the M-700 appliance with the managed devices.
    1. Select Commit > Push to Devices and Edit Selections.
    2. Select all the devices under Device Groups, Templates, and Collector Groups, and click OK.
    3. Push your changes.
    4. Select Panorama > Managed Devices > Summary, and verify that all the firewalls are connected. Also, verify that the shared policy and template configurations of the firewalls are In sync with Panorama.
    5. Select Panorama > Managed Collectors, and verify that the configuration status is In Sync with Panorama, and the health status is Green for all the log collectors.
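
The connectivity check in steps 16 and 17 (the M-700 address appears and Connected displays yes) can be repeated across many devices by parsing saved `show panorama-status` output. This is an added example, not Palo Alto Networks code; the output layout, the sample addresses, the device names, and the function names are constructed assumptions.

```python
import re

# Constructed samples of `show panorama-status` output saved from two managed
# devices. The layout and the addresses are assumptions; adjust to your output.
SAMPLE_OK = """\
Panorama Server 1 : 192.0.2.70
    Connected     : yes
    HA state      : Unknown
"""
SAMPLE_STALE = """\
Panorama Server 1 : 192.0.2.50
    Connected     : no
    HA state      : Unknown
"""

SERVER_RE = re.compile(r"^\s*Panorama Server\s+(\d+)\s*:\s*(\S+)\s*$", re.I)
CONNECTED_RE = re.compile(r"^\s*Connected\s*:\s*(\w+)\s*$", re.I)

def parse_panorama_status(text):
    """Return one dict per listed server: index, address, connected."""
    servers = []
    for line in text.splitlines():
        m = SERVER_RE.match(line)
        if m:
            servers.append({"index": int(m.group(1)), "address": m.group(2),
                            "connected": None})
            continue
        m = CONNECTED_RE.match(line)
        if m and servers and servers[-1]["connected"] is None:
            servers[-1]["connected"] = m.group(1).lower() == "yes"
    return servers

def check_device(text, expected):
    """Return a list of problems; an empty list means the device passed."""
    servers = parse_panorama_status(text)
    if not servers:
        return ["no Panorama server listed"]
    problems = []
    for s in servers:
        if s["address"] not in expected:
            problems.append(f"unexpected server {s['address']}")
        elif not s["connected"]:
            problems.append(f"{s['address']} listed but not connected")
    listed = {s["address"] for s in servers}
    problems += [f"{a} not listed" for a in sorted(set(expected) - listed)]
    return problems

if __name__ == "__main__":
    captured = {"fw-01": SAMPLE_OK, "fw-02": SAMPLE_STALE}  # hypothetical names
    for name, text in captured.items():
        print(name, check_device(text, {"192.0.2.70"}) or "OK")
```

A device that still lists the old Panorama address is reported as an unexpected server, which points back to the optional panorama-server update in step 3 of the recovery procedure.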