https://live.paloaltonetworks.com/t5/general-articles/nominated-discussion-move-firewall-to-new-panorama/ta-p/570874 <DIV class="lia-message-template-content-zone"> <P data-unlink="true"><SPAN>This Nominated Discussion Article is based on the post "</SPAN><STRONG><A href="https://live.paloaltonetworks.com/t5/general-topics/move-firewall-to-new-panorama/m-p/539747" target="_self">Move Firewall to New Panorama</A>&nbsp;</STRONG><SPAN>" by&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/167427">@securehops</a>&nbsp;&nbsp;and answered by Cyber Elite&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/77347">@TomYoung</a>.</SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> <BLOCKQUOTE> <P>Hi All,</P> <P><BR />We currently have 2 Panoramas (virtual) managing different firewalls..&nbsp; We'd like to move all firewalls to 1 pano, so we can retire the other one.&nbsp; &nbsp;What's the best/safest way to accomplish that?&nbsp; Is there a way to avoid having duplicate objects while migrating or would it be a cleanup effort after the fact.&nbsp; &nbsp;It's a mix of standalone firewalls and HA (active/passive) firewalls.&nbsp; &nbsp;These are all in production, so concerned about downtime.</P> <P>&nbsp;</P> <P>I know there is a process to import standalone firewalls into panorama, but these firewalls are already managed by pano.</P> </BLOCKQUOTE> <P>Response:&nbsp;</P> <P>&nbsp;</P> <BLOCKQUOTE> <P>Thank you for the excellent info.&nbsp; Let me answer your 2 questions 1st:</P> <P>&nbsp;</P> <OL> <LI>You do not have to move all of the config locally.&nbsp; You can import the device configuration (including Shared) and templates into the new Panorama using "load config partial mode merge".&nbsp; This would be preferred because moving all the config locally can make it difficult to move partial Network and Device configuration to Panorama.</LI> <LI>It can definitely be phased over 1 NGFW at a time.&nbsp; If you are using template variables, make sure you manually configure those after the NGFWs are moved to Panorama.</LI> </OL> <P>Expedition makes some things easier, but it does take time to install and learn.&nbsp; Unless you have a LOT of objects, I probably would not.&nbsp; Instead, I would do the following:</P> <P>&nbsp;</P> <OL> <LI>As much as possible, I would change the object names on the old to match the new.&nbsp; Definitely have Automated Commit Recovery enabled before you do this.&nbsp; Make sure the device group and template names are different!</LI> <LI>Rename your zones on the old Panorama to match the new.&nbsp; This is tricky.&nbsp; After the rename, create the old zones again in the templates so that the push does not fail on the managed device.&nbsp; After the push is successful, delete the old zones.</LI> <LI>Rename your shared objects before the migration.&nbsp; It will be easier to standardize the names before the migration because you can just rename and not have to swap objects inside the policies.&nbsp; Otherwise, Expedition makes the rename/swap easier.</LI> <LI>When you migrate a NGFW, aim for a like-for-like configuration.&nbsp; Don't adjust the templates or device groups on the new Panorama until all the devices are moved.</LI> </OL> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> </BLOCKQUOTE> </DIV> Tue, 26 Dec 2023 17:06:17 GMT JayGolf 2023-12-26T17:06:17Z https://live.paloaltonetworks.com/t5/general-articles/nominated-discussion-move-firewall-to-new-panorama/ta-p/570874 <P><SPAN>This Nominated Discussion Article is based on the post "</SPAN><STRONG><A href="https://live.paloaltonetworks.com/t5/general-topics/move-firewall-to-new-panorama/m-p/539747" target="_self">Move Firewall to New Panorama</A>&nbsp;</STRONG><SPAN>" by&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/167427">@securehops</a>&nbsp;&nbsp;and answered by Cyber Elite&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/77347">@TomYoung</a></SPAN></P> Tue, 26 Dec 2023 17:06:17 GMT https://live.paloaltonetworks.com/t5/general-articles/nominated-discussion-move-firewall-to-new-panorama/ta-p/570874 JayGolf 2023-12-26T17:06:17Z https://live.paloaltonetworks.com/t5/general-articles/nominated-discussion-move-firewall-to-new-panorama/tac-p/570885#M692 <P>Thanks <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/220841">@JayGolf</a> !</P> <P>&nbsp;</P> <P>Check out the post in the link above or below.&nbsp; <A href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/167427" target="_blank">@securehops</A> has posted 5 "load config partial" commands that we used!</P> <P>&nbsp;</P> <P><A href="https://live.paloaltonetworks.com/t5/general-topics/move-firewall-to-new-panorama/m-p/539747" target="_blank">https://live.paloaltonetworks.com/t5/general-topics/move-firewall-to-new-panorama/m-p/539747</A></P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> Tue, 26 Dec 2023 17:47:34 GMT https://live.paloaltonetworks.com/t5/general-articles/nominated-discussion-move-firewall-to-new-panorama/tac-p/570885#M692 TomYoung 2023-12-26T17:47:34Z