topic Panorama migration from M-100 to M-200 in Panorama Discussions

Panorama migration from M-100 to M-200

PavelK — Tue, 17 Oct 2023 12:02:05 GMT

Dear Community,

on weekend, I was migrating M-100 to M-200 and though it might be beneficial to share how it went.

Migration scenario:

2x M-100 in HA in Panorama Mode + 2 log collector groups (1 group for M-500 log collectors and 1 group fop M-600 log collectors). The target was to replace 2x M-100 with 2x M-200 with minimum impact and with no other change in configuration or design.

Migration steps:

1.) I installed both M-200 with basic settings (management interface IP address/DNS setting/NTP setting/Time Zone/Hostname), added

support license/device management license and upgraded to the same PAN-OS/Threat & Application/Antivirus version as old M-100.

2.) I exported running configuration from both M-100 and modified both configuration xml files to change management IP address to the one used by M-200 and I changed high-availability encryption from yes to no, then I imported each respective running configuration into both M-200 and loaded the configuration file. While loading the configuration files, I kept all options deselected except of: "Retain rule UUID", then I committed it in both M-200 units. During commit, I got 2 warnings for each log collector group: "Disk 'A' on log collector <S/N> in group <log collector name> has a size of zero bytes".

3.) After the commit was completed, I exported HA key from from each M-200 unit and imported to each other, then I enabled again HA encryption in each unit under: Panorama > High Availability > Setup > Encryption Enabled. After final commit, the HA was functional. I moved on to basic check to make sure all is in place, then I moved to cut over.
4.) For the actual migration, I shut down old M-100 units and changed management interface IP address of each M-200 to be the same as what M-100 was using. I reflected IP address change in HA setting. After I have committed the change, I have seen that all managed Firewalls appeared to be connected with status for Device Group/Template Stack in sync. The only part that did not go according to plan were log collectors. Although the status for all log collectors was connected, the status was "out of sync" with "Ring version mismatch". I was not able to commit the change to log collectors. It was giving me an error: "Config push failed as one or more disks have a size of zero bytes".

5.) To resolve the above issue, I set the log collector group (I used the same name as what was imported from M-100): set log-collector-group <log collector group name>, then I assigned each of the log collector that belong to particular log collector group: "set log-collector-group <log collector group name> logfwd-setting collectors <log collector S/N>". After this change was committed, all log collectors changed status to: "in sync" and I was able to push configuration change to both log collectors, then I was able to see all new logs to come as well as all old logs from all log collectors.

Since, there was no issue with pushing configuration, running reports and log search, I closed the migration with no other issue left to troubleshoot.

I hope this can help others with similar scenario where Panorama manager has to be replaced while log collectors stay in place.

Kind Regards

Pavel

Re: Panorama migration from M-100 to M-200

Nathan_Rohrlach — Thu, 09 Mar 2023 02:11:01 GMT

I had a different scenario for my LCs after upgrading the Panoramas but got the same "Config push failed as one or more disks have a size of zero bytes".

Your step 5 fixed it for me as well. Thanks

Re: Panorama migration from M-100 to M-200

alexander — Tue, 17 Oct 2023 09:29:56 GMT

Hi Kavel,

Do not mind me asking, the support license/device management license uploaded to the new panorama, is it a new license or a migration license obtained from Palo Alto?

Thank you

Regards

Alex

Re: Panorama migration from M-100 to M-200

PavelK — Tue, 17 Oct 2023 12:10:00 GMT

Hello @alexander

thanks for message!

Regarding device management license, when I was ordering M-200, I asked for below migration license which did not cost anything and allowed me to convert existing M-100 device management license to M-200.

PAN-M-200-P-MIG-M100-M200-1K (Panorama license migration from M-100 to M-200, 1K devices)

Regarding support, M-200 came with own support. There was no possibility to make transfer from M-100.

Kind Regards

Pavel

Re: Panorama migration from M-100 to M-200

alexander — Thu, 19 Oct 2023 01:53:07 GMT

Hello Pavel,

Thank you for the reply.

If i get what you are saying, the migration license is only needed if you have some period left and do not intend to buy a new license.

If the new panorama comes with a new set of device management license that should work as well. Also allow me to clarify, once you've switch the management interface from the old panorama to the new panorama, the devices in the managed device summary will automatically show connected am i right?

Thank you

Regards

Alex

Re: Panorama migration from M-100 to M-200

PavelK — Thu, 19 Oct 2023 21:12:03 GMT

Hello @alexander

thank you for reply.

The device management license is perpetual. It does not have any expiration. By using conversion SKU you can save money by not ordering device management license in new Panorama. If you already have device management license in new Panorama, then you do not need to go for conversion.

Regarding second question, the answer is yes. It was smooth. All Firewalls showed up as connected within a minute after management interface change. Please note that I have done this migration with PAN-OS 9.1 that did not have secure onboarding yet.

Kind Regards

Pavel