Migrate model FW to virtualwith panorama for policies (recommended procedure)

BigPalo — Sun, 07 Dec 2025 22:31:24 GMT

Hi,

We have to migrate a standalone PA-820 to a cluster VM500. The config will be the same except few interface changes. Only security policies are deployed from panorama (not template). So what is recommended way to do It?

Which option is better:
1) export existing device state fw to the VM FW?
2) export/import just the running config. Do some interfaces changes and add the devices in panorama and assing device goup

REcommended way?

Re: Migrate model FW to virtualwith panorama for policies (recommended procedure)

kiwi — Tue, 09 Dec 2025 13:28:24 GMT

Hi @BigPalo ,

In my opinion the best method—especially since you are moving to a different platform and integrating it with Panorama—is a modified version of option 2.

This would be my approach:

Export the Running Configuration: Log into your standalone PA-820 and export the running-config.xml file. I would not export the device state, as it carries hardware-specific details that will break the VM-500's configuration.
Manually Edit the XML: This is the most crucial step due to the hardware difference.
- Use a text editor (like Notepad++) to manually Find/Replace the old PA-820 physical interface names (e.g., ethernet1/1, ethernet1/2) with the corresponding virtual interface names of the M-500 (e.g., the standard VMXNet3 interface names).
- If you are moving to a cluster, you may need to adjust or remove the old HA configuration entries from the PA-820 configuration to prevent immediate conflicts.

Basic VM Setup: Deploy the VM-500, ensure it's running the same or newer PAN-OS version as the PA-820, and retrieve its licenses. Configure only the management interface so you can access the GUI.
Import Configuration: Import the edited running-config.xml file onto the VM-500 (Import named configuration snapshot).
Local Commit and Clean-up: Load and commit the imported config on the VM-500. The commit will likely fail due to residual interface or HA discrepancies. Fix these errors locally on the VM-500 until a commit succeeds. This stabilizes the objects and NAT rules.

Register to Panorama: Add the VM-500 serial number to Panorama's list of managed devices.
Template Assignment: Assign the VM-500 to the correct Device Group (this pulls the Security Policies you already manage) and to a Template Stack designed for your VM-500 cluster (this will manage interfaces, zones, HA, etc.).
Final Push: Perform a Force Push of the Device and Network Templates from Panorama. This final push overwrites all Network/Device settings you imported locally, ensuring the VM-500's identity is clean, standardized, and fully managed by Panorama.

In my opinion option 1 (Export Device State) is more suited for identical hardware replacement. Migrating a device state from a physical firewall to a virtual VM architecture often introduces hardware and system file mismatches that can lead to persistent, difficult-to-troubleshoot commit failures and instability on the VM-500.

Hopethis helps,

Kim.

topic Migrate model FW to virtualwith panorama for policies (recommended procedure) in General Topics

Migrate model FW to virtualwith panorama for policies (recommended procedure)

Re: Migrate model FW to virtualwith panorama for policies (recommended procedure)