This article can assist you in importing the policies of an existing Palo Alto Networks firewall into Panorama.
You have a configuration on your Palo Alto Networks firewall.
An instance of Panorama is up and running with the same version of PAN-OS (or higher).
You have Web and CLI administrator access to both the firewall and Panorama.
The firewall has been configured to connect Panorama in Device > Setup > Management > Panorama Settings
The firewall's serial number has been added to Panorama and a Panorama commit has been completed
Panorama shows that the firewall is connected in Panorama > Managed Devices
On the Panorama, navigate to Panorama > Setup > Operations
Click "Import device configuration to Panorama."
Select the appropriate device and name the template and Device Group Name accordingly. For each virtual system (vsys) on the firewall, Panorama automatically creates a device group to contain the policy and object configurations.
Once you click “OK” the configuration of the firewall will be imported to the Panorama.
Push the imported configuration back to the firewall
On the Panorama, navigate to Panorama > Setup > Operations.
Click on "Export or push device config bundle."
Choose either "Push & Commit" or "Export."
Push & Commit.This option will overwrite any local configuration on the firewall with the firewall configuration stored on the Panorama. This will succeed where a normal commit will generate errors associated with objects and rules existing both in Panorama and the firewall.
When you choose "Push & Commit" you will see a job triggerred on the Panorama and will see Job Status details as shown below: Export: This option will export the configuration to the firewall but not load it. You should manually load the configuration from the CLI by running the command "load device-state." Then the configuration should be committed. When you choose "Export" option you will see a job triggered on the Panorama and see details as shown below:
Note: The above two options, ("Push & Commit" & "Export") are available only for firewalls running PAN-OS 6.0.4 and later releases.