12-07-2025 02:31 PM
Hi,
We have to migrate a standalone PA-820 to a cluster VM500. The config will be the same except for a few interface changes. Only security policies are deployed from Panorama (not template). So what is the recommended way to do it?
Which option is better:
1) export existing device state fw to the VM FW?
2) export/import just the running config. Do some interface changes and add the devices in Panorama and assign device group
Recommended way?
12-09-2025 05:28 AM
Hi @BigPalo ,
In my opinion the best method—especially since you are moving to a different platform and integrating it with Panorama—is a modified version of option 2.
This would be my approach:
1) Export the Running Configuration: Log into your standalone PA-820 and export the running-config.xml file. I would not export the device state, as it carries hardware-specific details that will break the VM-500's configuration.
2) Manually Edit the XML: This is the most crucial step due to the hardware difference.
   - Use a text editor (like Notepad++) to manually Find/Replace the old PA-820 physical interface names (e.g., ethernet1/1, ethernet1/2) with the corresponding virtual interface names of the VM-500 (e.g., the standard VMXNet3 interface names).
   - If you are moving to a cluster, you may need to adjust or remove the old HA configuration entries from the PA-820 configuration to prevent immediate conflicts.
3) Basic VM Setup: Deploy the VM-500, ensure it's running the same or newer PAN-OS version as the PA-820, and retrieve its licenses. Configure only the management interface so you can access the GUI.
4) Import Configuration: Import the edited running-config.xml file onto the VM-500 (Import named configuration snapshot).
5) Local Commit and Clean-up: Load and commit the imported config on the VM-500. The commit will likely fail due to residual interface or HA discrepancies. Fix these errors locally on the VM-500 until a commit succeeds. This stabilizes the objects and NAT rules.
6) Register to Panorama: Add the VM-500 serial number to Panorama's list of managed devices.
7) Template Assignment: Assign the VM-500 to the correct Device Group (this pulls the Security Policies you already manage) and to a Template Stack designed for your VM-500 cluster (this will manage interfaces, zones, HA, etc.).
8) Final Push: Perform a Force Push of the Device and Network Templates from Panorama. This final push overwrites all Network/Device settings you imported locally, ensuring the VM-500's identity is clean, standardized, and fully managed by Panorama.
In my opinion option 1 (Export Device State) is more suited for identical hardware replacement. Migrating a device state from a physical firewall to a virtual VM architecture often introduces hardware and system file mismatches that can lead to persistent, difficult-to-troubleshoot commit failures and instability on the VM-500.
Hope this helps,
Kim.
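
The XML edit step from the answer above, as an added example that is not part of the original post and is not Palo Alto Networks tooling: a plain text Find/Replace of `ethernet1/1` also rewrites `ethernet1/10`, and sequential replaces collide when two ports swap, so this sketch renames only whole-value matches in one pass and drops the old HA block. The sample config, its element layout, the port mapping and the function names are all assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample, not a real export; the element layout is an assumption.
SAMPLE = """<config><devices><entry name="localhost.localdomain">
<deviceconfig><high-availability><enabled>yes</enabled></high-availability></deviceconfig>
<network><interface><ethernet>
<entry name="ethernet1/1"><layer3><units><entry name="ethernet1/1.100"/></units></layer3></entry>
<entry name="ethernet1/2"><layer3/></entry>
<entry name="ethernet1/10"><layer3/></entry>
</ethernet></interface></network>
<vsys><entry name="vsys1"><zone><entry name="trust"><network><layer3>
<member>ethernet1/1.100</member><member>ethernet1/10</member>
</layer3></network></entry></zone></entry></vsys>
</entry></devices></config>"""

# Hypothetical old -> new mapping; includes a swap and a two-digit port.
MAPPING = {"ethernet1/1": "ethernet1/2", "ethernet1/2": "ethernet1/1",
           "ethernet1/10": "ethernet1/3"}
IFACE = re.compile(r"^(ethernet\d+/\d+)(\.\d+)?$")

def rename(value, mapping):
    """Rename only if the whole value is an interface name (optional .subif)."""
    m = IFACE.match(value.strip()) if value else None
    if m and m.group(1) in mapping:
        return mapping[m.group(1)] + (m.group(2) or "")
    return value

def migrate(xml_text, mapping):
    """Return (new_xml, renamed_count, ha_blocks_removed)."""
    root = ET.fromstring(xml_text)
    renamed = 0
    for el in root.iter():
        new_name = rename(el.get("name"), mapping)
        if new_name != el.get("name"):
            el.set("name", new_name)
            renamed += 1
        new_text = rename(el.text, mapping)
        if new_text != el.text:
            el.text = new_text
            renamed += 1
    removed = 0
    for parent in list(root.iter("deviceconfig")):
        for ha in parent.findall("high-availability"):
            parent.remove(ha)  # old standalone HA settings are dropped
            removed += 1
    return ET.tostring(root, encoding="unicode"), renamed, removed

if __name__ == "__main__":
    _, renamed, removed = migrate(SAMPLE, MAPPING)
    print(f"renamed {renamed} references, removed {removed} HA block(s)")
```

Values that merely contain an interface name inside a longer string are left untouched, so any such references still surface as commit errors to fix locally on the VM-500.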

