02-27-2022 09:55 AM
I need to migrate the configuration of a Panorama X to another Panorama Y, where I need to split several devices onto their own Panorama (Y). The plan, according to several discussions, is to export the config of the current Panorama X and import it into Panorama Y while changing the IP address, hostname, etc. This is the step where I am trying to see if it can be done more efficiently. I now plan to change the IP in the Panorama Servers section on the firewall to be the new IP of Panorama Y, but my question is: can I, for example, set the second field to be the Panorama Y IP address, commit the changes, and once I am sure everything is working properly after pushing changes from Panorama Y, then remove the IP address of Panorama X from the Panorama Servers section, or could that cause issues? Thanks.
03-02-2022 02:13 PM
Thank you for the post @bambox
Exporting the configuration from one Panorama and importing it to a new one is, from my point of view, the easiest way. The only issue you might face is if you try to import the configuration to a different Panorama model where there are, for example, different interfaces. In this case, I would just manually edit the configuration file to match the target Panorama. Also, I would recommend having the same PAN-OS version on both Panorama units you are migrating.
For the second part, I am afraid that this will not work. A firewall can be registered to only one Panorama set. For the setting on the firewall under Device > Setup > Management > Panorama Settings > Panorama Servers, the secondary IP address is for the scenario where the Panorama manager is an HA pair. In this case, this is where you would configure the Panorama standby unit. I do not think you can use this for Panorama migration purposes.
Kind Regards
Pavel
03-03-2022 12:48 AM - edited 03-03-2022 08:20 PM
@bambox wrote: I need to migrate the configuration of a Panorama X to another Panorama Y, where I need to split several devices onto their own Panorama (Y). The plan, according to several discussions, is to export the config of the current Panorama X and import it into Panorama Y while changing the IP address, hostname, etc. This is the step where I am trying to see if it can be done more efficiently. I now plan to change the IP in the Panorama Servers section on the firewall to be the new IP of Panorama Y, but my question is: can I, for example, set the second field to be the Panorama Y IP address, commit the changes, and once I am sure everything is working properly after pushing changes from Panorama Y, then remove the IP address of Panorama X from the Panorama Servers section, or could that cause issues? Thanks.
Legacy mode is no longer supported in PAN-OS 8.1 or later releases. If the old Panorama virtual appliance is in Legacy mode, you must change Panorama to Panorama mode before migrating to the new hypervisor in order to preserve the log settings and Log Collector forwarding configurations. Importing the configuration of the old Panorama in Legacy mode to a new Panorama in Panorama mode causes all log and log forwarding settings to be removed.
03-04-2022 03:02 PM
Thank you and everyone for sharing your experience. I managed to migrate the configuration with no issues, except that unfortunately the configuration file that the PAN documentation mentions in the process does not usually contain Shared objects, which caused commit issues. For everyone trying to migrate in the future: the only file that contains Shared objects is the one in the config bundle; you have to extract it and get the Panorama XML file, which contains all configuration including shared objects.
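A pre-import check for the point made in the post above, as an added example that is not part of the original thread or of Palo Alto Networks tooling: it reads a config bundle archive in memory and reports which XML member carries a populated `<shared>` section. The `<config>/<shared>/<section>/<entry>` layout is assumed, and the member file names and sample bundle are constructed.

```python
import io
import tarfile
import xml.etree.ElementTree as ET

def shared_summary(xml_bytes):
    """Return {section: entry_count} for <config>/<shared>, or None if absent."""
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError:
        return None
    shared = root.find("shared") if root.tag == "config" else None
    if shared is None:
        return None
    return {child.tag: len(child.findall("entry")) for child in shared}

def scan_bundle(bundle_bytes):
    """Map every XML member of the archive to its shared-object summary.
    Members are read in memory, so nothing in the archive is written to disk."""
    results = {}
    with tarfile.open(fileobj=io.BytesIO(bundle_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            if member.isfile() and member.name.endswith(".xml"):
                results[member.name] = shared_summary(tar.extractfile(member).read())
    return results

def importable(results):
    """Names of members that contain at least one shared object."""
    return sorted(n for n, s in results.items() if s and sum(s.values()) > 0)

def _make_bundle(files):
    """Build a constructed .tgz in memory for the sample below."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

# Constructed sample: one file with shared objects, one without.
SAMPLE = _make_bundle({
    "panorama-constructed.xml": b"<config><shared><address><entry name='a'/>"
        b"<entry name='b'/></address><service><entry name='s'/></service>"
        b"</shared><devices/></config>",
    "firewall-constructed.xml": b"<config><devices/></config>",
})

if __name__ == "__main__":
    for name, summary in scan_bundle(SAMPLE).items():
        print(name, summary if summary else "no <shared> section")
```

A file for which `importable()` returns nothing is the kind the post warns about: importing it would leave references to shared objects unresolved at commit time.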