
Migration of Panorama configuration


L1 Bithead

I need to migrate the configuration of a Panorama X to another Panorama Y, where I need to split several devices on their own Panorama (Y). The plan, according to several discussions, is to export the config of the current Panorama X and import it into Panorama Y while changing the IP address, hostname, etc. This is the step where I am trying to see if it can be done more efficiently. I now plan to change the IP of the Panorama Servers section on the firewall to be the new IP of Panorama Y, but my question is: can I, for example, set the second field to be the Panorama Y IP address, commit the changes, and once I am sure everything is working properly after pushing changes from Panorama Y, then remove the IP address of Panorama X from the Panorama Servers section, or could that cause issues? Thanks.


Accepted Solutions

Cyber Elite

Thank you for the post @bambox

 

Exporting the configuration from one Panorama and importing it to a new one is, from my point of view, the easiest way. The only issue you might face is if you try to import the configuration to a different Panorama model where there are, for example, different interfaces. In this case, I would just manually edit the configuration file to match the target Panorama. Also, I would recommend having the same PAN-OS version on both Panorama units you are migrating.

 

For the second part, I am afraid that this will not work. A firewall can be registered to only one Panorama set. For the setting on the firewall under Device > Setup > Management > Panorama Settings > Panorama Servers, the secondary IP address is for the scenario where the Panorama manager is an HA pair. In this case, this is where you would configure the Panorama standby unit. I do not think you can use this for Panorama migration purposes.

 

Kind Regards

Pavel

Help the community: Like helpful comments and mark solutions.


L1 Bithead

Legacy mode is no longer supported in PAN-OS 8.1 or later releases. If the old Panorama virtual appliance is in Legacy mode, you must change Panorama to Panorama mode before migrating to the new hypervisor in order to preserve the log settings and Log Collector forwarding configurations. Importing the configuration of the old Panorama in Legacy mode to a new Panorama in Panorama mode causes all log and log forwarding settings to be removed.

Thank you and everyone for sharing your experience. I managed to migrate the configuration with no issues, except that unfortunately the configuration file that the PAN documentation mentioned in the process does not usually contain Shared objects, which caused commit issues. For everyone trying to migrate in the future, the only file that contains Shared objects is the one in the config bundle; you have to extract it and get the Panorama XML file, which contains all configuration including shared objects.
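The missing Shared objects described above can be caught before import. The following is an added example, not part of the thread and not Palo Alto code: it parses a Panorama XML export and lists security-rule members that are defined neither in `shared` nor in the rule's own device group. The XML is a constructed sample; the element paths assume the usual Panorama layout (`/config/shared`, `/config/devices/entry/device-group/entry`), and device-group inheritance, address ranges, regions and external lists are not handled.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: a Panorama export whose <shared> section is missing.
SAMPLE_WITHOUT_SHARED = """<config>
  <devices><entry name="localhost.localdomain">
    <device-group><entry name="branch-fw">
      <address><entry name="local-srv"><ip-netmask>10.1.1.10/32</ip-netmask></entry></address>
      <pre-rulebase><security><rules><entry name="allow-web">
        <source><member>corp-nets</member><member>10.9.0.0/16</member></source>
        <destination><member>local-srv</member><member>any</member></destination>
      </entry></rules></security></pre-rulebase>
    </entry></device-group>
  </entry></devices>
</config>"""

# Constructed sample: the same export with the shared address object present.
SHARED_BLOCK = """<shared><address><entry name="corp-nets">
  <ip-netmask>10.0.0.0/8</ip-netmask></entry></address></shared>"""
SAMPLE_WITH_SHARED = SAMPLE_WITHOUT_SHARED.replace("<config>", "<config>" + SHARED_BLOCK, 1)

def _names(node, kinds=("address", "address-group")):
    """Names of address objects and groups defined directly under node."""
    if node is None:
        return set()
    return {e.get("name") for k in kinds for e in node.findall(f"{k}/entry")}

def _is_literal(value):
    """True for 'any' and for IP/netmask literals, which need no object."""
    try:
        ipaddress.ip_network(value, strict=False)
        return True
    except ValueError:
        return value == "any"

def unresolved_references(xml_text):
    """Return {(device_group, rule, name)} for rule members defined nowhere."""
    root = ET.fromstring(xml_text)
    shared = _names(root.find("shared"))
    missing = set()
    for dg in root.findall("devices/entry/device-group/entry"):
        known = shared | _names(dg)
        # Covers pre- and post-rulebase security rules of this device group.
        for rule in dg.findall(".//security/rules/entry"):
            for m in rule.findall("source/member") + rule.findall("destination/member"):
                if not _is_literal(m.text) and m.text not in known:
                    missing.add((dg.get("name"), rule.get("name"), m.text))
    return missing
```

A non-empty result on the file you are about to import means a commit on the new Panorama is likely to fail on those references.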
