Panorama Migration VM - to - VM

L1 Bithead

Hello,

We have an interesting setup: we currently have Panorama in legacy mode at version 9.0.4 (didn't even know it was possible to be in legacy mode on that release) managing a couple of HA pairs of firewalls. We would like to move our config to a Panorama VM in Panorama mode at version 9.1.2 and were looking for some guidance.

For some reason, I am guessing how the VM was originally provisioned, we have no way of editing the resources on our existing Panorama VM, so we cannot upgrade our existing Panorama deployment, but instead need to migrate it to a newly provisioned fresh Panorama VM that we spun up (9.1.2 running in Panorama mode).

Does anyone have any guidance on how to migrate this config? Can we export the config snapshot -> import on the new VM -> and then convert to legacy mode? If this is possible will this lose our log settings in Panorama?

How do we handle this from the licensing perspective?

Once we are on the new VM and have transferred the license, can we still view historical logs as needed on the old Panorama VM?

I have a ticket open with support for guidance as well, but was looking to see what the community's thoughts were.


Accepted Solutions
L7 Applicator

you can't go 'back' to legacy mode once you're in panorama or management-only mode, so you will need to build a log collector on the new panorama instead of relying on the built-in log partition

upside is that you can expand storage way beyond the 2TB limit in legacy mode

you can export and import your config snapshot and you'll be up and running in no time, once the log collector is configured and added to a log collector group, firewalls will automatically log into the log collector

license wise you can simply copy your serial over to the new VM, you'll need to decommission your old panorama so you don't break your support contract

one caveat is that the new panorama will have the same IPs but different certificates, so you will need to clear the 'known-hosts' file of the panorama IP so the firewall can start trusting the new panorama

> delete authentication user-file ssh-known-hosts user ip <ip>
Tom Piens - PANgurus.com
New to PAN-OS or getting ready to take the PCNSE? check out amazon.com/dp/1789956374
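
The known-hosts caveat above, as an added example (not part of the original post and not Palo Alto Networks code): before clearing the stored entry, confirm that the changed key is the new Panorama's by comparing OpenSSH-style SHA256 fingerprints. It assumes both keys are available as OpenSSH public-key lines and that the expected fingerprint was read from the new Panorama out of band; the function names and the sample keys are constructed for illustration.

```python
import base64
import hashlib
import struct


def sha256_fingerprint(pubkey_line: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a '<type> <base64> [comment]' line."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<key-type> <base64-blob> [comment]'")
    blob = base64.b64decode(fields[1], validate=True)
    # The blob starts with a length-prefixed key type; it must match the label.
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != fields[0].encode():
        raise ValueError("key type label does not match key blob")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def classify_host_key_change(stored_line: str, offered_line: str, expected_fp: str) -> str:
    """Decide whether a changed host key is the one the migration should produce."""
    stored_fp = sha256_fingerprint(stored_line)
    offered_fp = sha256_fingerprint(offered_line)
    if offered_fp == stored_fp:
        return "unchanged"            # nothing to clear
    if offered_fp == expected_fp:
        return "expected-change"      # clear the old entry and trust the new key
    return "unexpected-change"        # investigate before trusting anything


def constructed_key_line(fill: int) -> str:
    """Build a constructed (not real) ssh-ed25519 public-key line for the demo."""
    name = b"ssh-ed25519"
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", 32) + bytes([fill]) * 32
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed-sample"


if __name__ == "__main__":
    old_panorama = constructed_key_line(1)       # key the firewall already trusts
    new_panorama = constructed_key_line(2)       # key offered after the cut-over
    expected = sha256_fingerprint(new_panorama)  # stands in for the out-of-band value
    print(classify_host_key_change(old_panorama, new_panorama, expected))
```

An "unexpected-change" result means the key answering on the Panorama IP is neither the old nor the new instance, so the stored entry should stay in place until that is explained.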
