Upgrade/Move from Panorama Legacy mode to Panorama mode



Hi,


Currently Panorama is in Legacy mode; there are 5 devices connected to it, 2 in 2 data centres, one at an office. Templates are configured and synced across devices, including device-specific templates (like configs and other device management configs). However, due to the logging limitations we need to change to Panorama mode. The other temporary alternative of course is to upgrade the disk to 8TB, but there is some work to doing this too, and I am just thinking it might be better to just bite the bullet and move out of legacy even if it is slightly harder work than resizing the disk.

 

I am trying to find Palo documentation on how to do this or some documentation on the path in which to take to do this but I have not found any. If anyone knows the possible routes to take to do this kind of change or documentation/posts where it has been described I would be very grateful to know about them.

Thanks,

Daniel Bostock | Senior IT Operations Engineer, EML Payments | Blog: https://danielbostock.com


Hi @DanielBostock 

 

Converting a VM to “Panorama” mode mandates meeting the minimum resource requirements:

RAM: 16 GB
Cores: 8
Cloning disk: 81 GB
Storage disks: 2 TB.

Failure to meet this requirement prevents changing the mode from “legacy” to “panorama”, and the VM defaults to “legacy” mode operation.


Below are the steps we followed to convert our Panorama 8.0.14 from “legacy” mode to “panorama” mode using only the system disk and no virtual logging disk.


Step 1: Issue CLI command (request system system-mode panorama) - This will advise new requirements for memory, vCPUs, system disk size.
Step 2: Power off Panorama VM.
Step 3: Edit Settings and increase memory/vCPU and attach new system disk (SCSI Virtual Device Node).
Step 4: Power on Panorama VM.
Step 5: Issue CLI command (request system clone-system-disk target sdb).
Step 6: Power off Panorama VM.
Step 7: Edit Settings and remove original system disk.
Step 8: Select the new system disk (Virtual Device Node to SCSI (0:0)).
Step 9: Power on Panorama VM.
Step 10: Issue CLI command (request system system-mode panorama).

 

Additional reference link:
https://www.paloaltonetworks.com/documentation/80/panorama/panorama_adminguide/set-up-panorama/set-u...
https://live.paloaltonetworks.com/t5/General-Topics/Panorama-VM-upgrade-to-PANOS-8-0-x-amp-switch-mo...

 

Hey Farzana!


Mate, thanks for jumping in here to help. 


I see this is for version 8.0.xx, however we are currently running on 9.0.4 with Panorama. Also, to confirm, will there be any loss of data following this mode change process, such as logging or templates?

 

Thanks,

Daniel Bostock | Senior IT Operations Engineer, EML Payments | Blog: https://danielbostock.com

No problem @DanielBostock 

 

It should work for that version as well.

 

There were some issues we faced with latency in logging, or Panorama being sluggish during the upgrade.

In Legacy mode, the Panorama VM itself cannot act as a local log collector in a collector group.
Panorama can be configured to manage other dedicated log collectors (M series) in a collector group, and you need to make sure proper resources are defined based on the number of firewalls being managed.

 

You can use legacy mode for managing firewalls from Panorama. But in Panorama mode, receiving logs is faster than in legacy mode. In legacy mode there is some latency in logging on Panorama.

> The major difference in these modes is that Panorama supports a local log collector with 1 to 12 virtual disks. More details here: https://docs.paloaltonetworks.com/panorama/9-0/panorama-admin/panorama-overview/panorama-models.html...


If you want to convert from legacy mode to panorama mode then please follow the document below:
https://docs.paloaltonetworks.com/panorama/9-0/panorama-admin/set-up-panorama/set-up-the-panorama-vi...

 

@FarzanaMustafa  - Thanks greatly for all this info mate, I will get onto it this week and do all the necessary steps as per documentation.

Daniel Bostock | Senior IT Operations Engineer, EML Payments | Blog: https://danielbostock.com

@FarzanaMustafa 

 


If you want to convert from legacy mode to panorama mode then please follow below document
https://www.paloaltonetworks.com/documentation/80/panorama/panorama_adminguide/set-up-panorama/set-u...

Hey mate,

 

This link does not take me to the document, it potentially has been removed, deprecated or maybe renamed?

 

Thanks,

Daniel Bostock | Senior IT Operations Engineer, EML Payments | Blog: https://danielbostock.com

@FarzanaMustafa  - love ya work mate, thanks heaps again!

Daniel Bostock | Senior IT Operations Engineer, EML Payments | Blog: https://danielbostock.com

Hey @FarzanaMustafa - just double checking the document in the first link, that's the process for changing Panorama to Log Collector mode. Is there a guide on switching it to Panorama Mode like the older legacy one for 8.0?

Also it would be helpful to know what are the roll back options or ways to ensure a roll back if we completely balls up the upgrade to Panorama mode.

Daniel Bostock | Senior IT Operations Engineer, EML Payments | Blog: https://danielbostock.com

Hi @DanielBostock 

 

These two commands will help.

From Legacy mode to Panorama mode:
> request system system-mode panorama

From Panorama mode to Legacy mode:
> request system system-mode legacy

 

More details on the link below.

https://docs.paloaltonetworks.com/panorama/8-1/panorama-admin/set-up-panorama/set-up-the-panorama-vi...

@FarzanaMustafa 

 

Quick question: when you change an active M500 in Panorama mode which has a pair of external LCs configured and ALL firewalls send to those LCs (there are 3 Collector Groups configured) and you hit the command - request system system-mode management-only - will it then stop the Panorama in MGMT mode from retrieving logs from the LCs to view them in the Monitor tab?
