09-16-2020 09:37 AM - edited 09-16-2020 09:39 AM
Hello,
We have an interesting setup: we currently have Panorama in legacy mode at version 9.0.4 (didn't even know it was possible to be in legacy mode on that release) managing a couple of HA pairs of firewalls. We would like to move our config to a Panorama VM in Panorama mode at version 9.1.2 and were looking for some guidance.
For some reason, I am guessing how the VM was originally provisioned, we have no way of editing the resources on our existing Panorama VM, so we cannot upgrade our existing Panorama deployment, but instead need to migrate it to a newly provisioned fresh Panorama VM that we spun up (9.1.2 running in Panorama mode).
Does anyone have any guidance on how to migrate this config? Can we export the config snapshot -> import on the new VM -> and then convert to legacy mode? If this is possible will this lose our log settings in Panorama?
How do we handle this from the licensing perspective?
Once we are on the new VM and have transferred the license, can we still view historical logs as needed on the old Panorama VM?
I have a ticket open with support for guidance as well, but was looking to see what the community's thoughts were.
09-23-2020 05:58 AM
you can't go 'back' to legacy mode once you're in panorama or management-only mode, so you will need to build a log collector on the new panorama instead of relying on the built-in log partition
upside is that you can expand storage way beyond the 2tb limit in legacy mode
you can export and import your config snapshot and you'll be up and running in no time, once the log collector is configured and added to a log collector group, firewalls will automatically log into the log collector
license wise you can simply copy your serial over to the new VM, you'll need to decommission your old panorama so you don't break your support contract
one caveat is that the new panorama will have the same IPs but different certificates, so you will need to clear the 'known-hosts' file of the panorama IP so the firewall can start trusting the new panorama
> delete authentication user-file ssh-known-hosts user ip <ip>
11-16-2020 09:39 AM - edited 11-16-2020 10:57 AM
Hi Tom
I just bought your book!
If you have some time to go over a few questions I have on a Panorama-to-Panorama migration, that would be great!
Thanks
Cliff
11-16-2020 10:18 AM
Hi cliff @cliffgormley Yay!!
I'd love to, but please don't post your phone number to a public forum 😉
You can reach me via reaper@pangurus.com 🙂
07-29-2021 12:36 AM
I am also in an almost similar situation; can you please explain how you accomplished it?
Also, how did you migrate the old logs from the LEGACY Panorama?
Thanks in advance