cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Who rated this post

Cyber Elite
Cyber Elite

Thank you for posting question @jdemares

 

Based on what you have written I assume you are planning to migrate to standalone M-200 with no HA nor dedicated log collector. If my assumption is incorrect, please comment as this affects the answer.

 

I would proceed with the following steps:

 

  • Perform the initial configuration of M-200: Configure management interface IP address/Hostname/DNS Server/Time Zone/password, add license, upgrade to target PAN-OS, install latest: Applications and Threats / Antivirus packages. By default Panorama comes up in: "Panorama Mode" which allows you to run it as local log collector.
  • Go to M-100 and navigate to: Panorama > Setup > Operations, then click on "Save named Panorama configuration snapshot", enter a name to identify the configuration, and click OK. Then click on "Export named Panorama configuration snapshot", select the name of the configuration you just saved, and click OK. Panorama exports the configuration to your PC as an XML file. Then go to M-200 and navigate to: Panorama > Setup > Operation, then click on "Import named Panorama configuration snapshot", browse to the configuration file you exported from the M-100 appliance and click OK. Then click on "Load named Panorama configuration snapshot", select the name of the configuration you just imported, and click OK. Panorama overwrites its current candidate configuration with the loaded configuration. Panorama displays any errors that occur when loading the configuration file. Since, M-200 has different hardware/interfaces you might have to manually adjust xml file exported from M-100 to match M-200 configuration. I would recommend to export configuration from M-200 and M-100 and compare it side by side, then manually adjust xml that is going to be loaded to M-200. The final step is to Commit > Commit to Panorama.
  • Set up local log collector by following this KB: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMTXCA4
  • If you did not run into any issue by following the above steps, then at this point I would move one of the M-100 managed Firewall to new M-200. The actual process is easy. On the Firewall side, navigate to: Device > Setup > Panorama Settings > [M-200 Management interface IP address]. On the M-200 side, navigate to: Panorama > Managed Devices > Summary > Add: [Serial Number]. Then add Firewall to relevant Device Group and Template Stack. Also add Firewall to log collector you created in previous step under: Panorama > Collector Group > [log collector name] > Device Log Forwarding > Add > [Select Firewall and corresponding log collector], then go to Commit > Push to Devices > Edit Selection > Collector Groups > OK > Push.
  • After completing the above step, you should see Firewall to come online under: Panorama > Managed Devices > Summary. Note: PAN-OS of the Firewall has to be the same or lower than M-200. At this point Firewall will report that "Shared Policy" is "Out of Sync". Try to push the configuration to Firewall by going to: Commit > Push to Devices > Edit Selection > [Select Firewall] > Push Device Groups and Templates. If this step is successful, you should see the "Shared Policy" as "In Sync".
  • As a next step, I would confirm that logs are being sent by Firewall and searchable in Panorama. If you do not see any logs to come, make sure you see log collector IP address under: "show logging-status" and "show log-collector preference-list". If you do not get desired output restart management process.
  • If you have not hit any issue with first Firewall for configuration pushing as well as logging at this point I would consider to migrate rest of the Firewalls to M-200.
  • If you still need old logs from your original M-100, there are several ways to proceed with log migration. One way could be to turn your M-100 to: logger mode, then add it to M-200 as log collector. Note: M-100 can run PAN-OS version up to 9.1. There is recommendation that Panorama as well as log collector should run the same version, however based on documentation log collector can run lower version which might be functional if your M-200 is running PAN-OS 10.X. The actual process to configure this is fairly straightforward, you will have to turn M-100 into logger: "request system system-mode logger" then "set deviceconfig system panorama-server <IP address of M-200>". The rest of the details can be referred from: https://docs.paloaltonetworks.com/panorama/10-0/panorama-admin/manage-log-collection/configure-a-man...
  • If the above step is successful, then you can still search old M-100 logs from dashboard of M-200, however I would use this only as a temporary solution until you finally retire M-100.

Disclaimer: I am planning myself to proceed with Panorama migration in next year (Issue with delivery time), however to be honest I have not done exactly the same migration myself. As with every project, I come across unexpected issue or later when project is completed I realize that I could have done it differently or I discover better way, so do not blame me if some steps are not working as expected 🙂 If you get stuck or need more information do not hesitate to comment.

 

Kind Regards

Pavel

Help the community: Like helpful comments and mark solutions.
Who rated this post