cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Who rated this post

Panorama migration from M-100 to M-200

Cyber Elite
Cyber Elite

Dear Community,

 

on weekend, I was migrating M-100 to M-200 and though it might be beneficial to share how it went.

 

Migration scenario:

2x M-100 in HA in Panorama Mode + 2 log collector groups (1 group for M-500 log collectors and 1 group fop M-600 log collectors). The target was to replace 2x M-100 with 2x M-200 with minimum impact and with no other change in configuration or design.

 

Migration steps:

1.) I installed both M-200 with basic settings (management interface IP address/DNS setting/NTP setting/Time Zone/Hostname), added 

support license/device management license and upgraded to the same PAN-OS/Threat & Application/Antivirus version as old M-100.
2.) I exported running configuration from both M-100 and modified both configuration xml files to change management IP address to the one used by M-200 and I changed high-availability encryption from yes to no, then I imported each respective running configuration into both M-200 and loaded the configuration file. While loading the configuration files, I kept all options deselected except of: "Retain rule UUID", then I committed it in both M-200 units. During commit, I got 2 warnings for each log collector group: "Disk 'A' on log collector <S/N> in group <log collector name> has a size of zero bytes".
3.) After the commit was completed, I exported HA key from from each M-200 unit and imported to each other, then I enabled again HA encryption in each unit under: Panorama > High Availability > Setup > Encryption Enabled. After final commit, the HA was functional. I moved on to basic check to make sure all is in place, then I moved to cut over.
4.) For the actual migration, I shut down old M-100 units and changed management interface IP address of each M-200 to be the same as what M-100 was using. I reflected IP address change in HA setting. After I have committed the change, I have seen that all managed Firewalls appeared to be connected with status for Device Group/Template Stack in sync. The only part that did not go according to plan were log collectors. Although the status for all log collectors was connected, the status was "out of sync" with "Ring version mismatch". I was not able to commit the change to log collectors. It was giving me an error: "Config push failed as one or more disks have a size of zero bytes".
5.) To resolve the above issue, I set the log collector group (I used the same name as what was imported from M-100): set log-collector-group <log collector group name>, then I assigned each of the log collector that belong to particular log collector group: "set log-collector-group <log collector group name> logfwd-setting collectors <log collector S/N>". After this change was committed, all log collectors changed status to: "in sync" and I was able to push configuration change to both log collectors, then I was able to see all new logs to come as well as all old logs from all log collectors.
Since, there was no issue with pushing configuration, running reports and log search, I closed the migration with no other issue left to troubleshoot.
 
I hope this can help others with similar scenario where Panorama manager has to be replaced while log collectors stay in place.
 
Kind Regards
Pavel
Help the community: Like helpful comments and mark solutions.
Who rated this post