If the PA-200 is the only device in its device group and template, I would still recommend importing the Panorama configuration into the PA-200 locally, importing the PA-200's candidate-config into the PA-220, then importing the entire PA-220 into Panorama. You can always delete the original PA-200 template and device group and rename the PA-220 template and device group to have the original name. This is the easiest way to complete the task. If you cannot replace the existing template and device group with a new one, then you are left with the XML XPath option. The below link has information on how it works. https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-cli-quick-start/use-the-cli/load-configurations/load-a-partial-configuration Steps for using XML XPath: 1. Export the running-config from the PA-200 and name it PA-200-config 2. Import the PA-200-config into Panorama. 3. Log into the CLI and use the load config partial command to load parts of the PA-200-config into specific locations of the panorama's configuration. Note: The network and zone configuration doesn't really load well using the load config partial. I would recommend just manually configuring that into the template if you need to. Example command for migrating NAT rules: load config partial from-xpath /config/devices/entry/vsys/entry/rulebase/nat to-xpath /config/devices/entry/device-group/entry[@name='DeviceGroup']/post-rulebase/nat mode merge from PA200-config.xml The load config partial option requires items to be imported in a very specific way. Applications, Application-Groups, Addresses, Address Groups, Services, and Service Groups all have to be loaded prior to loading a security or nat rule. Interfaces should be loaded prior to loading a NAT rule.
... View more