We're currently running a Panorama VM in legacy mode on 9.1 but need to upgrade it to 10.1 in order to support a PA-440. I've been working with Palo support because the attempt to upgrade has failed at numerous steps and I believe it's because of how this VM was configured by my predecessor (4 CPUs, 8GB RAM, 52GB system disk thin provisioned, legacy mode). Support recommended building a new VM with the proper specs and migrating to that, and also converting to Panorama mode.Since we are going through this process we also would like to change the mgmt IP of Panorama on the new VM. I'm trying to work out the order of operations here and I'm relatively new to Palo so pardon any ignorance.
- Build new VM with current 9.1.13-h3 OVA
- Take configuration snapshot from existing
- Power on new VM
- Import config into new VM
- Convert to Panorama mode
- Configure log collector
- Commit
- Change firewall config to point to new panorama mgmt IP
- Commit
- Upgrade to 10.1.6-h6
Am I missing any steps here or have something out of order? I appreciate any advice with this process.
Yeah I should have included that we will be building to the new recommended specs of 16 CPUs, 32GB RAM, 81GB system disk thick provisioned, and a 2 TB local log collector disk.
Thank you for the responses, this is all extremely helpful and makes me feel more confident with this task.
being able to build a fresh panorama in parallel to your production one will make life considerably easier than trying to do a replace in place
i've added a few steps:
- Build new VM with current 9.1.13-h3 OVA
- assign appropriate number of CPU and RAM (most likely 16cpu+32gb RAM) : https://docs.paloaltonetworks.com/panorama/10-1/panorama-admin/set-up-panorama/set-up-the-panorama-virtual-appliance/setup-prerequisites-for-the-panorama-virtual-appliance
- add a minimum af 1 2TB drive (up to 12) for logging
- Take configuration snapshot from existing
- Power on new VM
- properly license panorama. this may be a bit tricky but you may be able to simply move your serial over to the new one
- fully update panorama with content updates
- Import config into new VM
- Convert to Panorama mode
- add log collector
- Commit to panorama
- assign disks to collectors
- commit to panorama
- configure collector group
- commit to panorama
- commit to log collectors
- Change firewall config to point to new panorama mgmt IP
- Commit
- Upgrade to 10.1.6-h6
Erik- A few tips:
We just experienced a similar problem w longtime client's Panorama upgrading from 9.1 -> 10.2. At 9.1 our ESXi VM settings (which were similar to yours) ran OK; but was unstable after upgrade. Turns out the minimum VM 'hardware' requirements have increased substantially. Nowhere in the upgrade/setup process does it warn we were running 'below minimum resource prerequisites.' Support also advised us to scratch build a new VM, according to proper specs (see link) 16vCPU, 32 GB RAM, 81 GB System, disk etc.
https://docs.paloaltonetworks.com/panorama/10-1/panorama-admin/set-up-panorama/set-up-the-panorama-virtual-appliance/setup-prerequisites-for-the-panorama-virtual-appliance#
Also, another tip--depending on your logging and future needs. We added a separate disk for the log collector, 2 TB is minimum. This way log collector storage needs are kept separate from the system disk. No risk of filling the system partition, if log storage needs increase, grow suddenly (as they do sometimes.) Best of luck w your project, -Peter