
Palo Firewall-Migration-Guide

The Palo Alto Networks Firewall Migration Guide provides essential information for upgrading to a newer firewall model, including planning checklists and migration procedures. Key considerations include ensuring compatibility, obtaining necessary licenses, and planning for User-ID migration. The guide also outlines steps for managing high-availability configurations and minimizing downtime during the migration process.

Uploaded by

cu.sivaguru
Copyright
© All Rights Reserved

Palo Alto Networks

Firewall Migration Guide


Contact Information

Corporate Headquarters:
Palo Alto Networks
3000 Tannery Way
Santa Clara, CA 95054
www.paloaltonetworks.com/company/contact-support

About this Guide

This guide helps ensure that you are aware of the various considerations associated with upgrading your Palo Alto
Networks firewall to a newer, more powerful Palo Alto Networks firewall.
In addition to this guide, you should review release notes if you are upgrading your PAN‐OS software in conjunction
with your hardware upgrade. If you are upgrading software, be sure to review release notes for each feature release
between your existing configuration and the new version. For example, if you are upgrading from PAN‐OS 6.1 to
PAN‐OS 8.0, you should review release notes for PAN‐OS 7.0, PAN‐OS 7.1, and PAN‐OS 8.0 before beginning your
upgrade.
For additional information, refer to the following resources:

• For information on the supported OS releases by model, refer to https://www.paloaltonetworks.com/documentation/global/compatibility-matrix.

• For information on the additional capabilities and for instructions on configuring the features on the firewall, refer to https://www.paloaltonetworks.com/documentation.

• For access to the knowledge base and discussion forums, refer to https://live.paloaltonetworks.com.

• For contacting support, for information on support programs, to manage your account or devices, or to open a support case, refer to https://www.paloaltonetworks.com/support/tabs/overview.html.

• For capacity and performance information for all Palo Alto Networks firewalls, refer to https://www.paloaltonetworks.com/products/product-selection.html.

• To view the product spec sheets, refer to https://www.paloaltonetworks.com/resources/datasheets.html.

• For information on End-Of-Sale firewalls and appliances, refer to https://www.paloaltonetworks.com/support/end-of-life-announcements/end-of-sale.html.

To provide feedback on the documentation, please write to us at: [email protected].

Palo Alto Networks, Inc.


www.paloaltonetworks.com
© 2017–2018 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at http://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.

Revision Date: March 7, 2018

2 • Firewall Migration Guide © Palo Alto Networks, Inc.


Table of Contents

Firewall Migration
  Firewall Migration Planning Checklist
  Migrate to New Firewalls



Firewall Migration
The following topics guide you through the process of migrating your existing Palo Alto Networks® firewall
to a new Palo Alto Networks firewall (such as from a PA‐200 firewall to a PA‐220 firewall or from a PA‐500
firewall to a PA‐800 Series firewall).
This procedure is not supported for migration to PA-5200 Series firewalls. You can use this procedure in an RMA situation where you are replacing a failed PA-5200 firewall with the same model PA-5200 firewall.

• Firewall Migration Planning Checklist
• Migrate to New Firewalls

Firewall Migration Planning Checklist

Use the following checklist to plan the migration:

• Obtain licenses—Purchase a support license for the new firewall and have the authorization code ready. Also purchase the licenses and subscriptions necessary for activating the same features on the new firewall that are enabled on the old firewall and account for the following scenarios as needed:
  – If the old firewall has virtual systems enabled, ensure that the new firewall can support the same number of virtual systems that are configured on the old firewall and, if applicable, purchase a virtual system license for the new firewall. This will ensure you can migrate the virtual systems from the old firewall to the new firewall.
  – For firewalls in a high-availability (HA) configuration, licenses are unique to each firewall and cannot be shared between the firewalls. Therefore, you must activate an identical set of licenses on each firewall.

• Compare compatibility—Use the Product Selection tool to compare the old and new firewall to ensure the new firewall supports—at a minimum—the same functionality as the old firewall and use the Compatibility Matrix to view the supported OS releases by model.

• Determine the target PAN-OS release—Before you Migrate to New Firewalls, ensure that the old firewall is running the same PAN-OS release and the same content release version as is installed on the new firewall. If the old firewall does not support the PAN-OS release that is installed on the new firewall, you must ensure that the old firewall is no more than one feature release behind. For example, if the new firewall is running PAN-OS 8.0, then the old firewall must be running or upgraded to a PAN-OS 7.1 release before you migrate. If the old and new firewalls are not within one feature release, you cannot use the device state export and import process to migrate due to schema changes that occur from feature release to feature release.

• Plan for a User-ID migration—If User-ID is configured on the old firewall, consider the following:
  – If the old firewall uses Captive Portal to collect user-to-IP address mappings, ensure that the new firewall is registered with your DNS server as the Captive Portal host. This is required only if you plan to change the IP address that is used as the web server redirect destination when Captive Portal is in redirect mode. By default, Captive Portal uses the management (MGT) interface for these services.
  – If the firewall is configured as a User-ID agent and you plan to use different IP addresses on the new firewall, ensure that the new firewall has a network path to all resources required by the agent, such as domain controllers, syslog servers, and other User-ID agents. If the firewall is configured to contact User-ID agents on domain servers, ensure that the firewall can connect to those servers.

• Forward logs for retention—You cannot migrate logs from one firewall to another. Therefore, when planning the migration, ensure that the old firewall is forwarding any logs you need to retain to an appropriate external location. If you use Panorama to manage the firewall, logs forwarded to Panorama from the firewall are still available for query and reporting after migration until you remove the firewall from Panorama. Keep in mind that the old firewall will count toward your total number of managed devices so you should remove the old firewall at some point. Alternatively, you can export logs to CSV format.

• Label management and Ethernet cables—Label all cables before you disconnect them so you can easily identify them when moving them from the old firewall to the new firewall. Alternatively, connect new cables to the new firewall.
  Take photos of the front and back of the old firewall and capture all cable connections before disconnecting any cables.

• Schedule a maintenance window—Schedule a maintenance window to allow time for you to move cables from the old firewall to the new firewall and to test the new firewall. Also notify other administrators about the upgrade so they do not inadvertently make changes to the old firewall during the migration. Otherwise, changes made after migration begins will not be migrated to the new firewall. You should also schedule time with your network administrator to assist with the migration.

• Prevent IP address conflicts—Obtain a temporary IP address for the MGT interface on the new firewall if you plan to connect the old and new firewalls to the same management network during the migration. To prevent IP address conflicts on the Ethernet interfaces, do not connect the Ethernet cables to the new firewall until you are ready to move them over from the old firewall.
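
The release and content-version rules in this checklist (and in Step 7 through Step 9 of the procedure) worked as a check, as an added example that is not part of the Palo Alto Networks guide. It assumes each firewall's versions were collected as the XML reply to the "show system info" operational command; the sample replies, their version numbers and the field names relied on are constructed for illustration, and the feature-release list holds only the releases this guide names.

```python
"""Pre-migration version check. Added example, not code from the guide."""
import re
import xml.etree.ElementTree as ET

# Feature releases in order, limited to the releases the guide names.
FEATURE_RELEASES = ["6.1", "7.0", "7.1", "8.0", "8.1"]
CONTENT_FIELDS = ("app-version", "threat-version", "av-version")

# Constructed replies shaped like the XML answer to "show system info".
# Field names are an assumption; every version number here is made up.
OLD_FW_A_XML = """<response status="success"><result><system>
  <hostname>Old-FW-A</hostname><sw-version>7.0.19</sw-version>
  <app-version>769-4439</app-version><threat-version>769-4439</threat-version>
  <av-version>2500-2990</av-version><multi-vsys>on</multi-vsys>
</system></result></response>"""
NEW_FW_C_XML = """<response status="success"><result><system>
  <hostname>New-FW-C</hostname><sw-version>8.0.8</sw-version>
  <app-version>785-4545</app-version><threat-version>785-4545</threat-version>
  <av-version>2500-2990</av-version><multi-vsys>off</multi-vsys>
</system></result></response>"""


def parse_system_info(xml_text):
    """Return the fields the checklist compares, as a dict of strings."""
    root = ET.fromstring(xml_text)
    system = root.find("./result/system")
    if root.get("status") != "success" or system is None:
        raise ValueError("not a successful 'show system info' reply")
    fields = ("hostname", "sw-version", "multi-vsys") + CONTENT_FIELDS
    return {name: (system.findtext(name) or "").strip() for name in fields}


def feature_index(sw_version):
    """Map '8.0.6-h3' to the position of feature release '8.0'."""
    match = re.match(r"(\d+\.\d+)\.", sw_version)
    if not match or match.group(1) not in FEATURE_RELEASES:
        raise ValueError(f"unknown PAN-OS release: {sw_version!r}")
    return FEATURE_RELEASES.index(match.group(1))


def release_notes_to_review(old_sw, new_sw):
    """Feature releases after the old one, up to and including the new one."""
    return FEATURE_RELEASES[feature_index(old_sw) + 1:feature_index(new_sw) + 1]


def check_migration(old, new):
    """Return a list of findings; an empty list means the import can go ahead."""
    findings = []
    gap = feature_index(new["sw-version"]) - feature_index(old["sw-version"])
    if gap >= 2:
        findings.append(
            f"{old['hostname']} is {gap} feature releases behind "
            f"{new['hostname']}: upgrade the old firewall before exporting")
    elif gap < 0:
        findings.append(
            f"{new['hostname']} runs an older release than "
            f"{old['hostname']}: upgrade the new firewall first")
    for field in CONTENT_FIELDS:
        if old[field] != new[field]:
            findings.append(
                f"{field} differs ({old[field]} vs {new[field]}): "
                "install the same content release on both")
    if old["multi-vsys"] == "on" and new["multi-vsys"] != "on":
        findings.append(
            f"enable Multi Virtual System Capability on {new['hostname']} "
            "before importing the device state")
    return findings


if __name__ == "__main__":
    old_fw = parse_system_info(OLD_FW_A_XML)
    new_fw = parse_system_info(NEW_FW_C_XML)
    for finding in check_migration(old_fw, new_fw):
        print("BLOCKER:", finding)
    print("Release notes to review:",
          release_notes_to_review(old_fw["sw-version"], new_fw["sw-version"]))
```
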


Migrate to New Firewalls

This procedure describes how to migrate a pair of Palo Alto Networks firewalls in a high‐availability (HA)
active‐passive configuration to a new pair of Palo Alto Networks firewalls. You can also use this procedure
to upgrade an active/active configuration by substituting active‐primary in place of active and
active‐secondary in place of passive throughout these migration steps. In this procedure, you import the
device states from the old firewalls to the new firewalls to reduce the number of manual configuration steps
needed when migrating. There are some settings, such as multiple virtual systems (multi‐vsys) and jumbo
frames, that you must manually configure as described in this procedure. There are also settings that are not
synchronized in HA (as described in Reference: HA Synchronization).
To minimize downtime in your production environment, this procedure allows for keeping the old firewalls
operational until you have configured and tested the new firewalls.
In the following procedure, the active firewall in the old HA pair is named Old‐FW‐A and the passive firewall
is named Old‐FW‐B. On the new HA pair, the active firewall is named New‐FW‐C and the passive firewall is
named New‐FW‐D.

Migrate to New Firewalls

Step 1  Rack-mount and connect power to the new firewalls.
  Follow the procedures in the hardware reference guide for the new firewall.

Step 2  Connect your management computer to the New-FW-C firewall.
  1. Connect an RJ-45 Ethernet cable from your management computer to the MGT port on the New-FW-C firewall.
  2. Change the IP address on your computer to an address in the 192.168.1.0 network, such as 192.168.1.2.
  3. Power on the firewall.
  4. From a browser, go to https://192.168.1.1.
  5. When prompted, log in using the default username and password (admin/admin).
     We recommend that you have a serial console cable ready to connect to the Console port on the firewall and use terminal emulation software to access the command line interface (CLI). The terminal settings are 9600-8-N-1. This will ensure that if you lose the web interface connection to the firewall, you can view or modify the configuration from the terminal.

Step 3  (FIPS-CC mode only) If the old firewalls are in Common Criteria (CCEAL4) mode, enable this mode on the new firewalls.
  1. Follow the procedure in Enable FIPS and Common Criteria Support.
  2. After the firewall restarts in CCEAL4 mode, log in with the new default username and password (admin/paloalto) and continue to Step 4.

Step 4  Assign a temporary IP address to the management interface.
  You will replace this IP address with the IP address configured on the management interface on the old firewall when you are ready to disconnect the old firewall.
  1. Configure the MGT interface using the necessary settings required to enable you to manage the firewall over your management network and to enable the firewalls to communicate with the Palo Alto Networks update servers.
  2. Commit the changes.
  3. Connect the MGT port to a switch that is accessible from your management network.


Step 5  Connect your management computer to the second new firewall.
  1. Repeat Step 2, Step 3, and Step 4, assigning a different temporary IP address to the management interface.
  2. After you connect both of the new firewalls to your management network, change the IP address on your computer back to its original address.
  3. Connect your management computer to your corporate network and verify that you can manage the new firewalls using the temporary management interface IP addresses you set on the new firewalls.

Step 6  Register and license the new firewalls.
  1. Register the firewalls.
  2. Activate Licenses and Subscriptions.

Step 7  Update the content release version on the old and new firewalls to the same version.
  The minimum supported content release version is enforced by the PAN-OS release. For details on what content release version is required, refer to the release notes for the version you are installing. For example, if you are installing PAN-OS 8.1, refer to the PAN-OS 8.0 Release Information.
  Perform the following on the old and new firewalls:
  1. Select Device > Dynamic Updates and click Check Now.
  2. If new updates are available for Antivirus and Applications and Threats, Download them (Actions column).
  3. Install each update.

Step 8  Determine the target PAN-OS release and upgrade the old firewalls if necessary.
  1. Log in to the web interface on each firewall (old HA pair and new HA pair) and select the Dashboard tab.
  2. Take note of the Software version, Application Version, and Threat Version on the old and new firewalls (General Information).
  3. Choose from the following options based on the PAN-OS release versions running on the firewalls:
     • If the old firewalls are running the same PAN-OS feature release as the new firewalls or are within one feature release of the new firewalls, continue to Step 9.
     • If the old firewalls are running a PAN-OS release that is two or more feature releases older than what is running on the new firewalls, upgrade the old firewalls to the same release as the new firewalls. Alternatively, if the new firewalls are running a PAN-OS release that is older than what is running on the old firewalls, upgrade the new firewalls to the same release as the old firewalls.
       You can find details on upgrading a firewall in the New Features guide for each release. For example, to upgrade to PAN-OS 8.0, refer to New Features Guide Version 8.1.


Step 9  (Virtual system and jumbo frame mode only) If the old firewalls are in multi-vsys mode or jumbo frame mode, enable the same modes on the new firewalls.
  If either of these modes is enabled on the old firewalls, you must enable it on the new firewalls before you import and commit the device state from the old firewalls.
  Perform the appropriate step(s) that pertain to the firewall configuration:
  • To enable virtual system mode:
    1. Select Device > Setup > Management and edit General Settings.
    2. Select Multi Virtual System Capability.
    3. Click OK and Commit.
  • To enable jumbo frame mode:
    1. Select Device > Setup > Session and edit Session Settings.
    2. Enable Jumbo Frame.
    3. Click OK and Commit.
    4. Reboot the firewall (Device > Setup > Operations > Device Operations).

Step 10  (Optional - for custom master key only) Set the master key on the new firewalls to match the keys you defined on the old firewalls so the new firewalls can decrypt keys and passwords in the configuration.
  1. On the new firewalls, select Device > Master Key and Diagnostics and edit the Master Key settings.
  2. Enter the New Master Key and Confirm New Master Key.
  3. Click OK. The firewalls will auto-commit the new master keys.

Step 11  Export the device state from the old firewalls.
  The device state export contains most firewall configuration settings, including local configuration settings and settings pushed by Panorama (if the firewalls are managed by Panorama).
  If the firewall is configured for a GlobalProtect™ Large-scale VPN, the device state export also contains the required certificates and private keys.
  1. Notify all administrators that have access to the old firewalls that a migration is in progress and take a config lock (click the lock icon next to Config) on the old firewalls to prevent unexpected configuration updates.
  2. Commit any pending configuration updates on the old firewalls (Old-FW-A and Old-FW-B).
  3. Select Device > Setup > Operations on the Old-FW-A firewall.
  4. Export device state file to your computer.
  5. Rename the device state file to a name that helps you identify it later. For example, rename device_state_cfg.tgz to Old-FW-A-device-state.tgz.
  6. Repeat steps 3, 4, and 5 for the Old-FW-B firewall and name the device state file Old-FW-B-device-state.tgz.

Step 12  Import the device state from the old firewalls to the new firewalls.
  Do not commit the configuration until instructed to do so in Step 17.
  1. Select Device > Setup > Operations on the New-FW-C firewall.
  2. In the Configuration Management section, click Import device state.
  3. Browse to and open the device state file that you exported from the old firewall (Old-FW-A-device-state.tgz in this example).
  4. Click OK but do not commit yet. The new device state configuration is now the candidate configuration.
  5. Repeat these steps for the New-FW-D firewall but import the device state from the old passive firewall (Old-FW-B-device-state.tgz in this example).


Step 13  Create a temporary superuser account on the new firewalls.
  Create a username that does not exist on the old firewalls. This ensures that you can log in to the new firewalls if there is an issue with the imported accounts.
  1. Select Device > Administrators and Add a new administrator.
     When you imported the device state in the previous step, the device state becomes the candidate configuration and is not active until you commit. When you create or modify administrator accounts, those changes are immediately activated. Because of this, when you create the temporary administrator account and click OK, your session will time out and you will need to log back in using the new temporary account or by using an account that exists on the old firewall.
  2. Enter a Name, such as migrate-admin.
  3. Enter a new Password and Confirm. Store the credentials in a safe place.
  4. Set the Administrator Type to Dynamic, select Superuser from the drop-down, and click OK but do not commit yet. Your current session will time out.
  5. Log back in using the new temporary account.
  6. Repeat these steps to create a temporary superuser account on the New-FW-D firewall.

Step 14  Change the management IP addresses on the new firewalls to the temporary management IP addresses you set in Step 4 and Step 5. This will prevent IP address conflicts with the old firewalls after you commit the device state.
  1. Select Device > Setup > Interfaces and click Management.
     In PAN-OS release version 7.1 and earlier, this setting is in Device > Setup > Management.
  2. Enter the temporary management IP information (IP Address, Netmask, and Gateway) or select DHCP.
  3. Click OK but do not commit yet.

Step 15  Reconfigure Ethernet interfaces if there is a mismatch between the old and new firewalls.
  If the new firewalls have higher speed Ethernet ports or different connector types (SFP for example) than the old firewalls, reconfigure the mismatched interfaces before you commit and install the appropriate connectors and cables.
  For example, if you migrate from a PA-2050 firewall to a PA-3020 firewall, the first 16 Ethernet ports on the PA-2050 firewall are RJ-45 10/100/1000Mbps ports but on a PA-3020 firewall the first 12 ports are RJ-45 10/100/1000Mbps ports and the remaining ports are SFP ports (ports 13-20).

Step 16  (Panorama only) Add the new firewalls to Panorama.
  Leave the serial numbers of the old firewalls in Panorama so you can continue to view logs and run reports. Be aware that leaving the old firewalls in Panorama will count against your Panorama license so you should remove the old firewall at some point.
  1. Add the serial numbers of the new firewalls to the Panorama server that is managing the old firewalls as described in Add a Firewall as a Managed Device.
  2. Add the new firewalls to the same device group and templates (or template stacks) as the old firewalls as described in Manage Firewalls.
  3. Commit the Panorama configuration so Panorama can start managing the new firewalls.


Step 17  Commit the configuration on the new firewalls.
  To prevent network flow issues and IP address conflicts, do not connect the network cables until Step 22.
  1. Commit New-FW-C firewall.
     If the firewall is running a PAN-OS 7.0 or later release, you can validate the new configuration before you commit.
     After you import a device state, Commit indicates that there are no pending configuration changes and that a full commit is available. Continue with the commit to complete the operation.
     If you see configuration errors in the commit output, resolve errors as needed until the commit is successful.
  2. Commit New-FW-D firewall.
     You will need to resolve any configuration issues on both firewalls if they are managed by Panorama because HA does not synchronize configurations pushed by Panorama.
  3. Reboot the firewalls to complete the operation. Select Device > Setup > Operations, click Reboot Device, and click Yes.

Step 18  (GlobalProtect LSVPN only) If the old firewalls were configured as a GlobalProtect LSVPN satellite, you may need to reauthenticate the new firewalls depending on the LSVPN portal configuration.
  If the portal uses serial number authentication, add the serial numbers of the new firewalls to the portal.
  If the portal is configured to authenticate satellites using username and password, the satellite will successfully connect to the portal because the required configuration is migrated in the device state import.
  No additional steps (related to GlobalProtect) are required if the new firewalls are configured as a GlobalProtect portal or gateway.

Step 19  (HA1 encryption only) If HA1 encryption is enabled on the old HA pair, enable it on the new HA pair and exchange HA keys between the new firewalls. Otherwise, continue to Step 20.
  HA1 encryption is used to secure the communication between the HA1 links on the firewalls when the link is not directly connected (ports are connected to a switch or a router). When performing an upgrade to new firewalls, you will use the HA keys that are generated on the new HA pair, so there is no need to export the HA keys from the old firewalls.
  1. On the New-FW-C firewall and the New-FW-D firewall, select Device > High Availability > General and Enable HA in the Setup section.
  2. On the New-FW-C firewall, select Device > Certificate Management > Certificates and click Export HA Key.
  3. On the New-FW-D firewall, Import HA Key that you exported from the New-FW-C firewall.
  4. Repeat steps 2 and 3, but in this case, export the HA key from the New-FW-D firewall and import it to the New-FW-C firewall.
  For more details, refer to Configure Active/Passive HA or Configure Active/Active HA.

Step 20  (Optional) Configure and connect dedicated HA ports.
  If the old firewalls do not have dedicated HA ports and you are upgrading to firewalls that do, modify the configuration on the new firewalls to use the dedicated ports. The dedicated HA ports improve HA communication.
  Review HA Links and Backup Links for information about the available HA ports and supported firewalls and then refer to Configure Active/Passive HA or Configure Active/Active HA for information on how to configure HA ports.


Step 21  Temporarily disable HA link monitoring to prevent failover flapping issues while you complete the remaining steps.
  1. On the New-FW-C firewall, select Device > High Availability > Link and Path Monitoring and edit Link Monitoring.
  2. Deselect Enabled.
  3. Click OK and Commit.
  4. Perform these same steps on the New-FW-D firewall.

Step 22  Move cables (Ethernet, management, and HA) from the old firewalls to the new firewalls.
  Alternatively, you can connect new cables to the new firewalls.
  Label all cables before you disconnect them so you can easily identify them when moving them from the old firewalls to the new firewalls.
  1. Schedule a maintenance window to allow time to disconnect cables from the old firewalls and cable the new firewalls.
  2. Move the Console and MGT port cables from the old firewalls to the new firewalls.
  3. Move the Ethernet cables from the old firewalls to the new firewalls, ensuring that you move each cable to the correct port on each firewall. For example, move the ethernet1/1 cable on the Old-FW-A firewall to ethernet1/1 on the New-FW-C firewall and move the ethernet1/1 cable on the Old-FW-B firewall to ethernet1/1 on the New-FW-D firewall.

Step 23  Clear the MAC table and ARP entries from adjacent network equipment, such as switches and routers.
  This is required because you are migrating the interface configuration from the old firewalls to the new firewalls and the new firewalls have different MAC addresses.
  If the network equipment uses static MAC addresses based on the interfaces on the old firewalls, change those MAC addresses to the MAC addresses of the interfaces on the new firewalls.
  Perform this procedure yourself or contact your network administrator if you do not have access to the network equipment.

Step 24  Verify traffic flow on the new firewalls.
  If active/passive HA is configured, you will not see active sessions on the passive firewall.
  View sessions from the web interface or from the command line interface (CLI):
  • Web interface—Select Monitor > Session Browser.
  • CLI—Run the show session all operational command.
  The session information shows the traffic flow between zones. After a session ends, you can then view more details in the traffic logs (Monitor > Logs > Traffic).

Step 25  (Optional) Update the management (MGT) interface configuration on the new firewalls using the configuration from the old firewalls.
  Have a serial console connection ready in case you lose access to the MGT interface.
  1. Disconnect the MGT cables from the old firewalls.
  2. Select Device > Setup > Management and edit the Management Interface Settings on the New-FW-C firewall and the New-FW-D firewall.
  3. Enter the MGT configuration (IP Address, Netmask, and Default Gateway) on the New-FW-C firewall using the settings from the Old-FW-A firewall and enter the MGT configuration on the New-FW-D firewall using the settings from the Old-FW-B firewall.
  4. Click OK and Commit.


Step 26  Enable HA link monitoring.
  1. On the New-FW-C firewall, select Device > High Availability > Link and Path Monitoring and edit Link Monitoring.
  2. Select Enabled.
  3. Click OK and Commit.
  4. Perform these same steps on the New-FW-D firewall.

Step 27  Verify that HA is operational.
  1. Access the management web interface on the New-FW-C firewall or the New-FW-D firewall.
  2. Select Dashboard and add the High Availability widget (Widgets > System > High Availability).
     In this example, the current firewall is the passive firewall in a functional HA configuration with all items synchronized.
  3. Verify failover.
     For details on configuring HA, refer to the High Availability topic in the PAN-OS Administrator's Guide.

Step 28  (Optional) Upgrade the new firewalls.
  We recommend that you wait a few days to ensure that the new firewalls are operating normally before you upgrade PAN-OS. Also, test HA failover on the new firewalls and ensure that you are taking regular backups.
  To take full advantage of the features of the new firewalls, upgrade them to the latest PAN-OS release.
  You can find upgrade details in the New Features guide for each release. For example, refer to Upgrade to PAN-OS 8.0.
  Also review the release notes before you upgrade. For example, refer to the PAN-OS 8.0 Release Notes.
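
Step 11 notes that a device state export can contain certificates and private keys, and Step 12 depends on each export reaching the matching new firewall. The following added example (not part of the Palo Alto Networks guide) shows one way to handle the exported files on the management computer between those two steps: store each export under the guide's file name with owner-only permissions, record its SHA-256, and check name and hash before import. The function names, the in-memory manifest and the sample archive contents are assumptions made for illustration.

```python
"""Device-state staging check. Added example, not code from the guide."""
import hashlib
import io
import os
import shutil
import tarfile
import tempfile

# Step 12 pairing: which old firewall's state is imported on which new one.
IMPORT_PLAN = {"New-FW-C": "Old-FW-A", "New-FW-D": "Old-FW-B"}


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def stage_export(export_path, old_fw, dest_dir, manifest):
    """Store an export as '<old_fw>-device-state.tgz' (mode 0600), record its hash."""
    if old_fw not in IMPORT_PLAN.values():
        raise ValueError(f"{old_fw} is not part of this migration")
    if not tarfile.is_tarfile(export_path):
        raise ValueError(f"{export_path} is not a readable tar archive")
    dest = os.path.join(dest_dir, f"{old_fw}-device-state.tgz")
    # O_EXCL refuses to overwrite an earlier export; 0o600 keeps the file
    # (which may hold private keys) readable by its owner only.
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as out, open(export_path, "rb") as src:
        shutil.copyfileobj(src, out)
    manifest[old_fw] = sha256_file(dest)
    return dest


def check_before_import(new_fw, candidate_path, manifest):
    """Return a list of problems; an empty list means the file is the right one."""
    old_fw = IMPORT_PLAN.get(new_fw)
    if old_fw is None:
        return [f"{new_fw} is not in the import plan"]
    problems = []
    expected = f"{old_fw}-device-state.tgz"
    if os.path.basename(candidate_path) != expected:
        problems.append(f"{new_fw} expects {expected}")
    if old_fw not in manifest:
        problems.append(f"no hash recorded for {old_fw}")
    elif sha256_file(candidate_path) != manifest[old_fw]:
        problems.append("file differs from the export recorded at staging time")
    return problems


def make_constructed_export(path, hostname):
    """Write a tiny .tgz standing in for device_state_cfg.tgz (constructed sample)."""
    payload = f"<config><hostname>{hostname}</hostname></config>".encode()
    with tarfile.open(path, "w:gz") as tar:
        info = tarfile.TarInfo("constructed-config.xml")
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))


def demo():
    work = tempfile.mkdtemp()
    manifest, staged = {}, {}
    for old_fw in ("Old-FW-A", "Old-FW-B"):
        export = os.path.join(work, "device_state_cfg.tgz")
        make_constructed_export(export, old_fw)
        staged[old_fw] = stage_export(export, old_fw, work, manifest)
        os.remove(export)
    results = {
        "correct": check_before_import("New-FW-C", staged["Old-FW-A"], manifest),
        "swapped": check_before_import("New-FW-C", staged["Old-FW-B"], manifest),
    }
    mode = os.stat(staged["Old-FW-A"]).st_mode & 0o777
    with open(staged["Old-FW-B"], "ab") as handle:
        handle.write(b"x")  # simulate a file changed after staging
    results["modified"] = check_before_import("New-FW-D", staged["Old-FW-B"], manifest)
    shutil.rmtree(work)
    return results, mode


if __name__ == "__main__":
    print(demo())
```
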
