Migrating Palo Alto Panorama from VMware/ESXi to Proxmox

I recently started moving all of my VMs to Proxmox, and even though I already had one PA firewall running under Proxmox, I was not very keen on tackling the task of migrating Panorama. I have two Panorama nodes running in HA in mgmt-only mode, and in addition to those, I also have two Panorama instances running in log-collector mode.

So, today was the day when I decided to move my first Panorama instance (mgmt-only) and I've been fighting with Proxmox for a few hours now until I found the best way to migrate them pretty seamlessly.

Even though Palo Alto publishes qcow2 images for Panorama, I wasn't planning on installing them from the scratch. I ended up doing exactly that, since my first attempt of migrating current instances failed. I couldn't get beyond the initial screen where it says to press any button to interrupt autoboot.

As I said, I ended up installing Panorama from the scratch and then I imported my old Panorama's config and thought how easy that was. Until I realised that none of my devices were imported, nor were my log collectors. That was simply not acceptable, as I already wasted a lot of time trying to set everything up, so I deleted the new installs and tried again with importing the existing instances with ovftool.

Command to start import of an existing VM on ESXi is quite simple:

ovftool vi://[email protected]/'PA Panorama-01' /newlocation

Of course, the pre-requisite is to have the ovftool installed (download it from VMware as a Linux bundle, upload it to your Proxmox server, set exec privileges on the file and start the installation).

Once the command is ran, the output will look something like this:

ovftool vi://[email protected]/'PA Panorama-01' /newlocation

Enter login information for source vi://X.Y.Z.D/
Username: root
Password: **********
Opening VI source: vi://[email protected]:443/PA%20Panorama-01
Opening OVF target: /newlocation
Writing OVF package: /newlocation/PA Panorama-01/PA Panorama-01.ovf
Transfer Completed                    
Completed successfully

Once that is done, the only thing (not really, but at least in CLI) is to import it into Proxmox:

qm importovf 502 'PA Panorama-01.ovf' newlocation

transferred 0.0 B of 81.0 GiB (0.00%)
transferred 829.4 MiB of 81.0 GiB (1.00%)
**** output ommited ****
transferred 81.0 GiB of 81.0 GiB (100.00%)
transferred 81.0 GiB of 81.0 GiB (100.00%)

Finally, once the VM is imported into Proxmox, there's a couple of things that need to be tweaked under Hardware settings of the VM:

• SCSI controller set to VirtiO SCSI
• Hard Disk Bus/Device set to VirtiO Block, Cache set to Write through

• Add two network adapters and if your VMware instance was VLAN aware, so should be Proxmox VM (I didn't want to risk at this point changing the model of the adapter to virtio as I really wanted this to be done as quickly as possible, and changing the model of the virtual NIC may result with VM adding them as new devices that don't inherit IP settings of the previous card - heck, even the same virtual NICs will do that some time on other VMs)

• Finally, the most important part - add a Serial Port (socket) to your VM!

The complete setup for the VM should look something like this:

Don't forget to re-set boot options as well, set the newly modified virtio HDD as your primary boot device. One other thing I set was OS Type to Linux 6.x - 2.6 Kernel.

After this is all setup, the only thing left is to start the VM, and if everything is set correctly, it should boot up without any issues.

I am not 100% confident that SCSI controller needs to be set to VirtiO SCSI, but that is the setting that worked for me, and I really didn't want to test all possible options.

One thing that I really want to emphasize is that, for some reason, a Serial Adapter is a must - without it the VM just doesn't want to boot. This same setting applies to PA firewalls as well when ran under Proxmox (KVM).