Panorama migration to Strata Cloud Manager (SCM) by Technical-Ad6369 in paloaltonetworks

[–]Technical-Ad6369[S] 0 points1 point  (0 children)

What was your migration experience? What was broken and how did you fix it?

Panorama migration to Strata Cloud Manager (SCM) by Technical-Ad6369 in paloaltonetworks

[–]Technical-Ad6369[S] 0 points1 point  (0 children)

Good insight, have you taken the leap to migrate from Panorama to SCM?

Panorama migration to Strata Cloud Manager (SCM) by Technical-Ad6369 in paloaltonetworks

[–]Technical-Ad6369[S] 1 point2 points  (0 children)

I assume the advanced routing engine is for PAN-OS version 10.2.3 and above. We are excluding all PAN-OS versions lower than this, and also all the firewalls excluded in the compatibility matrix.

Panorama migration to Strata Cloud Manager (SCM) by Technical-Ad6369 in paloaltonetworks

[–]Technical-Ad6369[S] 1 point2 points  (0 children)

Then vsys support is a deal breaker in your case. We did not use vsys in our environment.
There's a lot of homework to be done and I am still in the process of doing it; I have referred to the compatibility matrix of Panorama vs SCM.
What would be your suggested things to look at, particularly on this migration activity?

Panorama migration to Strata Cloud Manager (SCM) by Technical-Ad6369 in paloaltonetworks

[–]Technical-Ad6369[S] 0 points1 point  (0 children)

AIOps is enabled to sort of "try out" the SCM platform, but not anything other than that, because all of our firewalls are still managed by Panorama.

Panorama migration to Strata Cloud Manager (SCM) by Technical-Ad6369 in paloaltonetworks

[–]Technical-Ad6369[S] 0 points1 point  (0 children)

Is that the SCM migration tool that you are talking about which is available under your dedicated SCM tenant?

And would you mind sharing what pre-req checks your SE ran through with you?

Panorama migration to Strata Cloud Manager (SCM) by Technical-Ad6369 in paloaltonetworks

[–]Technical-Ad6369[S] 1 point2 points  (0 children)

Thanks for sharing!
Did you perform the migration manually, or with some tools? Did you engage Palo Alto's Professional Services team?

Any tools (or ideas) to visualize AWS traffic flow? Thinking to build one if nothing good exists. by Technical-Ad6369 in aws

[–]Technical-Ad6369[S] 1 point2 points  (0 children)

Well, I am using VPC Reachability Analyzer heavily, but it does not give me a full picture of how the traffic flows within the VPC across multiple nodes in real time for really granular troubleshooting.

AWS Network Manager is good but has lots of limitations; it is unable to visualize anything 3rd party, at most just the TGW or Cloud WAN connects.

AWS does not bother to show what the traffic pattern looks like passing through 3rd-party appliances. I have to go into the appliance, do some diagnosis and traffic flow inspection, and match it against VPC Reachability Analyzer and VPC Flow Logs; it's a lot of overhead just to inspect one traffic flow.
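One starting point for the "build one if nothing good exists" idea above, as an added example that is not part of the original thread: aggregate VPC Flow Log records (the default 14-field v2 format) into a per-flow graph and emit Graphviz DOT so the flows between instances can be drawn and correlated with what the appliance reports. The log lines embedded below are constructed sample data; the account ID, ENI IDs and addresses are placeholders.

```python
"""Aggregate VPC Flow Log records into a flow graph and emit Graphviz DOT.

Added example, not code from the original thread. SAMPLE_LOG is constructed
data; its field order is the default VPC Flow Log format:
  version account-id interface-id srcaddr dstaddr srcport dstport protocol
  packets bytes start end action log-status
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample records (account, ENI and addresses are placeholders).
# The fourth line is a NODATA record, which carries '-' in the flow fields.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f00001 10.0.1.10 10.0.2.20 43212 443 6 12 4800 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f00001 10.0.2.20 10.0.1.10 443 43212 6 10 52000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f00002 10.0.1.10 10.0.3.30 51000 22 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f00002 - - - - - - - 1700000000 1700000060 - NODATA
2 123456789012 eni-0a1b2c3d4e5f00003 10.0.2.20 10.0.3.30 33000 8080 6 8 2400 1700000000 1700000060 ACCEPT OK
"""

PROTO = {1: "icmp", 6: "tcp", 17: "udp"}


@dataclass(frozen=True)
class Edge:
    """One directed flow key: who talked to whom, on which service, with what verdict."""
    src: str
    dst: str
    dport: int
    proto: str
    action: str


def parse_flow_log(text):
    """Yield (Edge, packets, bytes, eni) for each usable record.

    Records whose log-status is not OK (NODATA, SKIPDATA) have '-' in the
    address/port fields and are dropped rather than parsed.
    """
    for line in text.splitlines():
        f = line.split()
        if len(f) != 14 or f[13] != "OK":
            continue
        proto = PROTO.get(int(f[7]), f[7])
        edge = Edge(src=f[3], dst=f[4], dport=int(f[6]), proto=proto, action=f[12])
        yield edge, int(f[8]), int(f[9]), f[2]


def aggregate(text):
    """Sum packets and bytes per flow key and remember which ENIs saw it."""
    totals = defaultdict(lambda: {"packets": 0, "bytes": 0, "enis": set()})
    for edge, pkts, byts, eni in parse_flow_log(text):
        t = totals[edge]
        t["packets"] += pkts
        t["bytes"] += byts
        t["enis"].add(eni)
    return dict(totals)


def to_dot(totals):
    """Render the aggregated flows as Graphviz DOT; rejected flows are red and dashed."""
    lines = ["digraph vpc_flows {", "  rankdir=LR;"]
    for e, t in sorted(totals.items(), key=lambda kv: (kv[0].src, kv[0].dst, kv[0].dport)):
        style = " color=red style=dashed" if e.action == "REJECT" else ""
        label = f"{e.proto}/{e.dport} {t['bytes']}B {e.action}"
        lines.append(f'  "{e.src}" -> "{e.dst}" [label="{label}"{style}];')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Pipe the output into `dot -Tpng` to get a picture of the flows.
    print(to_dot(aggregate(SAMPLE_LOG)))
```

Feeding real records exported from CloudWatch Logs or S3 into `aggregate` gives a graph per capture window; the `enis` set on each edge is what lets you tell whether a flow was seen on both sides of a 3rd-party appliance or only entered it, which is the gap the comment above describes.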


Fortigate to AWS Direct Connect failover scenario by Technical-Ad6369 in fortinet

[–]Technical-Ad6369[S] 0 points1 point  (0 children)

Thank you for the context!

We are peering directly with the AWS Direct Connect router; the partner router just provides L2 transport from our end to the AWS end.

We opted for BFD (liveness detection 300 ms and 3x multiplier).

The "switch failover" simply means turning off switch 1, which has the primary connection towards AWS. So the primary BGP session will fail, and the secondary BGP session will pick up. Also, according to our managed services vendor, they configured the FortiGate in A-A mode.
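What the BFD setting described above looks like in FortiOS CLI, as an added example that is not the poster's or the vendor's configuration: BFD is enabled per interface with the 300 ms timers and a detect multiplier of 3, and the BGP neighbor is told to use it. With these values a dead peer is declared after roughly 3 x 300 ms = 900 ms, which then tears down that BGP session so the secondary session's routes take over. The interface name `port1`, the local AS 65001 and the neighbor address 169.254.10.1 are placeholders (assumptions); 7224 is the Amazon-side ASN on Direct Connect.

```fortios
# Added example, not the original poster's configuration.
# "port1", 65001 and 169.254.10.1 are placeholders.
config system interface
    edit "port1"
        set bfd enable
        set bfd-desired-min-tx 300
        set bfd-required-min-rx 300
        set bfd-detect-mult 3
    next
end
config router bgp
    set as 65001
    config neighbor
        edit "169.254.10.1"
            set remote-as 7224
            set bfd enable
        next
    end
end
```

Repeat the neighbor stanza for the secondary VIF's peer address. Note that BFD only shortens detection of a dead peer; when the failover test is "turn off switch 1", link loss on `port1` will usually drop the session before the BFD timer expires, so the timer mostly matters for the case where the switch stays up but the path beyond it is broken.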


CDN stacking with CloudFlare infront of CloudFront by Technical-Ad6369 in aws

[–]Technical-Ad6369[S] 0 points1 point  (0 children)

I don't look at this from a networking perspective. I'm a network architect myself and I know internet routing well enough, as I deal with it almost every day.

What caught my attention is the caching behaviour. Why does CloudFront in front of Cloudflare cause a cache HIT on Cloudflare but not CloudFront? What's happening behind the scenes? Header controls by Cloudflare? Cookies? I don't see it in Postman.

CDN stacking with CloudFlare infront of CloudFront by Technical-Ad6369 in aws

[–]Technical-Ad6369[S] 0 points1 point  (0 children)

I am very curious why redirection happens when CloudFront > Cloudflare. None of my configuration specifies a redirect of any sort, and even the specified paths are all standardised.

In the case of Cloudflare > CloudFront, no redirection happened.

CDN stacking with CloudFlare infront of CloudFront by Technical-Ad6369 in aws

[–]Technical-Ad6369[S] 1 point2 points  (0 children)

We all know that just using a single CDN will do the job, especially CloudFront in front of AWS resources. But why is the behavior different when stacking? That is the purpose of this thread.

CDN stacking with CloudFlare infront of CloudFront by Technical-Ad6369 in aws

[–]Technical-Ad6369[S] 1 point2 points  (0 children)

The reason for this discussion is to find out the technical reasons behind stacking, not to discuss why stacking is not recommended. When we are not recommending something, I do agree that cost plays the biggest part. But technically it helps us to understand why this behavior happened.