topic Re: Migrating PA-3050 to PA-1420 in Expedition Discussions

Migrating PA-3050 to PA-1420

Kevin_Clark — Thu, 11 Jul 2024 15:34:27 GMT

I'm attempting to use Expedition to merge the config from our PA-3050 (PAN-OS 9.1.x) into the config for a PA-1420 (PAN-OS 11.0.x). The problem is that the vsys1 components aren't transferring across.

Can anyone guide me through what I need to do to get this merge working in Expedition? Thanks in advance.

Base config: PA-1420_base.xml

Config to migrate: drfw_20240711.xml

After hitting the Merge button go to the Devices section and view the now updated PA-1420 config: It doesn't show the interfaces, virtual wires or virtual routers:

Those components are still shown in the config from the PA-3050 that I'm trying to migrate:

For the record this is a screenshot of the configs after I've imported them but before making any changes:

And this is a screenshot after I've dragged the components across just prior to hitting the Merge button:

Re: Migrating PA-3050 to PA-1420

dpuigdomenec — Fri, 12 Jul 2024 08:22:39 GMT

Hi @Kevin_Clark

Thanks for reaching out.

Expedition tool is intended to help on migrations from 3rd party vendors and also to optimise the security posture on a PANOS device.

The migration you are describing could be done using PANOS features as export and import from old to new devices (you may need to update networking information and VPN configuration). Once you have your configuration pushed to your new device you can download it to Expedition and do some optimisation like removing duplicates and merging similar policies among other features Expedition can help.

Said that, if you still want to use Expedition for that please check the file /tmp/error after doing the merge and share it with me using the email fwmigrate@paloaltonetworks.com

Hope this helps,

David

Re: Migrating PA-3050 to PA-1420

Kevin_Clark — Fri, 12 Jul 2024 14:51:34 GMT

Thanks, David.

I'm pleased to report that the import of the config from our PA-3050 (PAN-OS 9.1.x) into our new PA-1420 (PAN-OS 11.0.x) was successful. Thank you for this recommendation.

Kevin

Re: Migrating PA-3050 to PA-1420

iamxCPx — Thu, 21 Nov 2024 21:03:47 GMT

@Kevin_Clark

Do you mind sharing the steps that you did?

Did you still use the expedition or config export/import method?

I'm in the same boat trying to migrate from 3020 (9.x) to 1420 (11.x).

I greatly appreciate your feedback.

Re: Migrating PA-3050 to PA-1420

Kevin_Clark — Fri, 22 Nov 2024 08:47:12 GMT

@iamxCPx I didn't end up using Expedition to make the config changes because it turned out to be relatively straightforward to edit the XML file, and then validate those changes in the web UI before committing them.

1. Exported the config from the 3050

2. Modifications to the XML in a text editor, e.g. changed the interface references to what they needed to be on the 1420, set the management interface to the temporary IP address for the 1420

3. Import the XML on the 1420

4. Commit -> Validate to see what errors it spits out, e.g.

Validation Error:
rulebase -> security -> rules -> Block Known Malicious Dynamic -> destination 'panw-known-ip-list' is not an allowed keyword
rulebase -> security -> rules -> Block Known Malicious Dynamic -> destination panw-known-ip-list is an invalid ipv4/v6 address

5. Edit the XML to correct the errors

6. Repeat steps 2-5 until no more validation errors

Re: Migrating PA-3050 to PA-1420

iamxCPx — Fri, 22 Nov 2024 18:20:39 GMT

Thank you for this.

I have more questions if you don't mind.

Did you do this after you set up the licenses and upgraded to the latest software version on the 1420?

I haven't connected the 1420 live to the internet. At the moment, I am only connected to the management port.

I wonder if the import will fail if it does not have the same licenses on the 1420.

TIA.

Re: Migrating PA-3050 to PA-1420

ksalustro — Fri, 22 Nov 2024 19:36:15 GMT

It looks like he had not yet installed the licenses, that is why he got an error about "'panw-known-ip-list' is not an allowed keyword". No big deal, but with the licenses installed and content updated first, the PA firewall will have its EDL's downloaded and won't give this error.

For me, the best practice is to:

1. Connect mgt interface on new firewall, get dns to work, fetch licenses, obtain content updates.

2. Get PAN-OS to same level as prior firewall or upgrade prior firewall to catch up. The closer the better but they don't need to be exact.

3. Export running config of old firewall, e.g. save file on disk "PA3050-config.xml".

4. On new firewall, save named config snapshot "PA1410-original". Import "PA3050-config.xml" to new firewall. Load config. Look it over. (I have never had to edit the xml file first) but I agree with the above last 3 steps, reposted below.

To answer your question, import or load will not fail if licenses don't match, but possibly the validation or commit could fail, which you can tweak before successful commit.

5. Commit -> Validate to see what errors it spits out, e.g.

Validation Error:
rulebase -> security -> rules -> Block Known Malicious Dynamic -> destination 'panw-known-ip-list' is not an allowed keyword
rulebase -> security -> rules -> Block Known Malicious Dynamic -> destination panw-known-ip-list is an invalid ipv4/v6 address

6. Edit the XML to correct the errors

7. Repeat steps 2-5 until no more validation errors