topic Re: HA Firewall Device Migration/Hardware Swap in General Topics

HA Firewall Device Migration/Hardware Swap

Akeakamai — Sat, 01 Jan 2022 02:33:56 GMT

Need to replace an HA pair of Panorama managed, currently deployed firewalls (PA-5220s) with a different pair of Panorama managed firewalls (also PA-5220s), with minimum/no downtime; device licensing is different between #1 & #2 pairs, necessitating the swap.

Proposed procedure (detailed in attached picture)

- Copy Panorama DG/Template for HA pair #1 to replacement DG/Template for HA pair #2
- Push Panorama config to HA pair #2
- Replace current passive firewall (1b) with it's replacement (2d), sync sessions

- Swap HA roles (1b is now active)

- Replace current passive firewall (1a) with it's replacement (2c)

- Swap HA roles

- Delete DG/Template #1

Hardware is identical (HA requires this)

HA configs are identical: timers, peer IP addresses, etc.

Anyone see issues with the proposed procedure? Suggestions for alternative procedure?

Thought about using Panorama RMA procedure to just replace #1 firewalls one at a time and using HA to minimize downtime, maybe similar to above, start by serial number swap for passive firewall, HA swap, replace serial number for formerly active device, swap, etc hardware

Re: HA Firewall Device Migration/Hardware Swap

OtakarKlier — Mon, 03 Jan 2022 17:00:29 GMT

Hello,

Why not just swap the licensing? Might be a simpler solution.

Just a thought.

Re: HA Firewall Device Migration/Hardware Swap

Akeakamai — Mon, 03 Jan 2022 23:18:54 GMT

Swapping licenses would be the easiest solution, Palo Alto told us that was not an option, hence my migration plan

Re: HA Firewall Device Migration/Hardware Swap

PavelK — Mon, 03 Jan 2022 23:45:34 GMT

Thank you for the post @Akeakamai

I agree with Otakar that swapping Firewalls for license migration might be overkill, however if this step is unavoidable in your scenario, I would say your proposed procedure looks functional, however I believe this could be a bit simplified.

Since you are using the same Firewalls with the identical configuration, I think you can use existing Device Group and Template Stack, so I would skip first step with cloning existing Device Group and Template Stack.

- Before you start with migration, disable HA Preemption in your existing Firewall HA pair to avoid unexpected failover during migration.

- Suspend in HA setting current passive firewall (1b) and disconnect all interfaces, then cable all ports in replacement firewall (2d).

- Upgrade replacement firewall (2d) to the same PAN-OS version, install the same content update, install license, but keep HA as suspended.

- Place replacement firewall (2d) into existing Device Group and Template Stack and push the configuration.

- After configuration is pushed, I would do basic verification that all setting was applied. If HA setting is configured for "auto" mode, you should at least see all interfaces to be up. Also all information under High Availability should be "Match" and HA1, HA1 Backup, HA2,... should be up.

- Clean/Replace old Firewall SN with new one in Panorama by: replace device old <old SN#> new <new SN#

- If you are using BGP peering, it might be safer to temporarily configure static route as a fall back if BGP session drops during Firewall failover.

- If you did not get stuck or came across any issue with any of the above steps, I would make replacement firewall (2d) functional in HA and proceed with failover (make firewall (1a) suspended).

- If all is running fine on firewall (2d) do the same procedure for firewall (1a) and replace it with firewall (2c).

- Make firewall (2c) active and enable preemption if necessary.

- Clean up all the configuration that was configured temporarily for migration purpose.

- Make failover test just in case to confirm all is working as expected.

As always unexpected thing can happen, so I would schedule this task for weekend or during time with lowest traffic. Also, I would recommend to to do bench mark connectivity test before and after replacement work to avoid falsely troubleshooting things that were actually not functional before replacement.

Kind Regards

Pavel

Re: HA Firewall Device Migration/Hardware Swap

Akeakamai — Wed, 12 Jan 2022 19:00:18 GMT

Thank you for your detailed response, unfortunately it landed in my Spam folder for a week. We came to a similar conclusion to your's independently, you provided useful additional info, and validated our similar approach.

Re: HA Firewall Device Migration/Hardware Swap

amkolev — Tue, 05 Nov 2024 19:04:25 GMT

do you have any documentation if you replace newer HA - hardware ?

Re: HA Firewall Device Migration/Hardware Swap

PavelK — Tue, 05 Nov 2024 21:47:07 GMT

Hello @amkolev

thanks for post!

To be honest I do not think there is any difference in procedure between Firewall mentioned in this post and latest Firewalls. Some miner differences might come from features introduced in latest versions of PAN-OS.

Would you mind provide more details what your scenario / migration is?

Kind Regards

Pavel

Re: HA Firewall Device Migration/Hardware Swap

amkolev — Wed, 06 Nov 2024 02:41:47 GMT

I have 5250 HA - active /passive firewalls registered with Panorama and the end goal is to replace them with the newer PA5420 Firewalls . How would you do it . I am fine with downtime procedure , but would you copy the config or you just de-register old devices from Panorama and add the new devices and add them in the proper Device Group and Templates . the only thing is I would like to keep same Routing and interface configuration ( Ip addresses , sub-interface , routing etc )

Let me know

Re: HA Firewall Device Migration/Hardware Swap

PavelK — Mon, 02 Dec 2024 06:43:02 GMT

Hello @amkolev

I am sorry for late response.

Similar posts for Firewall migration leveraging Panorama came up in the past. Could you have a look?

https://live.paloaltonetworks.com/t5/panorama-discussions/palo-alto-5020-migrate-to-5220-from-panorama/td-p/487516

https://live.paloaltonetworks.com/t5/general-topics/pa-3020-to-pa-460-migration/td-p/516049

In nutshell, I would in your case place the new Firewall in the same Device Group as old Firewall. For Template Stack, I would clone old Firewall Template and adjusted new Firewall specific configuration in a new Template.

Kind Regards

Pavel