topic Migration from PA 220 to PA 440 in General Topics

Migration from PA 220 to PA 440

janelle.provine — Wed, 25 Jan 2023 17:56:27 GMT

I am in the process of migrating from a pa220 os 10.1 to a pa440 os 10.1.3. I imported the configuration from the pa 220 to the pa440 I ran into three issues:

1.we are getting 1gig from the ISP and even with Qos disabled we are only getting 150mbps

2. We have a toshiba phone system not IP every thing works except when calling location B across the ipsec tunnel, the call goes through and we can hear them talk but they cannot hear us and I have already disabled ALG

3. We were able to access the internal camera system remotely and now we can't

Compared config and they match,scratching my head.

Re: Migration from PA 220 to PA 440

BPry — Thu, 26 Jan 2023 04:02:45 GMT

@janelle.provine,

1.we are getting 1gig from the ISP and even with Qos disabled we are only getting 150mbps

Have you verified counters? If you've been testing without security profiles applied, speed/duplex have been verified, and you have QoS disabled the 450 shouldn't have any issues with that. The only other thing that I've seen cause similar issues (to a far lesser extent) is when the firewall is behind another device performing a double NAT.

You've verified that you don't have any traffic between location B and your primary location being denied? Either to the phone system itself or to the other phone if media bypass is enabled on the phone system for internal calls?

3. We were able to access the internal camera system remotely and now we can't

How were you able to access it before, directly to the IP/FQDN or by using GlobalProtect? Combined with your first question, did you also upgrade your internet when you swapped to the PA-450? Is it possible that you replaced some ISP gear that wasn't put into passthrough mode and is performing its own NAT; this would explain the broken camera system access if you were accessing it directly by IP/FQDN.

Re: Migration from PA 220 to PA 440

janelle.provine — Tue, 31 Jan 2023 15:35:37 GMT

@BPry

Have you verified counters? Which counters are you referring too the ISP tested and said there was 1 gig coming to the modem.

If you've been testing without security profiles applied no I have profiles,

speed/duplex have been verified -you mean of the pc,s and switch the pc's are on?,

and you have QoS disabled -yes and the speed went from 50 to 150

The only other thing that I've seen cause similar issues (to a far lesser extent) is when the firewall is behind another device performing a double NAT.- not sure how to check that all I have it natted to the external IP and the net hop in the vr is the modem

You've verified that you don't have any traffic between location B and your primary location being denied? - yes the configuration is exactly the same as on the pa 220 that I migrated from , I imported it directly to the 440. This is not a voip they do not have IP phones it is going from the PBX ip on our side to a IP address of the PBX on the remote site across a ipsec tunnel.

How were you able to access it before, directly to the IP/FQDN or by using GlobalProtect? -direct by the external IP address no gpvpn. The internet speed was upgraded quite awhile ago but they were limited by the PA 220 that is why we are upgrading them to PA440

Is it possible that you replaced some ISP gear that wasn't put into passthrough mode and is performing its own NAT; this would explain the broken camera system access if you were accessing it directly by IP/FQDN. - the ISP came and checked it out and the only thing they said was the that traffic was being shapped I am sure they meant we were doing it