topic Re: PA-3020 to PA-460 Migration in General Topics

PA-3020 to PA-460 Migration

sanjay.ramaiah — Tue, 27 Sep 2022 09:54:41 GMT

Hi All,

We are migrating one of our PA-3020 to PA-460 next Monday.

> PA-3020 is managed with the Panorama.

> Panorama is in the version 10.0.11 and the PA-3020 is in the version 8.1.18.

> Could you please help me with what all need to be considered while migrating this firewall to PA-460.

> Panorama is hosted on a VM.

> Can i just export the named configuration and current version of PA-3020 and import it to the PA-460 directly?

> Also the export includes the management details as well? If yes, just adding the new SN on the Panorama will be enough to get the connectivity to PA-460 and Panorama?

> If the version of PA-460 is 10.x.x and we exporting the configuration from PA-3020 version 8.1.18 will that be a problem?

> Also please share me the best practices during the migration so that it will be helpful for my future migrations.

Regards,

Sanjay S

Re: PA-3020 to PA-460 Migration

PavelK — Tue, 27 Sep 2022 13:20:11 GMT

Hello @sanjay.ramaiah

thank you for the post!

Exporting configuration from PA-3020 and importing it to PA-460 will most likely result error. The difference in interfaces and hardware + different PAN-OS versions will prevent import and commit. Although there are ways to go around it, I believe it would be easier to bring PA-460 online with basic configuration to register it in Panorama, then push the configuration from Panorama. In this way, you can re-use existing configuration in Device Group / Template Stack. For Template, you will have to make modifications to accommodate differences in target device model like interfaces / HA setting,...

In order to assist further, could you please confirm whether PA-3020 is fully managed by Panorama or there is some configuration managed locally?

Kind Regards

Pavel

Re: PA-3020 to PA-460 Migration

sanjay.ramaiah — Tue, 27 Sep 2022 13:42:27 GMT

Hi Pavel,

Some of the configuration is managed locally.

Regards,

Sanjay S

Re: PA-3020 to PA-460 Migration

sanjay.ramaiah — Wed, 28 Sep 2022 07:28:20 GMT

Please help on this asap i need to provide complete change plan by End of today. Could you please help the steps on how to migrate the device which is managed by Panorama. From Panorama templates are being pushed and most of the configuration of the device is managed locally.

This is the first time planning the migration so please suggest the best way and best practices to follow please.

Re: PA-3020 to PA-460 Migration

PavelK — Wed, 28 Sep 2022 08:47:31 GMT

Thank you for reply @sanjay.ramaiah

below answer is the best I can come up with considering limited knowledge of your environment.

For the migration of the local device configuration, probably the easiest way are below steps:

1.)

Perform initial configuration of PA-460. Below links might be useful:

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/getting-started/integrate-the-firewall-into-your-management-network/perform-initial-configuration

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClN7CAK

By following config from above links, you will be able to SSH/GUI to new Firewall. From here you can move to actual configuration migration.

2.)

SSH to PA-3020 and issue below commands. Ideally set logging session to text file.

> set cli config-output-format set
> set cli pager off
> configure
# show

then SSH to PA-460 and issue:

> set cli scripting-mode on

> configure

then paste the configuration you got from PA-3020. You can paste commands in bulk, but watch out for any errors. Ideally instead of blindly copy & paste all configuration, paste only what is relevant and want to move across to PA-460.

Since you will be going from PAN-OS 8.1 to 10.X there are some syntax differences that might require you to configure some of the part of the configuration from scratch. Personally, I would take an opportunity to move as much configuration as possible to Panorama and push it from there. By having configuration In Template / Device Group, you can in the future easily re-use / standardize configuration. I feel this is a better way to do it.

Regarding Panorama part, please check below steps.

1.)

Before you can onboard PA-460 to Panorama, you will have to make sure that Panorama runs the higher or the same PAN-OS version as managed Firewall. In your case, you are running PAN-OS 10.0.11 which is already end of life. PA-460 will be shipped either with 10.1.X or with 10.2.X, so Panorama upgrade is necessary.

2.)

After you complete Panorama upgrade, you can register Firewall in Panorama. You can follow this link: https://docs.paloaltonetworks.com/panorama/10-1/panorama-admin/manage-firewalls/add-a-firewall-as-a-managed-device

3.)

Personally, I would clone current Template/Template Stack of existing PA-3020 and made necessary modifications. Since PA-460 seems to have the same function, I would place it to the same Device Group. After these settings are in place, I would push this to PA-460. If there is no error, I would plan for cut over.

4.)

Personally, on the day of cut over, I would announce maintenance window and move cable across from PA-3020 to PA-460. You did not mention whether you have HA pairs, if yes, I would plan cut over differently with less downtime. Since device is already per-configured either locally or from Panorama, the migration day should be only about cabling and troubleshooting.

It is likely that during preparation for this migration you will come across all sorts of issues or errors. You can share it here, if I know the solution I will follow up with it.

Kind Regards

Pavel

Re: PA-3020 to PA-460 Migration

Kuldeep_Bishnoi — Tue, 06 Dec 2022 21:46:10 GMT

Hi, That's great information.

May I know what if I don't have Panoroma in my environment and would like to migrate the config over to PA460.

My current box PA3020 running with 9.1.7 and new box PA460 will be in 10.1.6 and whats the easiest way to do migration. Thanks.

Re: PA-3020 to PA-460 Migration

TomYoung — Tue, 06 Dec 2022 23:35:55 GMT

Hi @Kuldeep_Bishnoi ,

I will answer your question, but it is best to start a new discussion when slightly changing the topic. This question comes up a lot on this community. I can think of 5 ways to do it:

Panorama if you have it. Add the new NGFW to the same template and device group as your old NGFW. As @PavelK said, Panorama must be greater or equal PAN-OS.
Expedition if you are familiar with it. The PANW migration tool: https://live.paloaltonetworks.com/t5/expedition/ct-p/migration_tool saves a lot of time with migrations.
Find a spare PA NGFW that supports both 9.1 and 10.1 and use it. In most cases any PA NGFW will do. In rare cases, a few features will be missing if you use a lower end model. You could even borrow a standby unit.
Use the CLI as @PavelK suggested.
Import the old PAN-OS XML file and be prepared to work through a TON of commit errors. Some sections can be fixed on the CLI. Others will need to be deleted and recreated.

Thanks,

Tom

Re: PA-3020 to PA-460 Migration

Sanjay_Ramaiah — Tue, 20 Jun 2023 07:32:26 GMT

Thank you @PavelK this helped me in the migration and migrated all the locations successfully.

Not sure why i am not able to accept this as a solution.

Re: PA-3020 to PA-460 Migration

aleksandar.astardzhiev — Tue, 20 Jun 2023 08:46:16 GMT

Hey @Sanjay_Ramaiah ,

It looks you have used different account when you first posted your question. I have accepted @PavelK answer as solution on your behalf.