https://live.paloaltonetworks.com/t5/general-topics/replacing-ha-hardware/m-p/1238002#M125137 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/272386">@ademo-user25</a></P> <P>&nbsp;</P> <P>thank you for reply.</P> <P>&nbsp;</P> <P>To me your approach looks good. If you do not mind setting up new Firewall pair with new management interface IP addresses (The rest of the configuration can be identical with original Firewalls), you could save time during cut over on initial tasks like downloading licenses and forming HA.</P> <P>&nbsp;</P> <P>Also, you might have to clear ARP records in your Layer 3 switches during cut over to new Firewalls. This scenario would come when GARP does not work to update ARP entries with new IP/MAC mapping.</P> <P>&nbsp;</P> <P>Kind Regards</P> <P>Pavel&nbsp;</P> Mon, 15 Sep 2025 22:56:17 GMT PavelK 2025-09-15T22:56:17Z https://live.paloaltonetworks.com/t5/general-topics/replacing-ha-hardware/m-p/1237901#M125115 <P>Hi All,</P> <P>I need to replace 3220 in HA to 1420 in HA.</P> <P>- The 3220 running 11.1.3-h3</P> <P>- I installed 11.1.3-h3 on the new 1420s.</P> <P>- Installed the same version of the apps and threats.</P> <P>- exported the running config from the 3220</P> <P>- imported the config to the 1420 and ran a commit.</P> <P>&nbsp;</P> <P>I read that i cannot run the HA with different platforms. Is there a way to do a 0 downtime or only hard cutover to the new HA?</P> Sat, 13 Sep 2025 19:28:02 GMT https://live.paloaltonetworks.com/t5/general-topics/replacing-ha-hardware/m-p/1237901#M125115 ademo-user25 2025-09-13T19:28:02Z https://live.paloaltonetworks.com/t5/general-topics/replacing-ha-hardware/m-p/1237909#M125118 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/272386">@ademo-user25</a></P> <P>&nbsp;</P> <P>thanks for posting!</P> <P>&nbsp;</P> <P>To form HA both Firewalls must be the same HW models:&nbsp;<A href="https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/high-availability/set-up-activepassive-ha/prerequisites-for-activepassive-ha" target="_self">Prerequisites for Active/Passive HA</A>.</P> <P>&nbsp;</P> <P>I have done Data Center Firewall migration before with minimal downtime. Could you please refer to this thread:&nbsp;<A href="https://live.paloaltonetworks.com/t5/panorama-discussions/palo-alto-5020-migrate-to-5220-from-panorama/td-p/487516" target="_self">PALO ALTO 5020 migrate to 5220 from Panorama?</A></P> <P>You can skip points No.1 and 2. Also, if you can include more details about your environment it would make it easier and more accurate to answer you.&nbsp;</P> <P>&nbsp;</P> <P>Kind Regards</P> <P>Pavel&nbsp;&nbsp;</P> Sun, 14 Sep 2025 07:14:16 GMT https://live.paloaltonetworks.com/t5/general-topics/replacing-ha-hardware/m-p/1237909#M125118 PavelK 2025-09-14T07:14:16Z https://live.paloaltonetworks.com/t5/general-topics/replacing-ha-hardware/m-p/1237913#M125119 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/192693">@PavelK</a>&nbsp;,</P> <P>Thanks for the reply.</P> <P>We have very simple configuration of 2 firewalls in HA. We want to keep the same configuration, IP etc. just with the new hardware.</P> <P>No Panorama.</P> <P>We mounted the new firewalls next to the old firewalls.</P> <P>I've done it on other firewalls but this is the first time i replace palo alto hardware so i am not sure what behavior to expect.</P> <P>my plan is:</P> <P>1. disable preemptive</P> <P>2. move cables from old firewall2 to new firewall2: i am expecting the firewall to be able to see each other but not be a working HA</P> <P>3. allow new firewall2 to download and activate license from license center.</P> <P>3. make new firewall2 active. i am expecting to be able to just click for a failover but will disconnect old firewall1 if not.</P> <P>4. after sanity tests, move cables from old firewall1 to new firewall1.</P> <P>5. allow new firewall1 to download and activate license from license center.</P> <P>6. at this point im expecting to see a healthy ha pair.</P> <P>7. failover to new firewall1</P> <P>8. run sanity tests</P> <P>9. reactivate preemptive.</P> <P>&nbsp;</P> <P>This way i am hoping to have no downtime during the replacement.</P> Sun, 14 Sep 2025 09:47:19 GMT https://live.paloaltonetworks.com/t5/general-topics/replacing-ha-hardware/m-p/1237913#M125119 ademo-user25 2025-09-14T09:47:19Z https://live.paloaltonetworks.com/t5/general-topics/replacing-ha-hardware/m-p/1238002#M125137 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/272386">@ademo-user25</a></P> <P>&nbsp;</P> <P>thank you for reply.</P> <P>&nbsp;</P> <P>To me your approach looks good. If you do not mind setting up new Firewall pair with new management interface IP addresses (The rest of the configuration can be identical with original Firewalls), you could save time during cut over on initial tasks like downloading licenses and forming HA.</P> <P>&nbsp;</P> <P>Also, you might have to clear ARP records in your Layer 3 switches during cut over to new Firewalls. This scenario would come when GARP does not work to update ARP entries with new IP/MAC mapping.</P> <P>&nbsp;</P> <P>Kind Regards</P> <P>Pavel&nbsp;</P> Mon, 15 Sep 2025 22:56:17 GMT https://live.paloaltonetworks.com/t5/general-topics/replacing-ha-hardware/m-p/1238002#M125137 PavelK 2025-09-15T22:56:17Z