topic Re: Replace a PA-3060 with a PA-5220 keeping configuration the same in General Topics

Replace a PA-3060 with a PA-5220 keeping configuration the same

kardasopoulos1 — Wed, 19 Jul 2017 20:54:56 GMT

We are replacing a 3060 with a 5220 , I do understand that Tech Support dosen't recommend to move configuration file

between two different models.

Are there any items that can be transferred , and not have to recreate all of it ?

Thanks

Re: Replace a PA-3060 with a PA-5220 keeping configuration the same

TranceforLife — Wed, 19 Jul 2017 21:40:47 GMT

Hi,

I believe you still can do it (it never hurts to try 😄 )

Make sure:

1) Both units are on the same PAN-OS release before exporting the existing config from the 3060 device

2) Both units have the same licences

3) If interfaces name/mapping are different you might need to modify .xml file manually, save it and import it into the new 5020 unit.

4) Validate config before commit with "Validate Commit" option.

If there are any errors, export candidate config in .xml file from 5020 unit and modify it again. Repeat the process until you can successfully validate the config then do a "commit"

I have done this before (between other mdels), so it should work for you too

Re: Replace a PA-3060 with a PA-5220 keeping configuration the same

jvalentine — Wed, 19 Jul 2017 21:47:17 GMT

I've done this recently. The two areas you'll likely run into problems: 1.) High Availability configuration. The 5220 uses the HSCI port for HA2/HA3 traffic, where the 3060 used dedicated HA2 interfaces for session-sync, and dataplane interfaces for HA3 traffic.

Also, the 5220 requires one of the dataplane ports to be configured as a "Log Interface" for external log forwarding.

Other than that, most of the other things seemed to transfer over just fine.

I took a slightly different approach, I took a 5220 "empty" configuration as a base configuration, and then cut things out of the older firewall's .xml config file and pasted it into the 5200's config file. It wasn't too much work... Didn't have to touch firewall objects, or policies, etc. Those were exactly the same.

Re: Replace a PA-3060 with a PA-5220 keeping configuration the same

Inamul — Tue, 13 Feb 2018 20:23:31 GMT

Can someone confirm that 5220 requires HSCI port for data link between both firewalls in Active/Passive configuration. I am trying to configure using the HA2 port but I do not even have option other than HSCI.

Re: Replace a PA-3060 with a PA-5220 keeping configuration the same

Remo — Tue, 13 Feb 2018 21:08:29 GMT

If you want to use the management plane for HA2, then yes, you have to use HSCI.

The other possibility is that you use a dataplane port and configure it as Type HA. As soon as you do that you could choose that port in the HA configuration.

Re: Replace a PA-3060 with a PA-5220 keeping configuration the same

BatD — Thu, 28 Jun 2018 08:42:55 GMT

Hi, when you said: " 5220 requires one of the dataplane ports to be configured as a "Log Interface" - is this a requirement or option? I could not find anything in the 5220 documentation. I am planning 5220 and this will be big difference. Can the log forwarding be done over the Management interface?

Re: Replace a PA-3060 with a PA-5220 keeping configuration the same

BPry — Thu, 28 Jun 2018 14:44:44 GMT

@BatD,

Log Forwarding by default is done by the management interface. The PA-5220 can forward logs via a different interface by configuring a Service Route. I believe that that part of the answer isn't correct, you don't need any special 'Log Interface' unless you are using a 7000 series chassis.