Migration from 5050 to 5220

Reply
L0 Member

Migration from 5050 to 5220

Dear All,

In our Current setup PA 5050 with Active/standby having a PAN-OS version 8.1, and now we have purchased 5220 (two boxes ) We would like to Migrate configuration to new Devices, what steps i have to follow for proper migration 

need your suggestions 

 

 

L4 Transporter

Re: Migration from 5050 to 5220

Use PANOS itself to load the config.

 

Export the config from one device as XML and import it on the second.

 

When migrating from one PANOS device to one PANOS device, with no more modifications required, the best approach is to use PANOS itself with the load config options.

 

L0 Member

Re: Migration from 5050 to 5220

But how will this work with the interface differences and management/HA interface IPs. For instance, I have a pair live on a management network. If I were to import the snapshot I worry that there would be an IP conflict on the management network. In addition, the prod interfaces are not the same so I wanted to omit those configurations. I manually edited the .xml in Notepad++ to omit the HA and prod interfaces but when I go to import it gives me an error that the configuration is malformed. Thoughts?

L2 Linker

Re: Migration from 5050 to 5220

Directly editing the XML is probably not the first thing you want to try, unless you are comfortable with the structure and nature fo the XML document that is the PAN-OS configuration.  

 

I suggest you load this into the expedition tool.  Use the tool to re-map your interfaces. generate the output, import, then load the file.

 

Remember that when you load the file from the operational dialog you are loading it into the candidate configuration.  Once loaded you will still have access and the ability to change the configuration.  So at this point update the management IP and any other conflicting configuration that you are concerned about.

 

Then run your commit and work through any issues. 

 

Directly editing the XML should be the last gasp attempt, it is easy to invalidate the configuration and get errors when you load the modified configuration. 

 

You can also get errors when you attempt to commit that cannot be seen or resolved through the GUI or CLI.  Those ones are particularly entertaining, as you need to go back in, try to find the issue correct it...  You get the idea, the short story here is to avoid directly editing the XML configuration. 

 

I'm not saying that you can't only that it is not for the faint of heart. 

 

L0 Member

Re: Migration from 5050 to 5220

Hey thanks for the reply. So I worked with Palo and did some tweaking in the .xml and I'm still getting HA errors for configurations that are not present in the snapshot....I'm thinking the best bet is to delete the HA configs altogether in the .xml before importing it and building HA from scratch.

I've got 5050 in Expedition now but I couldn't get anywhere and can't find any sort of guide for hardware upgrades.

Also, can you provide a little detail on how to edit the candidate config in once you load the config/before committing? (At least I think that's what you were describing)

Thanks again

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!