Migrating from PA-200 to 220 with HA

Reply
Highlighted
L0 Member

Migrating from PA-200 to 220 with HA

Hi all,

 

I am trying to migrate one of our customers from a PA-200 to a PA-220 AND add create an HA cluster with active/passive configuration with two PA-220's

 

I was wondering, what approach would you take in regard to achieving the above outcome?

 

1. Would you first configure the PA-220 in an HA configuration then migrate the configuration to the primary/active firewall in the HA cluster and perform a synchronization?

OR

2. Would you first migrate the configuration from the 200 to 220, confirm the configuration is restored correctly and then setup the HA Cluster?

 

Any help would be appreciated. Even if you could point me to some resources I could use, that would be very helpful. I've gone through a few guides and videos on how to configure HA Cluster but trying to figure out the best and the safest approach to achieve this.

 

Regards,

 

L7 Applicator

Re: Migrating from PA-200 to 220 with HA

  1. Basic setup for the first PA-220 (MGMT Interface, Licenses, Dynamic Updates)
  2. Export the config from the PA-200 and import it to the PA-220. Before you commit make sure that you change the mgmt IP to the one set in step 1 (so that you don't have two devices with the same ip)
  3. Set up HA on the first PA-220
  4. Set up HA on the second PA-220
  5. Do a configuration sync from the first to the second PA-220
  6. ... and you should be good to go to replace the PA-200 with the PA-220 cluster

(this assumes that you will use the same dataplane interfaces on the pa-220 as on the pa-200)

L7 Applicator

Re: Migrating from PA-200 to 220 with HA

@MihirL,

Exactly as @vsys_remo mentioned. Since your not going to a different series where your interfaces change I'm assuming that everything will stay exactly the same on the 220 as it was configured on the 200. 

Just to make the import easier and lessen any issues, get both devices on the same PAN-OS version prior to doing the configuration export/import process. So essentially upgrade the PA-200 to whatever version you're going to start out with on the PA-220, and then do the import/export.

 

The only caviat to this process is if you've changed the master key on your old unit (and you should have), the phash values and other encrypted elements of the configuration aren't going to match anymore. To fix this the PA-220 will need to have the same master key or you'll want to ensure that you create a new user before committing the imported configuration so that you have a superuser account you can actually login to and get the imported users to change there passwords. 

L0 Member

Re: Migrating from PA-200 to 220 with HA

@vsys_remo Thank you. I will follow this process.

@BPry Thank you for pointing this out. Will make sure that we have a superuser account configured on the 220 to have full access to the devices.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!