Migration from PA-500 to PA-3020

L3 Networker

Migration from PA-500 to PA-3020

Hi,

I need to migrate from 2 PA-500 firewalls in HA to 2 PA-3020 firewalls in HA.

Should I use the Migration Tool, or is there a simpler way?

In case I should use the Migration Tool, where can I find some samples of migration from PA to PA?

Thanks

Regards

L7 Applicator

Re: Migration from PA-500 to PA-3020

Unless you have set a master key or are running in FIPS mode, you can simply export the configuration file off of the PA-500 and import it onto the PA-3020 without the need to make any changes; you can then simply load and commit.

 


Help the community: Like helpful comments and mark solutions
Reaper out
L3 Networker

Re: Migration from PA-500 to PA-3020

Hi,

I don't think so.

I read this document

https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Save-an-Entire-Configuration-for-Imp...

 

here I read

 

"Importing an entire configuration into another Palo Alto Networks device may result of a device failure, replacement, or migration. The device configuration and security policy can be successfully exported and imported between devices as long as the following criteria are met:

  1. Identical hardware model (PA-500 to PA-500, PA-5020 to PA-5020, and so on.)
    • Importing configurations between non-matching hardware versions is not currently supported.
  2. Identical major PAN-OS version (4.1.x to 4.1.x, 5.0.x to 5.0.x and 6.0.x)
    • To import the configuration, upgrade the device to the same PAN-OS version prior to import."

 

L7 Applicator

Re: Migration from PA-500 to PA-3020

The major OS version needs to match, but as long as you're going up in model versions, especially from an 8 port PA-500 to a 12 + 4 port PA-3020, there should not be an issue (since the configuration on the 8 copper ethernet ports will seamlessly be supported on the PA-3020's 12 copper ethernet ports).

If you transport config from a PA-5050 to a PA-500, there could obviously be issues, as the config may contain elements the smaller chassis does not comprehend.

 


L5 Sessionator

Re: Migration from PA-500 to PA-3020

It may result in failure in some cases (non-matching interfaces etc.). But in the majority of cases it will work; just stick to the same PAN-OS version when migrating (upgrade after migration if needed).

And if the PA-3020 is new and not in production, you can't cause any harm anyway. Just import it and see if any errors are reported.

L3 Networker

Re: Migration from PA-500 to PA-3020

Thank you very much.

I'll try

L1 Bithead

Re: Migration from PA-500 to PA-3020

I am planning to work on the same migration (two PA500 and two PA3020 running HA). Did you run into any issue due to not having designated HA ports on the PA500 vs the PA3020? Did you run into any other issue not mentioned here?

L0 Member

Re: Migration from PA-500 to PA-3020

Hi,

no issues at all

All worked perfectly

L3 Networker

Re: Migration from PA-500 to PA-3020

Hi,

no issues at all.

All worked perfectly

L1 Bithead

Re: Migration from PA-500 to PA-3020

Thank you!
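
A pre-import check for the criteria discussed in this thread (matching major PAN-OS version, interfaces that exist on the target, data ports used as HA links), as an added example that is not from any poster or from Palo Alto Networks. The XML layout of the sample, the `<ha/>` marker, and the names `check_export`, `major_version` and `SAMPLE_EXPORT` are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample shaped like an exported PAN-OS config (simplified, not from the thread).
SAMPLE_EXPORT = """\
<config version="6.0.3">
  <devices><entry name="localhost.localdomain"><network><interface><ethernet>
    <entry name="ethernet1/1"><layer3/></entry>
    <entry name="ethernet1/2"><layer3/></entry>
    <entry name="ethernet1/7"><ha/></entry>
    <entry name="ethernet1/8"><ha/></entry>
  </ethernet></interface></network></entry></devices>
</config>
"""

def major_version(version):
    """'6.0.3' -> '6.0', the granularity the quoted article requires to match."""
    return ".".join(version.split(".")[:2])

def check_export(xml_text, target_version, target_ports):
    """Return findings to resolve before loading the export on the target."""
    root = ET.fromstring(xml_text)
    findings = []
    source_version = root.get("version", "")
    if major_version(source_version) != major_version(target_version):
        findings.append(f"PAN-OS mismatch: export {source_version}, target {target_version}")
    # Assumption: physical ports live under network/interface/ethernet.
    for entry in root.findall(".//network/interface/ethernet/entry"):
        name = entry.get("name", "")
        m = re.fullmatch(r"ethernet(\d+)/(\d+)", name)
        if m is None:
            findings.append(f"{name}: unrecognised interface name")
            continue
        slot, port = int(m.group(1)), int(m.group(2))
        if slot != 1 or port > target_ports:
            findings.append(f"{name}: no matching port on target")
        # Assumption: an <ha/> child marks a data port used as an HA link.
        if entry.find("ha") is not None:
            findings.append(f"{name}: HA-type data port, review HA link placement")
    return findings

if __name__ == "__main__":
    # 12 copper ports on the PA-3020, as stated in the thread.
    for finding in check_export(SAMPLE_EXPORT, "6.0.5", 12):
        print(finding)
```

An empty result only means these three checks passed; the load and commit on the target remains the real validation.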
