We got some dreaded news that our colo vendor is not renewing the lease and we are now moving.
We have two 3020 firewalls configured in HA.
I am looking for any general comments that could help in my direction.
Anyone have comments from experience?
Once you break HA there is no more Primary/Secondary so I have modified your steps a bit just to be safe.
Hope that makes sense.
Thank you @OtakarKlier
I am wondering if there are any suggestions for editing the config?
After I do a rule cleanup, could I use find/replace in the config file for public IPs?
Sounds scary, but wondering if most config could be populated that way or other, besides only combing through and changing every rule, etc. manually.
The config is just an XML file, so as long as the formatting is correct, a find/replace should work just fine. I would recommend making a copy or two and just have them, but worst case you have the one in the old colo to refer to.
Obviously once you do the find/replace and boot the device, go through the config to make sure it's correct and test it out the best you can.
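The find/replace discussed above, as an added example that is not part of the original thread: it replaces only whole IPv4 addresses (a plain text replace of `203.0.113.1` also rewrites the front of `203.0.113.10`), lists old-range addresses that were left unmapped, and confirms the result is still well-formed XML. The sample fragment, the address plan and the function name are constructed for illustration and use documentation IP ranges.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed sample shaped like an exported config fragment (not a real config).
SAMPLE = """<config><address>
  <entry name="web"><ip-netmask>203.0.113.1/32</ip-netmask></entry>
  <entry name="mail"><ip-netmask>203.0.113.10</ip-netmask></entry>
  <entry name="vpn"><ip-netmask>203.0.113.77</ip-netmask></entry>
  <entry name="partner"><ip-netmask>198.51.100.7</ip-netmask></entry>
</address></config>"""
# Hypothetical old-colo -> new-colo address plan (documentation ranges).
MAPPING = {"203.0.113.1": "192.0.2.50", "203.0.113.10": "192.0.2.60"}
OLD_NET = "203.0.113.0/24"

# A dotted quad that is not part of a longer run of digits and dots.
IPV4 = re.compile(r"(?<!\d)(?<!\d\.)\d{1,3}(?:\.\d{1,3}){3}(?!\d)(?!\.\d)")

def remap_ips(xml_text, mapping, old_net):
    """Replace whole addresses only; return (new_text, changed, leftover)."""
    old = ipaddress.ip_network(old_net)
    changed, leftover = [], []

    def swap(match):
        token = match.group(0)
        try:
            addr = ipaddress.ip_address(token)
        except ValueError:
            return token  # looks like a quad but is not a valid address
        if token in mapping:
            changed.append((token, mapping[token]))
            return mapping[token]
        if addr in old:
            leftover.append(token)  # old-colo address with no new value yet
        return token

    new_text = IPV4.sub(swap, xml_text)
    ET.fromstring(new_text)  # raises ParseError if the edit broke the XML
    return new_text, changed, leftover

if __name__ == "__main__":
    # Naive replace rewrites the prefix of 203.0.113.10 and yields 192.0.2.500.
    print("192.0.2.500" in SAMPLE.replace("203.0.113.1", "192.0.2.50"))
    text, changed, leftover = remap_ips(SAMPLE, MAPPING, OLD_NET)
    print(changed, leftover)
```

Run it against a copy of the exported file, and treat a non-empty `leftover` list as the set of entries that still need a new-colo address before the config is loaded.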
Thank you @OtakarKlier !!!
Yea, would certainly review and test. Trying to have it in place ahead of time and validate what we can before moving all the servers over. We do all our routing through the PA firewall.
I recently moved my company from an owned DC to a CoLo. I did essentially what you documented except used our "OSS" (On-Site Spare).
The set-up was DC 1 <--> DC 2. I prestaged a third 3020 OSS in the new DC (DC 3). I moved HA to DC 2. Went into the Palo portal and said DC 1's FW was "broken" which transferred the licensing and functionality from DC 1 FW to DC 3's FW.
I then HA peered DC 2 and DC 3's FWs. Once that was squared away I made DC 3's FW active taking over from DC 2.
The whole process took about 45 minutes never creating an outage and we didn't have to go hours running single threaded.
Thank you! @Brandon_Wertz
Nice to have the OSS.
I wonder if I will be able to transfer the Licensing, etc. to our secondary FW when time comes.
We will have downtime since we will be physically moving our servers, etc. I plan to stand up maybe a test web server and cycle through IPs in the new config to get some level of validation before the servers and switches move in.
The licenses should be easy to swap. You could even get your sales team involved, maybe they can give out temp licenses if you need them for a short time.