Lately a few customers are planning an upgrade from 3000 to the new 3200 and 5200. Often they run 7.1.x and the new platforms only support 8.1.x. Normally these are high sensitive environments and the request is to shift the existing configuration with as little change as possible to reduce impact and upgrading the old firewalls before the upgrade is not an option.
My first thought was using the Migration Tool. However looks like the tools has not been updated much lately, I guess because the effort is on Expedition and I am worried about incompatibilities between the Migration Tool and PanOS 8.1 and the 3200 and 5200 platforms.
Another other option would be taking the old config file and loading it full or partial, but there could be some incompatibilities between PanOS 7.1 and 8.1.
Can you please share any experience and ideas on doing the migrations?
Solved! Go to Solution.
Then you probably have to migrate this config manually and hope for the best :P
I have done something like that only with panorama so I have no real experience with your situation.
Things like the policy and opjects aren't that different in the config-xml, the same with network configuration. In the deviceconfig (and also in the other parts) there are new things to configure but in general it will also work without having them configured. As it will be a try&error process anyway with a migration from 7.1 to 8.1, the easyiest way is to export and import the config and check for errors when you try to commit.
Thanks for that. I was hoping if someone can help with better advise than "hope for the best". The load config and clearing erros method would work on small config, but can be difficult in large deployements and it is not very reassuring for a large customer.
Here are some other methods (until someone writes in the community who already solved your problem):
All in all the try&error methof probably isn't that bad. Of course this needs some time, but as the new hardware should already be there ... and after the first one, you probably know what to check and the remaining ones will be easier...
How confortable are you working on the actual XML configuration file, because to the best of my knowledge this is going to be a manual conversion if you can't get them to upgrade there box. The manual process is relatively seemless if you understand how the XML config is actually put together and have a rough understanding of how it gets parsed.
I would recommend doing as much of the migration manually and doing as much verification as possible. Then when it comes to actually migrating traffic over to the new box scheduling a larger maintenance window. If the firewall is in an HA pair, then you can easily do this without risking too much, as you always have the option of simply failing back to the old firewall if needed until you can fine-tune the configuration.
Really though the manual process and a good review period should prevent any issues for something like this.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!