Is it possible to restore a backup configuration from say a PA5000 series to a PA3000 series? I know there are obviously interface differences between the platforms, and I couldn't find any recent documentation explaining if this is possible.
Yes, it is possible to move configurations between different models of firewalls. There are some cases where there will be differences in the configs that must be modified first, such as Interface #s, HA ports, etc.
There will be some other considerations when taking a config from one platform to a smaller one. The higher-end devices support more objects, zones, policies, routes, tunnels, etc. As long as you're not exceeding the capacity of the smaller device, you should be good.
If you run into any problems, you can edit the .xml config from the larger device, resolve the issue, save the new config, and then import into the smaller one.
In that case, do we need to manually edit the XML file to remove things such as interfaces that don't exist? Are there other areas that would need to be edited as well?
I don't anticipate any issues with the number of objects, zones, policies, etc.
You'll import the config and then commit. If the commit fails, you'll get an error message pointing out what is wrong with the config. At that point you can edit the XML, re-import/commit and go from there.
I think you can do this a bit more easily with the migration tool as well - I haven't tried it myself, but it's worth a shot.
- sometimes working w/ the XML can be a bit much. And in some cases you can corrupt the XML file. (FYI)
The migration tool can be found here, it's a great tool:
I have done this type of migration by editing the XML as we had different models in the Lab and production in that environment.
The difference between the platforms will be the interface name assignments. The technique is to create a mapping document for yourself that shows the config current interface name and the destination device interface name.
You then use a basic text only editor (nothing that does any RTF formatting at all) and do a global search and replace for the interface names.
You then import the modified config into the new device.
This gets trickier when you are doing partial loads as you then also need to be sure you don't have other overlapping names or objects to contend with. And in this case you upload the config and use the load partial commands on the CLI to pull in the sections you want only.
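The mapping-document and search-and-replace step from the last reply, as an added example that is not part of the original thread: it renames every interface in a single pass, so `ethernet1/1` is never rewritten inside `ethernet1/10`, and it lists interfaces with no mapping. The `ethernetN/M` pattern, the function name, the sample XML and the mapping are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Matches a whole interface token: "ethernet1/1" will not match inside
# "ethernet1/10", and "ethernet1/3.100" keeps its ".100" subinterface suffix.
IFACE = re.compile(r"\bethernet\d+/\d+\b")

def remap_interfaces(xml_text, mapping):
    """Return (new_xml, counts, unmapped) after one-pass interface renaming."""
    dests = list(mapping.values())
    if len(set(dests)) != len(dests):
        raise ValueError("two source interfaces map to the same destination")
    counts, unmapped = {}, set()

    def swap(match):
        name = match.group(0)
        if name not in mapping:
            unmapped.add(name)      # left unchanged; resolve by hand before import
            return name
        counts[name] = counts.get(name, 0) + 1
        return mapping[name]

    # Single pass: renamed text is never rescanned, so chained entries
    # (1/3 -> 1/1 and 1/1 -> 1/2) cannot cascade into each other.
    new_xml = IFACE.sub(swap, xml_text)
    ET.fromstring(new_xml)          # raises ParseError if the edit broke the XML
    return new_xml, counts, sorted(unmapped)

# Constructed, simplified sample; not a complete firewall configuration.
SAMPLE = """<config>
  <interface>
    <entry name="ethernet1/1"/>
    <entry name="ethernet1/3"/>
    <entry name="ethernet1/3.100"/>
    <entry name="ethernet1/10"/>
    <entry name="ethernet1/21"/>
  </interface>
  <zone>
    <entry name="trust"><member>ethernet1/1</member></entry>
    <entry name="dmz"><member>ethernet1/10</member></entry>
  </zone>
</config>"""

# Hypothetical mapping document: source interface -> destination interface.
MAPPING = {"ethernet1/1": "ethernet1/2", "ethernet1/3": "ethernet1/1",
           "ethernet1/10": "ethernet1/4"}

if __name__ == "__main__":
    new_xml, counts, unmapped = remap_interfaces(SAMPLE, MAPPING)
    print(new_xml, counts, "no mapping, fix by hand:", unmapped, sep="\n")
```

A naive editor replace of `ethernet1/1` with `ethernet1/2` would turn `ethernet1/10` into `ethernet1/20`; the unmapped list shows which names still need a decision before the import and commit.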