Restoring Configuration Between Platforms?

Reply
L1 Bithead

Restoring Configuration Between Platforms?

Is it possible to restore a backup configuration from say a PA5000 series to a PA3000 series?  I know there are obviously interface differences between the platforms, and I couldn't find any recent documentation explaining if this is possible.

 

Thank you.

L7 Applicator

Re: Restoring Configuration Between Platforms?

Yes, it is possible to move configurations between different models of firewalls.  There are some cases, where there will be differences in the configs that must be modified first, such as Interface #s, HA ports, etc,.

 

There will be some other considerations when taking a config from one platform to a smaller one.  The higher-end devices support more objects, zones, policies, routes, tunnels, etc.  As long as you're not exceeding the capacity of the smaller device, you should be good.

 

If you run into any problems, you can edit the .xml config from the larger device, resolve the issue, save the new config, and then import into smaller one.  

 

Good luck!

Highlighted
L1 Bithead

Re: Restoring Configuration Between Platforms?

In that case, do we need to manually edit the XML file to remove things such as interfaces that don't exist?  Are there other areas that would need to be edited as well? 

 

I don't anticipate an issues with the number of objects, zones, policies, etc.

L7 Applicator

Re: Restoring Configuration Between Platforms?

You'll import the config and then commit.  If the commit fails, you'll get an error message pointing out what is wrong with the config.  At that point you can edit the XML, re-import/commit and go from there.  

L2 Linker

Re: Restoring Configuration Between Platforms?

I think you can do this a bit more easily with the migration tool as well - I haven't tried it myself, but its worth a shot.

 

- sometimes working w/ the XML can be a bit much. And in some cases you can corrupt the XML file. (FYI)

 

The migration tool can be found here, its a great tool:

https://live.paloaltonetworks.com/t5/Migration-Tool-Articles/Download-the-Migration-Tool/ta-p/56582

L7 Applicator

Re: Restoring Configuration Between Platforms?

I have done this type of migration by editing the XML as we had different models in the Lab and production in that environment.

 

The difference between the platforms will be the interface name assignments.  The technique is the create a mapping document for yourself that shows the config current interface name and the destination device interface name.

 

You then use a basic text only editor (nothing that does any RTF formating at all) and do a global search and replace for the interface names.

 

You then import the modified config into the new device.

 

This gets tricker when you are doing partial loads as you then also need to be sure you don't have other overlapping names or objects to contend with.  And in this case you upload the config and use the load partial commands on the cli to pull in the sections you want only.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!