Restoring Configuration Between Platforms?


L1 Bithead

Is it possible to restore a backup configuration from say a PA5000 series to a PA3000 series?  I know there are obviously interface differences between the platforms, and I couldn't find any recent documentation explaining if this is possible.

 

Thank you.

9 REPLIES

L7 Applicator

Yes, it is possible to move configurations between different models of firewalls.  There are some cases where there will be differences in the configs that must be modified first, such as Interface #s, HA ports, etc.

 

There will be some other considerations when taking a config from one platform to a smaller one.  The higher-end devices support more objects, zones, policies, routes, tunnels, etc.  As long as you're not exceeding the capacity of the smaller device, you should be good.

 

If you run into any problems, you can edit the .xml config from the larger device, resolve the issue, save the new config, and then import into smaller one.  

 

Good luck!

In that case, do we need to manually edit the XML file to remove things such as interfaces that don't exist?  Are there other areas that would need to be edited as well? 

 

I don't anticipate any issues with the number of objects, zones, policies, etc.

You'll import the config and then commit.  If the commit fails, you'll get an error message pointing out what is wrong with the config.  At that point you can edit the XML, re-import/commit and go from there.  

L2 Linker

I think you can do this a bit more easily with the migration tool as well - I haven't tried it myself, but it's worth a shot.

 

- sometimes working w/ the XML can be a bit much. And in some cases you can corrupt the XML file. (FYI)

 

The migration tool can be found here, it's a great tool:

https://live.paloaltonetworks.com/t5/Migration-Tool-Articles/Download-the-Migration-Tool/ta-p/56582

L7 Applicator

I have done this type of migration by editing the XML as we had different models in the Lab and production in that environment.

 

The difference between the platforms will be the interface name assignments.  The technique is to create a mapping document for yourself that shows the config's current interface name and the destination device interface name.

 

You then use a basic text-only editor (nothing that does any RTF formatting at all) and do a global search and replace for the interface names.

 

You then import the modified config into the new device.

 

This gets trickier when you are doing partial loads as you then also need to be sure you don't have other overlapping names or objects to contend with.  And in this case you upload the config and use the load partial commands on the cli to pull in the sections you want only.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
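
The mapping-and-replace step described in the post above, as an added example that is not part of the original thread or any Palo Alto Networks tool. It shows why a naive global replace is risky (`ethernet1/1` also occurs inside `ethernet1/10`), applies the whole mapping in one pass, reports interfaces that have no mapping, and checks that the edited file is still well-formed XML. The function name, the mapping and the simplified config fragment are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Matches a whole physical interface name; the greedy digits stop
# "ethernet1/1" from matching inside "ethernet1/10".
IFACE = re.compile(r"ethernet\d+/\d+")

def remap_interfaces(xml_text, mapping):
    """Return (new_xml, unmapped): rewritten config and names with no mapping."""
    unmapped = set()

    def swap(match):
        name = match.group(0)
        if name not in mapping:
            unmapped.add(name)  # left untouched so it can be reviewed by hand
            return name
        return mapping[name]

    # One pass over the text, so a mapping that swaps two names
    # (1/1 -> 1/3 and 1/3 -> 1/1) is not applied twice to the same spot.
    new_xml = IFACE.sub(swap, xml_text)
    ET.fromstring(new_xml)  # raises ParseError if the file is no longer well-formed
    return new_xml, sorted(unmapped)

# Constructed, simplified fragment (not a complete PAN-OS config).
SAMPLE = """<config>
  <interface><ethernet>
    <entry name="ethernet1/1"><layer3><units>
      <entry name="ethernet1/1.100"/></units></layer3></entry>
    <entry name="ethernet1/3"/>
    <entry name="ethernet1/10"/>
    <entry name="ethernet1/21"/>
  </ethernet></interface>
  <zone><entry name="untrust"><network><layer3>
    <member>ethernet1/1.100</member><member>ethernet1/10</member>
  </layer3></network></entry></zone>
</config>"""

# Constructed mapping: source interface -> destination interface.
MAPPING = {"ethernet1/1": "ethernet1/3", "ethernet1/3": "ethernet1/1",
           "ethernet1/10": "ethernet1/4"}

if __name__ == "__main__":
    new_xml, unmapped = remap_interfaces(SAMPLE, MAPPING)
    print(new_xml)
    print("no mapping for:", unmapped)
```

Anything listed as unmapped still points at an interface from the source platform and needs a decision before the import and commit.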

Is the migration tool still available and able to migrate to a PA-460? The link above goes to an access denied page.

Cyber Elite

Hello,

Yes it is, just changed names. It's now called Expedition. I haven't used it nor a 440, however PAN is good at keeping new technologies in the mix.

https://live.paloaltonetworks.com/t5/expedition/ct-p/migration_tool

 

Cheers!

I think the issue is that the PA-400s can only run on 10.1 or newer code and the other PA is running 9.0 code. If that is not an issue I might try this for sure. 

Cyber Elite

Hello,

Should be an issue. It's just any new features in the newer OS won't be enabled or configured correctly. It's more of an issue if going backwards.

Regards,
