MT3.3 with PA-5220 and PANOS 8

L1 Bithead

MT3.3 with PA-5220 and PANOS 8

Hello everyone.

I'm trying to confirm if I could use MT3.3 to migrate firewalls into a PA-5220, PAN-OS 8.0.7. I understand that I will need a device with those characteristics, but MT3.3 only has the 5000 and 7000 series. Is the 5220 included in the 5000 series, or does it have to be the 5200 series as expected?

L2 Linker

Re: MT3.3 with PA-5220 and PANOS 8

The tool will struggle with it. If you want to move forward fast and cannot wait, convert it to a PANOS 7 VM. From there, upgrade it to v8 and export your config, saving your security & NAT policies, objects, zones & router config in the XML. Do the rest manually or figure out the syntax differences. I fear that's about the best thing you can do if you need to migrate over to the PANOS 8 platforms at the moment.

L1 Bithead

Re: MT3.3 with PA-5220 and PANOS 8

I just converted a CheckPoint config using MT3.3.15 to a PA-5220 on PAN-OS 8.0.7 without any issues. However, I imported partial configs using load partial from the migration tool XML output and used the PAN 8.0 base config from the PA-5220. I brought security policies, NATs and all the address and service objects to Panorama and sent them to the PA-5220 on PAN-OS version 8.0 without any issues.

The interfaces, zones, routes were created manually on the devices.

 

L1 Bithead

Re: MT3.3 with PA-5220 and PANOS 8

Hello there. I got lost in this part: "I imported partial configs using load partial from migration tool xml output (...)". Could you explain it in a little more detail?

Thanks in advance

L1 Bithead

Re: MT3.3 with PA-5220 and PANOS 8

So, after you generate the XML format of the config in the migration tool, which can be using the PAN-OS 8.0 baseline config for the PA-5220 factory config, import that file to Panorama if you're bringing your configs to Panorama.

 

Look at the cheat sheet for partial load of configs below and follow the commands depending on where the source is. In my case, as the config was based on PAN-OS, I take the from-path as the Palo device hierarchy and in the to-path use the Panorama device hierarchy. To get the right device hierarchy for your Panorama device, use the https://<panorama ip>/api link. The order of import should be addresses, then address-groups, then services and service-groups, then applications, then the security rules, then NATs, and in case you are bringing any routes, then those. Commit.

 

Commit after each partial load and you will have the configs in the Panorama device group. All other stuff I do manually on the device, like the zones and interfaces, and the zone names should exactly match what you have in the security policy and NAT policy configs.

 

Then push configs to devices from Panorama.

 

Hope this helps. There is a lot of documentation on load partial configs and that works great!

 

PAN Commands

Replace instances of "test2.xml" with the filename of the uploaded configuration from the Migration Tool

Configuration    Commands
------------    --------
Tag        load config partial from test2.xml from-xpath /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/tag to-xpath /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/tag mode merge    x
Network        load config partial from test2.xml from-xpath /config/devices/entry[@name='localhost.localdomain']/network/interface to-xpath /config/devices/entry[@name='localhost.localdomain']/network/interface mode merge    
Routes        load config partial from test2.xml from-xpath /config/devices/entry[@name='localhost.localdomain']/network/virtual-router to-xpath /config/devices/entry[@name='localhost.localdomain']/network/virtual-router mode merge    
Zone        load config partial from test2.xml from-xpath /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/zone to-xpath /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/zone mode merge    
Address        load config partial from test2.xml from-xpath /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/address to-xpath /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/address mode merge    
Address Group    load config partial from test2.xml from-xpath /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/address-group to-xpath /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/address-group mode merge    x
Services    load config partial from test2.xml from-xpath /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/service to-xpath /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/service mode merge    x
Service Group    load config partial from test2.xml from-xpath /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/service-group to-xpath /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/service-group mode merge    x
Security Rules    load config partial from test2.xml from-xpath /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/security to-xpath /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/security mode merge    x
NAT Rules    load config partial from test2.xml from-xpath /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/nat to-xpath /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/nat mode merge    x
                
                
Panorama Commands

Replace instances of "DG5" with the device group you wish to import into
Replace instances of "TMP2" with the device template you wish to import to
Replace instances of "test2.xml" with the filename of the uploaded configuration from the migration tool

Configuration    Commands
-------------    --------
Tag        load config partial from test2.xml from-xpath /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/tag to-xpath /config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='DG5']/tag mode merge    x
Network        load config partial from test2.xml from-xpath /config/devices/entry[@name='localhost.localdomain']/network/interface to-xpath /config/devices/entry[@name='localhost.localdomain']/template/entry[@name='TMP2']/config/devices/entry[@name='localhost.localdomain']/network/interface mode merge    x
Routes        load config partial from test2.xml from-xpath /config/devices/entry[@name='localhost.localdomain']/network/virtual-router to-xpath /config/devices/entry[@name='localhost.localdomain']/template/entry[@name='TMP2']/config/devices/entry[@name='localhost.localdomain']/network/virtual-router mode merge    x
Zone        load config partial from test2.xml from-xpath /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/zone to-xpath /config/devices/entry[@name='localhost.localdomain']/template/entry[@name='TMP2']/config/devices/entry[@name='localhost.localdomain']/zone mode merge    x
Address        load config partial from test2.xml from-xpath /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/address to-xpath /config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='DG5']/address mode merge    x
Address Group    load config partial from test2.xml from-xpath /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/address-group to-xpath /config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='DG5']/address-group mode merge    x
Services    load config partial from test2.xml from-xpath /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/service to-xpath /config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='DG5']/service mode merge    
Service Group    load config partial from test2.xml from-xpath /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/service-group to-xpath /config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='DG5']/service-group mode merge    
Security Rules    load config partial from test2.xml from-xpath /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/security to-xpath /config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='DG5']/post-rulebase/security mode merge    
NAT Rules    load config partial from test2.xml from-xpath /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/nat to-xpath /config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='DG5']/post-rulebase/nat mode merge    
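
The import order and the zone-name matching described in the post above, as an added pre-flight sketch that is not part of the original thread or of any Palo Alto Networks tool. It assumes the export uses the `localhost.localdomain`/`vsys1` hierarchy shown in the cheat sheet; the sample XML, the function names and the zone set are constructed for illustration, and applications and routes are left out.

```python
import xml.etree.ElementTree as ET

DEV = "/config/devices/entry[@name='localhost.localdomain']"
SRC = DEV + "/vsys/entry[@name='vsys1']"
# Import order given in the post; applications and routes are left out here.
# (path under the source vsys, path under the Panorama device group)
ORDER = [("address", "address"), ("address-group", "address-group"),
         ("service", "service"), ("service-group", "service-group"),
         ("rulebase/security", "post-rulebase/security"),
         ("rulebase/nat", "post-rulebase/nat")]

# Constructed sample standing in for the Migration Tool XML output.
SAMPLE = """<config><devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
<address><entry name="web01"><ip-netmask>192.0.2.10/32</ip-netmask></entry></address>
<service><entry name="tcp-8443"><protocol><tcp><port>8443</port></tcp></protocol></entry></service>
<rulebase>
<security><rules><entry name="allow-web"><from><member>Untrust</member></from>
<to><member>DMZ</member></to></entry></rules></security>
<nat><rules><entry name="dnat-web"><from><member>Untrust</member></from>
<to><member>Untrust</member></to></entry></rules></nat>
</rulebase></entry></vsys></entry></devices></config>"""

def _vsys(xml_text):
    root = ET.fromstring(xml_text)
    return root.find("devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']")

def plan_commands(xml_text, filename, device_group):
    """Ordered 'load config partial' commands, only for sections that hold entries."""
    vsys, cmds = _vsys(xml_text), []
    for src, dst in ORDER:
        node = vsys.find(src)
        if node is not None and len(node):
            cmds.append(f"load config partial from {filename} from-xpath {SRC}/{src} "
                        f"to-xpath {DEV}/device-group/entry[@name='{device_group}']/{dst} mode merge")
    return cmds

def referenced_zones(xml_text):
    """Zone names used in from/to of security and NAT rules ('any' excluded)."""
    vsys = _vsys(xml_text)
    paths = [f"rulebase/{rb}/rules/entry/{d}/member" for rb in ("security", "nat") for d in ("from", "to")]
    return {m.text for p in paths for m in vsys.findall(p)} - {"any"}

def missing_zones(xml_text, zones_on_device):
    """Zones the rules need that were not created by hand; matching is exact and case-sensitive."""
    return referenced_zones(xml_text) - set(zones_on_device)

if __name__ == "__main__":
    print("\n".join(plan_commands(SAMPLE, "test2.xml", "DG5")))
    print("missing zones:", missing_zones(SAMPLE, {"untrust", "DMZ"}))
```

A zone reported as missing means a security or NAT rule will reference a name the firewall does not have, so the check is worth running before the first partial load rather than after the push from Panorama.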
                

 
