Moving one interface of PA cluster on new fabric


Changes to the LIVEcommunity experience are coming soon... Here's what you need to know.

L0 Member

Moving one interface of PA cluster on new fabric

Hello Guys,


I am in the middle of preparation for moving one interface of PA cluster to new fabric. I would like to ask you for best approach to minimize the impact(no impact would be best). Appreciate any input.

My plan is now as follows:

1, Take configuration snapshot of Both members and import it to my local pc.

2, Uncheck the 'Enable config sync' under the Device>HA>General on both members and commit.

(My question here is, should I also click 'Suspend local device' on passive member? To prevent some unwanted failover. Would the members ne able to sync the session table after switching it on again?)

3, Starting work on Passive member. I already pre-configured Aggregate interface group with some interfaces inside. So I will create subinterface with Vlan, Zone, IPv4 and commit. 

4. I will try ping next hop for the interface/subnet I created.

Now, here starts where I am not sure:

5. Next based on if 'Suspend local device' was used, I will either click 'Make local device functional' or if member was whole time active under cluster, I will switch to active member and initiate the failover. My question is, based on my plan, will the failover succeed? 

6. Move configure the interface on old active, now passive member.


Forgot to add that I will also change the static routes via CLI so they point to new interface:

set network virtual-router default routing-table ip static-route "Route_1" interface ae1.300

And before committing the new interface configuration, I will delete the old interface configuration and old static routes.

After commit I will connect to CLI and paste static routes again with changed interface name/type. Going from ethernet1/10 to ae1.300 interface.




Cyber Elite


Sounds like you are planning correctly. IS this to replace the current HA pair? If the PAN's are different models make sure they are on the same code version and then it makes its super easy with exporting the config and importing into the new pair and then moving the cables.


Also i would suggest this be done in a maintenance window where downtime can be tolerated.


L0 Member

Today, we are in the digital era. Scores of people are getting access to the internet by the minute. Thus, there is a need to uniquely identify each device that is a member of the internet. An IP address is something that helps with the same.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!