Migrating PA-3050 to PA-1420


L1 Bithead

I'm attempting to use Expedition to merge the config from our PA-3050 (PAN-OS 9.1.x) into the config for a PA-1420 (PAN-OS 11.0.x). The problem is that the vsys1 components aren't transferring across.

 

Can anyone guide me through what I need to do to get this merge working in Expedition? Thanks in advance.

 

Base config: PA-1420_base.xml

Config to migrate: drfw_20240711.xml

 

After hitting the Merge button go to the Devices section and view the now updated PA-1420 config: It doesn't show the interfaces, virtual wires or virtual routers:

 

Screenshot 2024-07-11 at 16.12.29.png

Those components are still shown in the config from the PA-3050 that I'm trying to migrate:

 

Screenshot 2024-07-11 at 16.12.43.png

For the record this is a screenshot of the configs after I've imported them but before making any changes:

 

Screenshot 2024-07-11 at 16.10.44.png

And this is a screenshot after I've dragged the components across just prior to hitting the Merge button:

 

Screenshot 2024-07-11 at 16.11.16.png

Accepted Solution

L4 Transporter

Hi @Kevin_Clark 

 

Thanks for reaching out.

 

The Expedition tool is intended to help with migrations from 3rd-party vendors and also to optimise the security posture of a PAN-OS device.

The migration you are describing could be done using PAN-OS features such as export and import from the old to the new device (you may need to update networking information and VPN configuration). Once you have your configuration pushed to your new device, you can download it into Expedition and do some optimisation, like removing duplicates and merging similar policies, among other features Expedition can help with.

That said, if you still want to use Expedition for that, please check the file /tmp/error after doing the merge and share it with me using the email fwmigrate@paloaltonetworks.com

 

Hope this helps,

 

David

L1 Bithead

Thanks, David. 

 

I'm pleased to report that the import of the config from our PA-3050 (PAN-OS 9.1.x) into our new PA-1420 (PAN-OS 11.0.x) was successful. Thank you for this recommendation. 

 

Kevin

 

 

L1 Bithead

@Kevin_Clark 

 

Do you mind sharing the steps that you did?

Did you still use the expedition or config export/import method?

I'm in the same boat trying to migrate from 3020 (9.x) to 1420 (11.x).

 

I greatly appreciate your feedback. 

 

L1 Bithead

@iamxCPx I didn't end up using Expedition to make the config changes because it turned out to be relatively straightforward to edit the XML file, and then validate those changes in the web UI before committing them.

 

1. Exported the config from the 3050

2. Modified the XML in a text editor, e.g. changed the interface references to what they needed to be on the 1420 and set the management interface to the temporary IP address for the 1420

3. Import the XML on the 1420

4. Commit -> Validate to see what errors it spits out, e.g.

  • Validation Error:
  • rulebase -> security -> rules -> Block Known Malicious Dynamic -> destination 'panw-known-ip-list' is not an allowed keyword
  • rulebase -> security -> rules -> Block Known Malicious Dynamic -> destination panw-known-ip-list is an invalid ipv4/v6 address

5. Edit the XML to correct the errors

6. Repeat steps 2-5 until no more validation errors
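The XML editing in steps 2 and 5 above, done as a script rather than by hand so that every reference to a renamed interface changes together, as an added example that is not from this thread or from Palo Alto Networks. The sample config is constructed, and its element layout (deviceconfig/system/ip-address, vsys import, zone and virtual-router members) is an assumption modelled on an export; check the paths against your own file.

```python
import re
import xml.etree.ElementTree as ET

# Constructed, heavily trimmed stand-in for an exported running config;
# the element layout is an assumption modelled on a real export.
SAMPLE_CONFIG = """<config version="9.1.0"><devices><entry name="localhost.localdomain">
 <deviceconfig><system><ip-address>10.0.0.5</ip-address></system></deviceconfig>
 <network><interface><ethernet>
   <entry name="ethernet1/1"><layer3><ip><entry name="192.0.2.1/24"/></ip></layer3></entry>
   <entry name="ethernet1/12"><layer3/></entry></ethernet></interface>
  <virtual-router><entry name="default"><interface>
   <member>ethernet1/1</member><member>ethernet1/12</member></interface></entry></virtual-router>
 </network>
 <vsys><entry name="vsys1">
  <import><network><interface><member>ethernet1/1</member><member>ethernet1/12</member>
   </interface></network></import>
  <zone><entry name="trust"><network><layer3><member>ethernet1/1</member></layer3></network></entry></zone>
 </entry></vsys></entry></devices></config>"""

def _ref_pattern(names):
    # Longest name first plus a lookahead, so ethernet1/1 never matches the
    # prefix of ethernet1/12 but still matches subinterface ethernet1/1.100.
    alts = "|".join(re.escape(n) for n in sorted(names, key=len, reverse=True))
    return re.compile(r"^(" + alts + r")(?=\.|$)")

def rename_interfaces(xml_text, mapping, mgmt_ip=None):
    """Return (rewritten_xml, count of interface names/references changed)."""
    root, pat, changed = ET.fromstring(xml_text), _ref_pattern(mapping), 0
    for el in root.iter():
        # names live in attributes (definitions) and in text (member references)
        for attr in ("name", None):
            old = el.get(attr) if attr else (el.text or "").strip()
            new = pat.sub(lambda m: mapping[m.group(1)], old or "")
            if old and new != old:
                changed += 1
                if attr:
                    el.set(attr, new)
                else:
                    el.text = new
    if mgmt_ip:  # management address lives under deviceconfig/system (assumed path)
        root.find("./devices/entry/deviceconfig/system/ip-address").text = mgmt_ip
    return ET.tostring(root, encoding="unicode"), changed

def remaining_references(xml_text, names):
    """Names from `names` still present anywhere, to re-check before importing."""
    pat = _ref_pattern(names)
    vals = (v for el in ET.fromstring(xml_text).iter()
            for v in (el.get("name") or "", (el.text or "").strip()))
    return sorted({m.group(1) for m in map(pat.match, vals) if m})
```

Run `remaining_references` on the rewritten file after each Commit -> Validate round so an old interface name that survived the edit is caught before the next import.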

Thank you for this.

 

I have more questions if you don't mind.

Did you do this after you set up the licenses and upgraded to the latest software version on the 1420?

I haven't connected the 1420 live to the internet. At the moment, I am only connected to the management port. 

I wonder if the import will fail if it does not have the same licenses on the 1420. 

 

TIA.

 

It looks like he had not yet installed the licenses; that is why he got an error about "'panw-known-ip-list' is not an allowed keyword". No big deal, but with the licenses installed and content updated first, the PA firewall will have its EDLs downloaded and won't give this error.

 

For me, the best practice is to:

1. Connect the mgmt interface on the new firewall, get DNS to work, fetch licenses, obtain content updates.

2. Get PAN-OS to the same level as the prior firewall, or upgrade the prior firewall to catch up. The closer the better, but they don't need to be exact.

3. Export the running config of the old firewall, e.g. save the file on disk as "PA3050-config.xml".

4. On the new firewall, save a named config snapshot "PA1410-original". Import "PA3050-config.xml" to the new firewall. Load the config. Look it over. I have never had to edit the XML file first, but I agree with the last 3 steps above, reposted below.

 

To answer your question, import or load will not fail if licenses don't match, but possibly the validation or commit could fail, which you can tweak before successful commit.

5. Commit -> Validate to see what errors it spits out, e.g.

  • Validation Error:
  • rulebase -> security -> rules -> Block Known Malicious Dynamic -> destination 'panw-known-ip-list' is not an allowed keyword
  • rulebase -> security -> rules -> Block Known Malicious Dynamic -> destination panw-known-ip-list is an invalid ipv4/v6 address

6. Edit the XML to correct the errors

7. Repeat steps 2-5 until no more validation errors
