07-11-2024 08:34 AM
I'm attempting to use Expedition to merge the config from our PA-3050 (PAN-OS 9.1.x) into the config for a PA-1420 (PAN-OS 11.0.x). The problem is that the vsys1 components aren't transferring across.
Can anyone guide me through what I need to do to get this merge working in Expedition? Thanks in advance.
Base config: PA-1420_base.xml
Config to migrate: drfw_20240711.xml
After hitting the Merge button go to the Devices section and view the now updated PA-1420 config: It doesn't show the interfaces, virtual wires or virtual routers:
Those components are still shown in the config from the PA-3050 that I'm trying to migrate:
For the record this is a screenshot of the configs after I've imported them but before making any changes:
And this is a screenshot after I've dragged the components across just prior to hitting the Merge button:
07-12-2024 01:22 AM
Hi @Kevin_Clark
Thanks for reaching out.
The Expedition tool is intended to help with migrations from 3rd party vendors and also to optimise the security posture on a PANOS device.
The migration you are describing could be done using PANOS features such as export and import from old to new devices (you may need to update networking information and VPN configuration). Once you have your configuration pushed to your new device, you can download it to Expedition and do some optimisation like removing duplicates and merging similar policies, among other features Expedition can help with.
That said, if you still want to use Expedition for that, please check the file /tmp/error after doing the merge and share it with me using the email fwmigrate@paloaltonetworks.com
Hope this helps,
David
07-12-2024 07:51 AM
Thanks, David.
I'm pleased to report that the import of the config from our PA-3050 (PAN-OS 9.1.x) into our new PA-1420 (PAN-OS 11.0.x) was successful. Thank you for this recommendation.
Kevin
11-21-2024 01:03 PM
Do you mind sharing the steps that you did?
Did you still use the expedition or config export/import method?
I'm in the same boat trying to migrate from 3020 (9.x) to 1420 (11.x).
I greatly appreciate your feedback.
11-22-2024 12:47 AM
@iamxCPx I didn't end up using Expedition to make the config changes because it turned out to be relatively straightforward to edit the XML file, and then validate those changes in the web UI before committing them.
1. Exported the config from the 3050
2. Modifications to the XML in a text editor, e.g. changed the interface references to what they needed to be on the 1420, set the management interface to the temporary IP address for the 1420
3. Import the XML on the 1420
4. Commit -> Validate to see what errors it spits out, e.g.
5. Edit the XML to correct the errors
6. Repeat steps 2-5 until no more validation errors
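An added example, not part of the post above and not Palo Alto Networks code: one way to script the interface renaming from step 2 instead of editing by hand, with a report of references that would still point at old ports. The sample XML is constructed, its element layout is an assumption about how an exported config is shaped, and the port mapping is hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample, not a real export; the element layout is an assumption.
SAMPLE = """<config><devices><entry name="localhost.localdomain">
 <network><interface><ethernet>
   <entry name="ethernet1/1"><layer3/></entry>
   <entry name="ethernet1/2"><layer3><units>
    <entry name="ethernet1/2.100"><tag>100</tag></entry></units></layer3></entry>
   <entry name="ethernet1/9"><virtual-wire/></entry>
  </ethernet></interface>
  <virtual-router><entry name="default"><interface>
   <member>ethernet1/1</member><member>ethernet1/2.100</member>
  </interface></entry></virtual-router>
 </network>
 <vsys><entry name="vsys1">
  <import><network><interface><member>ethernet1/1</member>
   <member>ethernet1/2.100</member><member>ethernet1/9</member>
  </interface></network></import>
  <zone><entry name="untrust"><network><layer3>
   <member>ethernet1/1</member></layer3></network></entry></zone>
 </entry></vsys></entry></devices></config>"""
MAPPING = {"ethernet1/1": "ethernet1/5", "ethernet1/2": "ethernet1/6"}  # hypothetical
IFACE = re.compile(r"^(ethernet\d+/\d+)(\.\d+)?$")  # port, optional subinterface

# Return the new name for an interface reference, or None to leave it alone.
def translate(value, mapping, unmapped):
    m = IFACE.match(value or "")
    if not m:
        return None  # not an interface name (zone, address, tag, ...)
    if m.group(1) not in mapping:
        unmapped.add(value)  # still points at an old port: fix before import
        return None
    return mapping[m.group(1)] + (m.group(2) or "")

def remap_interfaces(xml_text, mapping):
    root = ET.fromstring(xml_text)
    changed, unmapped = 0, set()
    for el in root.iter():  # each element is visited once, so port swaps are safe
        new = translate(el.get("name"), mapping, unmapped) if el.tag == "entry" else None
        if new:
            el.set("name", new)
            changed += 1
        new = translate((el.text or "").strip(), mapping, unmapped)
        if new:
            el.text = new
            changed += 1
    return ET.tostring(root, encoding="unicode"), changed, sorted(unmapped)

if __name__ == "__main__":
    _, changed, unmapped = remap_interfaces(SAMPLE, MAPPING)
    print(f"rewrote {changed} references; unmapped: {unmapped}")
```

Only exact matches are rewritten, so an interface name mentioned inside a description or comment field is left untouched; the unmapped list is what to resolve before the import and Commit -> Validate steps.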
11-22-2024 10:20 AM
Thank you for this.
I have more questions if you don't mind.
Did you do this after you set up the licenses and upgraded to the latest software version on the 1420?
I haven't connected the 1420 live to the internet. At the moment, I am only connected to the management port.
I wonder if the import will fail if it does not have the same licenses on the 1420.
TIA.
11-22-2024 11:36 AM
It looks like he had not yet installed the licenses, which is why he got an error about "'panw-known-ip-list' is not an allowed keyword". No big deal, but with the licenses installed and content updated first, the PA firewall will have its EDLs downloaded and won't give this error.
For me, the best practice is to:
1. Connect mgt interface on new firewall, get dns to work, fetch licenses, obtain content updates.
2. Get PAN-OS to same level as prior firewall or upgrade prior firewall to catch up. The closer the better but they don't need to be exact.
3. Export running config of old firewall, e.g. save file on disk "PA3050-config.xml".
4. On new firewall, save named config snapshot "PA1410-original". Import "PA3050-config.xml" to new firewall. Load config. Look it over. (I have never had to edit the xml file first) but I agree with the above last 3 steps, reposted below.
To answer your question, import or load will not fail if licenses don't match, but possibly the validation or commit could fail, which you can tweak before successful commit.
5. Commit -> Validate to see what errors it spits out, e.g.
6. Edit the XML to correct the errors
7. Repeat steps 2-5 until no more validation errors