11-12-2020 09:52 PM
Hi all,
I have a few questions regarding doing a palo to palo migration:
- Are there any best practices for doing a Palo to Palo migration via Expedition?
- Is there any difference in uploading a Palo config XML to migrate as opposed to an API call?
- What parts of a Palo config are not migrated through Expedition? For example, I have noticed zone protection profiles don't migrate.
11-13-2020 09:45 AM
Normally, for Palo Alto Networks to Palo Alto Networks migration, you can export the configuration from the old firewall and import and load the configuration to the new firewall. There might be interface renaming needed between different models; you can do a search and replace of the interface name in the XML file directly.
In terms of the difference when importing the configuration in Expedition, retrieve it directly through API call if you have a direct connection between the PAN-OS device and Expedition. If not, you can manually export the configuration and upload it.
If the zone protection profile is in your original file, it will be migrated.
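The search-and-replace of interface names suggested above, as an added example that is not part of the original thread or of Palo Alto Networks' tooling: it renames by whole value in a single pass, so `ethernet1/1` never rewrites part of `ethernet1/10`, a swap does not collapse two ports into one, and names missing from the mapping are reported for review before commit. The sample XML and the mapping are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample shaped like a PAN-OS export; not taken from a real device.
SAMPLE = """<config><devices><entry name="localhost.localdomain">
<network><interface><ethernet>
  <entry name="ethernet1/1"><layer3/></entry>
  <entry name="ethernet1/2"><layer3><units>
    <entry name="ethernet1/2.20"><tag>20</tag></entry>
  </units></layer3></entry>
  <entry name="ethernet1/10"><layer3/></entry>
</ethernet></interface></network>
<vsys><entry name="vsys1"><zone>
  <entry name="wan"><network><layer3><member>ethernet1/1</member></layer3></network></entry>
  <entry name="lan"><network><layer3><member>ethernet1/2.20</member></layer3></network></entry>
  <entry name="dmz"><network><layer3><member>ethernet1/10</member></layer3></network></entry>
</zone></entry></vsys>
</entry></devices></config>"""

# Hypothetical old -> new mapping (a swap, the case sequential find/replace gets wrong).
RENAMES = {"ethernet1/1": "ethernet1/2", "ethernet1/2": "ethernet1/1"}

IFACE = re.compile(r"(ethernet\d+/\d+)(\.\d+)?")  # physical port plus optional subinterface unit

def remap_interfaces(xml_text, renames):
    """Rename interfaces by whole value; return (xml, changes, unmapped names)."""
    root = ET.fromstring(xml_text)
    changed, unmapped = 0, set()

    def translate(value):
        m = IFACE.fullmatch((value or "").strip())
        if not m:
            return None                      # not an interface name
        if m.group(1) not in renames:
            unmapped.add(m.group(1))         # left as-is; review before commit
            return None
        return renames[m.group(1)] + (m.group(2) or "")

    for el in root.iter():
        new_text, new_name = translate(el.text), translate(el.get("name"))
        if new_text:
            el.text, changed = new_text, changed + 1
        if new_name:
            el.set("name", new_name)
            changed += 1
    return ET.tostring(root, encoding="unicode"), changed, sorted(unmapped)

if __name__ == "__main__":
    out, n, left = remap_interfaces(SAMPLE, RENAMES)
    print(out)
    print(f"{n} values renamed; not in mapping: {left}")
```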
11-24-2020 02:53 PM
Certificates are another thing that doesn't exist in Expedition and can't be migrated. For Palo to Palo, I would usually recommend just exporting the full XML config and importing it into the target firewall. Before committing on the target firewall, adjust physical devices as needed, especially management and dataplane interfaces. If you have Panorama, even better for the migration, since you can leverage device groups and templates. If you need to mix-match stuff in those containers in Panorama, Expedition is a very helpful tool for that.
10-17-2023 01:23 AM
Hi @BenKnorr2 @lychiang I have a follow up question on this one.
I’d like to ask about interface migration using XML file.
Because the port density of the PA-460 and PA-3020 is different, we plan to change some interfaces to trunk ports.
| Area | PA-3020 | PA-460 |
|---|---|---|
| WAN Primary | E1 | E1 |
| LAN | E2 | E2 |
| WAN Secondary | E3 | E3 |
| Guest | E4 | E4 |
| Voice | E5 | E5 |
| SOC | E6 | E6 (Trunk) |
| WAN Voice | E7 | E6 (Trunk) |
| PAM | E8 | E6 (Trunk) |
| HA 1 | HA port | E7 |
| HA 2 | HA port | E8 |
In that case, what is your recommended procedure?
[example]
1) customize the export xml and import.
2) export and import, ignore error and amend manually.
3) delete the <ethernet> part of xml and add interface manually.
4) using partial import command and add interface manually.
Regards,
Renz
10-17-2023 05:49 AM
Recommend importing the XML file into Expedition 1.0 to remap the interfaces and do some cleanup while you're at it.
12-28-2024 03:59 PM
Export the device-state of the old firewall and import it to the new firewall; check the interfaces. If it has the same interfaces, nothing extra needs to be configured; if the number of interfaces doesn't match, you can add the new interfaces manually...
Importing a device-state is better, as sometimes if you go with just the .merged_running_config of the old firewall, the certificate keys may give you some errors when you are committing the changes.