Palo to Palo migration


L0 Member

Hi all,

 

I have a few questions regarding doing a Palo to Palo migration:

- Are there any best practices for doing a Palo to Palo migration via Expedition?

- Is there any difference in uploading a Palo config XML to migrate as opposed to an API call?

- What parts of a Palo config are not migrated through Expedition? For example, I have noticed zone protection profiles don't migrate.

2 accepted solutions

Accepted Solutions

L6 Presenter

Hi @AurelioTassone 

Normally, for a Palo Alto Networks to Palo Alto Networks migration, you can export the configuration from the old firewall and import and load the configuration to the new firewall. There might be interface renaming needed between different models; you can search and replace the interface name in the XML file directly.

 

In terms of the difference when importing the configuration in Expedition, retrieve it directly through API call if you have a direct connection between the PAN-OS device and Expedition. If not, you can manually export the configuration and upload it.

 

If the zone protection profile is in your original file, it will be migrated. 


L2 Linker

Certificates are another thing that doesn't exist in Expedition and can't be migrated. For Palo to Palo, I would usually recommend just exporting the full XML config and importing it into the target firewall. Before committing on the target firewall, adjust physical devices as needed, especially management and dataplane interfaces. If you have Panorama, even better for the migration since you can leverage device groups and templates. If you need to mix and match stuff in those containers in Panorama, Expedition is a very helpful tool for that.

L2 Linker

Hi @BenKnorr2 @lychiang I have a follow up question on this one. 

 

I’d like to ask about interface migration using XML file.

 

Because the port density of the PA-460 and PA-3020 is different, we plan to change some interfaces to trunk ports.

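| Area          | PA-3020 | PA-460     |
|---------------|---------|------------|
| WAN Primary   | E1      | E1         |
| LAN           | E2      | E2         |
| WAN Secondary | E3      | E3         |
| Guest         | E4      | E4         |
| Voice         | E5      | E5         |
| SOC           | E6      | E6 (Trunk) |
| WAN Voice     | E7      | E6 (Trunk) |
| PAM           | E8      | E6 (Trunk) |
| HA 1          | HA port | E7         |
| HA 2          | HA port | E8         |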

 

In that case, what is your recommended procedure?

[example]

1) customize the export xml and import.

2) export and import, ignore error and amend manually.

3) delete the <ethernet> part of xml and add interface manually.

4) using partial import command and add interface manually.

 

Regards,

Renz

Recommend importing the XML file into Expedition 1.0 to remap the interfaces and do some cleanup while you're at it. 

Douglas Elliott
Security Implementation Engineer
delliott@sayers.com
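
The first accepted answer suggests a search and replace of the interface name in the exported XML. The Python below is an added example, not code from this thread or from Palo Alto Networks: it renames interfaces by exact match, so `ethernet1/1` does not also rewrite `ethernet1/10`, carries subinterface suffixes along, and reports sibling entries that end up sharing a name. The sample XML is constructed, the function names are hypothetical, and it assumes interface references appear as whole `name` attributes or whole element text.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample shaped like a PAN-OS export fragment; not a real configuration.
SAMPLE = """<config><devices><entry name="localhost.localdomain">
 <network><interface><ethernet>
  <entry name="ethernet1/1"><layer3><units>
   <entry name="ethernet1/1.20"><tag>20</tag></entry></units></layer3></entry>
  <entry name="ethernet1/10"><layer3/></entry>
 </ethernet></interface></network>
 <vsys><entry name="vsys1"><zone><entry name="wan"><network><layer3>
  <member>ethernet1/1</member><member>ethernet1/1.20</member>
  <member>ethernet1/10</member>
 </layer3></network></entry></zone></entry></vsys>
</entry></devices></config>"""

IFACE = re.compile(r"(ethernet\d+/\d+)(\.\d+)?")

def remap_name(value, mapping):
    """Map a whole interface name (keeping any .N subinterface suffix), else None."""
    m = IFACE.fullmatch((value or "").strip())
    if m and m.group(1) in mapping:
        return mapping[m.group(1)] + (m.group(2) or "")
    return None

def remap_config(xml_text, mapping):
    """Rename interfaces in name attributes and element text.

    Returns (new_xml, change_count, duplicate_names); duplicates are sibling
    entries that ended up with the same name and must be resolved by hand.
    """
    root = ET.fromstring(xml_text)
    changes = 0
    for el in root.iter():
        new_attr = remap_name(el.get("name"), mapping)
        if new_attr:
            el.set("name", new_attr)
            changes += 1
        new_text = remap_name(el.text, mapping)
        if new_text:
            el.text = new_text
            changes += 1
    dupes = set()
    for parent in root.iter():
        counts = Counter(c.get("name") for c in parent if c.get("name"))
        dupes.update(n for n, k in counts.items() if k > 1)
    return ET.tostring(root, encoding="unicode"), changes, sorted(dupes)
```

A non-empty duplicate list means the mapping moved an interface onto a port the source config already uses; fix the mapping before importing the result on the target firewall.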