Palo to Palo migration

Reply
Highlighted
L0 Member

Palo to Palo migration

Hi all,

 

I have a few questions regarding doing a palo to palo migration:

- Are there any best practices for doing a Palo to Palo migration via Expedition

- Is there any difference in uploading an palo config xml to migrate as opposed to API call?

- What parts of a palo config are not migrated through expedition? For example I have noticed zone protection profiles don't migrate


Accepted Solutions
Highlighted
L4 Transporter

Hi @Aurelio.Tassone 

Normally, for Palo Alto Networks to Palo Alto Networks migration, you can export the configuration from the old firewall and import and load the configuration to the new firewall. There might be interface renaming needed between different models, you can do a search and replace the interface name in XML file directly.  

 

In terms of the difference when importing the configuration in Expedition, retrieve it directly through API call if you have a direct connection between the PAN-OS device and Expedition. If not, you can manually export the configuration and upload it.

 

If the zone protection profile is in your original file, it will be migrated. 

View solution in original post

Highlighted
L2 Linker

Certificates are another thing that don't exist in Expedition and can't be migrated. For Palo to Palo, I would usually recommend just exporting full xml config and importing into target firewall. Before committing on target firewall, adjust physical devices as needed, especially management and dataplane interfaces. If you have Panorama, even better for the migration since you can leverage device groups and templates. If you need to mix-match stuff in those containers in panorama, expedition is a very helpful tool for that.

View solution in original post


All Replies
Highlighted
L4 Transporter

Hi @Aurelio.Tassone 

Normally, for Palo Alto Networks to Palo Alto Networks migration, you can export the configuration from the old firewall and import and load the configuration to the new firewall. There might be interface renaming needed between different models, you can do a search and replace the interface name in XML file directly.  

 

In terms of the difference when importing the configuration in Expedition, retrieve it directly through API call if you have a direct connection between the PAN-OS device and Expedition. If not, you can manually export the configuration and upload it.

 

If the zone protection profile is in your original file, it will be migrated. 

View solution in original post

Highlighted
L2 Linker

Certificates are another thing that don't exist in Expedition and can't be migrated. For Palo to Palo, I would usually recommend just exporting full xml config and importing into target firewall. Before committing on target firewall, adjust physical devices as needed, especially management and dataplane interfaces. If you have Panorama, even better for the migration since you can leverage device groups and templates. If you need to mix-match stuff in those containers in panorama, expedition is a very helpful tool for that.

View solution in original post

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!