best path to migrate from 2050 5.0.8 to 3050 6.x

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

best path to migrate from 2050 5.0.8 to 3050 6.x

L1 Bithead

We just bought a pair of 3050's to replace our 2050's. The old 2050's are running 5.0.8. (I know that's old, but it was stable and we just left it alone) I'm looking for advice on the best path to upgrade to the new 3050's. 
I've looked at the migration tool, and it looks promising but I'm not familiar with it yet.

I've also considered downgrading the new 3050's to 5.0.8 and then cutting and pasting the config over bit by bit. And then upgrading back up to 6.x.

Or I could just try to build the new ones from scratch. This seems like a lot of ways for mistakes to be made.

 

Anyway, any thoughts or suggestions would be appreciated. 

 

Thanks,

mthompson

5 REPLIES 5

Cyber Elite
Cyber Elite

Hello,

The best place to start would be the release notes of the behavioral changes that are in 6.x from 5.x. If there are no real worries, you can just export the config from the 2050's and load them into the 3050's. Since the 3050's wont be production yet, you could go through them and verify the configs with the 2050's using something like notepad++ or Excel to look for differences.

 

When I did the same migration, I made sure the two were on the same version of code (I upgraded the 2050's to the base code of what the 3050's came with) then did a direct export/import and reviewed the code differences.

 

When i migrated from other firewalls to the PAN, I did it by scratch since the other firewalls didnt have app inspection.

 

I havent used the migration tool as I didnt have the luxury of learning it before the swapout.

 

Hope this helps!

L7 Applicator

I don't have a way to test right now, but I am pretty sure you cannot load a version 5 config into a version 6 device.  There are a number of formating changes that occur during the upgrade process from 5 to 6.

 

If you could upgrade the existing device from 5 to 6 then you could migrate the configuration by export/import.

 

You can rollback the upgrade.  So if you can schedule some downtime to upgrade the existing 2050 to grab the updated configuration then rollback to keep production the same.

 

But if you are worried about potential issues with the upgrade,  I feel like upgrading in place on the 2050 and running for a week is your better option anyway.  This way you only change on variable at a time instead of upgrading both the OS and hardware together.  This way you can be sure of the source of any issues.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

I had read in a migration doc that the config could only be transfered between devices as long as two conditions were met.

One was same code version. The other was same hardware model. You both are saying that the hardware model does not need to be the same. If that's the case it will certainly make this easier. 

 

I think I'll upgrade the 2050's to 6.1.4. - copy off the config and import it onto the 3050's. If the 2050's are stable after the upgrade I'll leave them at 6.1.4. If not, I'll roll them back.

 

Thanks for the thoughts and directions. I'll post the results.

 

mthompson

The hardware models are suppose to be the same.  But the main reason the configurations do not work is that the interface configurations are different among the various models.  In your case, the two models have the same interface setup so your configurations will match when you do the import.

 

If the interface layouts were different you would have to manipulate the names of the interfaces in the xml file prior to import to make the transition.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

Here is a quick update.

I decided to downgrade the new units to 5.0.8 and then copy the config onto them. This way I did not have make any changes to production. Much easier not having to go through change controle and waiting for change windows and such.

 

Once I got the current config on them running 5.0.8, I modified a couple things like the interface differenced between the two appliances. then I upgraded the new ones to 6.1.8. 

 

I brought them into production for 1 hour late last night just to identify any issues or things I've overlooked. I had forgotten to assign a virtual router to a new interface, other than that most things worked fine. 

One thing I think is not working is the single site to site VPN we have with a vendor we use. I have compared the configs and the settings are the same, so I'll have to work on this. 

 

I'll be bringing this new boxes permenantly into production next week. 

 

Thanks again for the direction and information.

  • 2554 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!