
Change of models managed by panorama


L2 Linker

Cordial greetings

Team

I currently have a PA 220 managed from panorama and we want to upgrade it to a PA440. The idea is to keep the same configurations of the 220 device in the 440. The question is, how should this process of device change be done?

We have added the new device to panorama and when adding the same template and DG that the 220 has it generates many errors and the commit never happens. What would be the best strategy to ensure that the new equipment is with the same configuration as the 220?

NOTE: At the time that the DG and Template assignment was made, the 220 was still connected, we want to take the previous configuration, so that it is only disconnect and connect.


Cyber Elite

Hello,

Here are a few things to check/do. On the 440, update the licenses and dynamic updates. Then take the commit errors one at a time. If you post them, we can help you through them.

 

Oftentimes I'm more of a hands-on person, meaning I manually take the configuration of the 220 and import it into the 440. There are usually errors, but they can be worked through.

Hope that helps. 

L2 Linker

cordial greetings


The question is, how do you download the config from the 220 and import it to the 440, bearing in mind that the 220 is managed by panorama. That is, I tried to do what you mention to load the config, but it happens that if I do it from the 220 the xml file, brings me only a few lines of configuration (mgmt interface information) does not bring all the configuration, because its administration is given from Panorama. Now, I tried to download a file from panorama selecting only and exclusively the DG and the template, as shown in the attached image, but when I read the xml file in a notepad, I see that there are all the configurations, including those of the other templates and DGs of the other teams, I do not know if I need something when I download it just to have the configuration of the team.

Regarding the error, unfortunately I did not take a screenshot of the errors. Being honest, to migrate that config and the only way I found, was to do it by load config partial, loading all the panorama config file to the FW; however, I raised the question in the forum, because I think there must be a much more practical and simple way, I do not think I should resort to this

Tell me or explain me exactly how you would do it.

I remain attentive

Cyber Elite

Hello,

You would get the 'named configuration snapshot' from the management interface of the 220 not from the Panorama.

PA-220: Save a named configuration snapshot, export named configuration snapshot

Edit the XML and delete all certificates.

PA-440: import named configuration snapshot, then load the configuration snapshot.

 

Hope that helps. 
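The "edit the XML and delete all certificates" step from the reply above, as an added example that is not part of the original posts or any Palo Alto tooling. The sample snapshot is constructed, and its element layout (certificate stores as `<certificate>` containers of `<entry>` elements, references as leaf elements holding the certificate name) is an assumption to check against your own export. Besides removing the certificates and private keys, it lists the settings that still point at a removed certificate, since those are what fail the commit on the new device.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a real export; the element layout is an assumption.
SAMPLE = """<config>
  <shared>
    <certificate>
      <entry name="old-220-cert"><private-key>REDACTED</private-key></entry>
    </certificate>
    <ssl-tls-service-profile>
      <entry name="mgmt-tls"><certificate>old-220-cert</certificate></entry>
    </ssl-tls-service-profile>
  </shared>
  <devices><entry name="localhost.localdomain">
    <deviceconfig><system><hostname>fw-site1</hostname></system></deviceconfig>
  </entry></devices>
</config>"""


def strip_certificates(xml_text):
    """Return (cleaned_xml, removed_names, dangling_refs)."""
    root = ET.fromstring(xml_text)
    removed = []
    # Pass 1: a <certificate> element that holds <entry> children is a store
    # of certificates and keys; drop it and remember the entry names.
    for parent in list(root.iter()):
        for child in list(parent):
            if child.tag == "certificate" and child.find("entry") is not None:
                removed += [e.get("name") for e in child.findall("entry")]
                parent.remove(child)
    # Pass 2: any leaf whose text equals a removed name is a dangling reference.
    dangling = []

    def walk(node, path):
        here = f"{path}/{node.tag}"
        if node.get("name"):
            here += f"[@name='{node.get('name')}']"
        text = (node.text or "").strip()
        if len(node) == 0 and text in removed:
            dangling.append((here, text))
        for sub in node:
            walk(sub, here)

    walk(root, "")
    return ET.tostring(root, encoding="unicode"), removed, dangling


if __name__ == "__main__":
    cleaned, removed, dangling = strip_certificates(SAMPLE)
    print("removed:", removed)
    for path, name in dangling:
        print(f"still references {name}: {path}")
```
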

L2 Linker

Best regards

I attached the configuration file that I exported from the computer (locally from device>setup>operations>save named configuration snapshot and export named configuration snapshot) which is managed by panorama, not all the configuration that is imported from panorama is there, that is why I couldn't do that procedure either.


@afalfaro wrote:

cordial greetings


The question is, how do you download the config from the 220 and import it to the 440, bearing in mind that the 220 is managed by panorama. That is, I tried to do what you mention to load the config, but it happens that if I do it from the 220 the xml file, brings me only a few lines of configuration (mgmt interface information) does not bring all the configuration, because its administration is given from Panorama. Now, I tried to download a file from panorama selecting only and exclusively the DG and the template, as shown in the attached image, but when I read the xml file in a notepad, I see that there are all the configurations, including those of the other templates and DGs of the other teams, I do not know if I need something when I download it just to have the configuration of the team.

Regarding the error, unfortunately I did not take a screenshot of the errors. Being honest, to migrate that config and the only way I found, was to do it by load config partial, loading all the panorama config file to the FW; however, I raised the question in the forum, because I think there must be a much more practical and simple way, I do not think I should resort to this

Tell me or explain me exactly how you would do it.

I remain attentive


If the device/config is controlled from Panorama then there's no need to export any configuration from the existing device (PA-220) and then try to load that config into a PA-440.

 

 

Using device groups, templates and template stacks you can have multiple hardware types loaded with the same security policy.  There will be/should be unique hardware config based on the device template.

 

As an example we have 3220 and 3400 hardware types that receive the same security policy configuration.  This is achieved by using a specific device template for the corresponding hardware type and associating the hardware platforms to the same "Device Group."

 

Exporting a config and trying to import one won't create the "managed" relationship of the new PA-440 by panorama.

 

 


 

L2 Linker

Cordial greetings

Thank you very much for your answer, I think I understood you, however, I ask you, you mention that the devices can have the same policy settings or Devices-Group as they are different models, but the template would have to be different. The question is, if I want the new device to have exactly the same configuration of the Network and Device tab (taking into account that it is a replacement), what should I do? They follow exactly the same ips, interfaces, vlans etc) How would I do to load the same template config to the new device?

What would be the step by step

1. Do I have to duplicate the template that is productive and when I connect the new device I assign it to it?
2. Do I register the new device and have to do all the network and device configurations from scratch? Can't I migrate the existing config to the new FW?
3. What would be the best option considering it is a hardware upgrade, but the configurations are the same?
4. How would you do if you are asked to upgrade the FW of a site, but you have to respect the same configuration, considering that the device is managed by panorama?


@afalfaro wrote:

Cordial greetings

Thank you very much for your answer, I think I understood you, however, I ask you, you mention that the devices can have the same policy settings or Devices-Group as they are different models, but the template would have to be different. The question is, if I want the new device to have exactly the same configuration of the Network and Device tab (taking into account that it is a replacement), what should I do? They follow exactly the same ips, interfaces, vlans etc) How would I do to load the same template config to the new device?

What would be the step by step

1. Do I have to duplicate the template that is productive and when I connect the new device I assign it to it?
2. Do I register the new device and have to do all the network and device configurations from scratch? Can't I migrate the existing config to the new FW?
3. What would be the best option considering it is a hardware upgrade, but the configurations are the same?
4. How would you do if you are asked to upgrade the FW of a site, but you have to respect the same configuration, considering that the device is managed by panorama?


The information really is there, you just have to play around with it.  A lot of times you can "clone" objects and modify them for a different use case.  In this case it's tied to (or can be tied to) templates and template stacks.

 

Take your existing config, clone it, then add the 440 hardware to the new template stack designed for the specific hardware type.  You don't necessarily need a unique template for the different hardware, but the port count or type will be vastly different from a 220/440 versus a 5200 for instance.  So that's why having the same like hardware in a template/stack is the better approach.

 


 

Cyber Elite

Hi @afalfaro ,

 

This is what I would do:

 

  1. Do I have to duplicate the template that is productive and when I connect the new device I assign it to it?
    1. Not necessarily.  You can add the PA-440 to the same device group and template.
  2. Do I register the new device and have to do all the network and device configurations from scratch?  No.
    1. Can't I migrate the existing config to the new FW?  Yes.
  3. What would be the best option considering it is a hardware upgrade, but the configurations are the same?
    1. Export and import local config.  Change management IP back before commit.
    2. Add PA-440 to Panorama and to the same device group and template.
  4. How would you do if you are asked to upgrade the FW of a site, but you have to respect the same configuration, considering that the device is managed by panorama?
    1. See #3.  The reason that I have you migrate the local and Panorama configuration is that I do not know what is configured locally and what is configured from Panorama.

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

L2 Linker

Cordial greetings

@TomYoung and @Brandon_Wertz

 

As per the comments provided, a teammate of mine performed exactly the same procedure you mention, adding the FW to the same DG and Template that had the FW in production, and the configurations have been deployed successfully on the new device.

In the next few days I will perform the migration of another FW and I will provide you with the corresponding update.

Thank you very much for your answers
