Copy config from live PA820 to old PA500


L1 Bithead

We recently got a PA820 in live production and I'm concerned if we have a device failure that it may be difficult to take a saved config from the PA820 and import it into the old PA500.  Does anyone have any experience with this?  Is it even possible?  How long would this take (guesstimate)?  

 

Thank you in advance!


L7 Applicator

Should be possible. But this requires that both firewalls run the same PAN-OS version. And if you use different interfaces on the firewalls, you need to change this in the XML config file prior to the config import.

As I don't have experience with this situation, there might be some other things you need to adjust in the XML, but in general it is possible.

Thanks for the reply - from what I've found from Palo Alto, they recommend identical hardware but I wasn't sure if it was for reasons like the one you mentioned or if there was a hardcoded difference.

 

Mostly I'm concerned with the time, as the firewall admin has told my boss that from appliance failure to recovery we can be up and running in 30 minutes, which I think is a very generous timeframe. Do you have any experience with copying configs from working Palo Altos and if so how long did it take to move configs and transfer services from one PA firewall to the other?

@Nickzzz,

The time to recovery is 'depends' quite frankly. 

  • Do you have the PA-500 already configured as a 'cold' spare?
  • Do you have the live configuration prepped for deployment to the PA-500? 
  • Do you actually have the configuration backed up in an accessible location? 
  • How familiar is your admin with modifying XML?  

 

In one of my deployments I actually could likely have this done faster than 30 minutes, and this would likely have been my answer as well. In areas where I can't really prep an identical cold spare I would have followed a model that looks like this. 

1) Nightly backups of the running-config.xml to a share that I would have access to if the network is down

  • Remember you're losing the firewall; keep that in mind when choosing a backup location. 

2) Weekly I would take a config file from the live equipment and make the necessary changes so that I can load it onto the backup gear. This way we should be in a 'workable' state as soon as the spare boots up, even if I have to go back and get it to 100% match the running-config on the 'production' device.

  • Best case you load the config on the PA-500 every week so it's ready. 
  • If you really know your way around the XML config itself, you don't even have to load it on the PA-500. This is only after you know they understand the XML structure though. 

3) The PA-500 should be ready to put into place immediately if it isn't already in place. If it fails you don't want to be farting around with running power or anything like that. It should already be in position in the rack so that you simply move cables; if it can be powered on already as well then that's great. 

 

So to answer your question; ya your admin really isn't lying about getting the configuration moved over in 30 minutes or less if they know what they are doing and the firewall/configuration is prepped. If I need to modify the XML file from backup for a different platform, actually get the PA-500 in place, and boot the thing and load my modified config then you're looking at closer to 45-60 minutes with how long the PA-500 takes to boot and commit. That's with me being very comfortable with modifying the XML directly and knowing where I actually need to modify things between platforms. 

I would say that if your admin isn't doing any prepping at all and isn't comfortable working on the XML file itself; you're looking at closer to a 90 minute timeframe. 
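One way to script the two XML adjustments the replies above call out (renaming interfaces for the other platform and checking the PAN-OS version the export came from), as an added example that is not code from this thread or from Palo Alto Networks; the config fragment is constructed and heavily simplified, and the PA-820 to PA-500 port plan and the PA-500 port count are assumptions:

```python
import re
import xml.etree.ElementTree as ET

# Constructed, heavily simplified fragment of a PAN-OS config export;
# only the element shapes this script touches are kept.
SAMPLE_CONFIG = """<config version="9.1.0">
  <devices><entry name="localhost.localdomain">
    <network>
      <interface><ethernet>
        <entry name="ethernet1/11"><layer3><ip><entry name="203.0.113.2/24"/></ip></layer3></entry>
        <entry name="ethernet1/12"><layer3><ip><entry name="192.0.2.1/24"/></ip></layer3></entry>
      </ethernet></interface>
      <virtual-router><entry name="default"><interface>
        <member>ethernet1/11</member><member>ethernet1/12</member>
      </interface></entry></virtual-router>
    </network>
    <vsys><entry name="vsys1"><zone>
      <entry name="untrust"><network><layer3><member>ethernet1/11</member></layer3></network></entry>
      <entry name="trust"><network><layer3><member>ethernet1/12</member></layer3></network></entry>
    </zone></entry></vsys>
  </entry></devices>
</config>"""

IFACE_RE = re.compile(r"^ethernet\d+/\d+$")

def remap_interfaces(xml_text, mapping, valid_targets):
    """Rename interfaces per mapping (old -> new) both where they are defined
    (<entry name=...>) and where they are referenced (<member> text). Returns
    (new_xml, leftovers): names still present that the target platform lacks."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        if el.get("name") in mapping:
            el.set("name", mapping[el.get("name")])
        if el.text and el.text.strip() in mapping:
            el.text = mapping[el.text.strip()]
    leftovers = sorted({s for el in root.iter()
                        for s in (el.get("name"), (el.text or "").strip())
                        if s and IFACE_RE.match(s) and s not in valid_targets})
    return ET.tostring(root, encoding="unicode"), leftovers

def config_version(xml_text):
    """PAN-OS version the export came from (<config version=...>)."""
    return ET.fromstring(xml_text).get("version")

if __name__ == "__main__":
    # Assumed port plan: PA-820 SFP ports 1/11-1/12 land on PA-500 copper ports 1/1-1/2.
    new_xml, left = remap_interfaces(SAMPLE_CONFIG, {"ethernet1/11": "ethernet1/1", "ethernet1/12": "ethernet1/2"},
                                     {f"ethernet1/{n}" for n in range(1, 9)})
    print("unmapped:", left or "none", "| source version:", config_version(SAMPLE_CONFIG))
```

Any name reported in leftovers is a reference the spare cannot bind, so it is worth clearing those before the weekly test load rather than discovering them during an outage.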

Hi BPry,

Thanks for the detailed response - I really appreciate it.

 

I will have to check on a couple of the items on your list.

 

Here is what I do know:

  • The PA-500 is powered on and racked next to the PA-820 so cable swap would be quick.
  • The PA-500 isn't configured as a cold spare; it has the config from a few months ago whenever it was taken out of line.
  • Based on this previous statement, I'm going to assume the OS version on the PA-500 is also out of date.
  • The PA-820 config is backed up but I am unsure how often the firewall admin does this or where he stores it.
  • Given what I know of my firewall admin he is not very familiar with modifying XML.

If you personally came into an environment like this where you were able to get the most recent running config, how long would you say it would take to bring the PA-500 online w/the most recent PA-820 config?

 

Thanks again for the very helpful response!

@Nickzzz,

It would likely take me 5-10 minutes to modify the config file depending on the size; then simply logging into the PA-500, uploading the modified config and committing. The PA-500 itself can take 5 minutes to commit, so factor that in. 

Ok thank you for the information - I added your response as the solution 🙂
