09-08-2025 06:44 AM
Greetings from Detroit Michigan!
I have been tasked with migrating our current PA-5220 pair firewalls to a new PA-3420 pair. I have been led to believe that the "Expedition" tool will help with this task. The problem simply put is that the documentation for this is quite spartan in the area of migrating from a PA to a PA.
We are using Expedition 1.x (latest available) as Expedition 2.x wouldn't cleanly install at all.
Where I am getting stuck: the import of the second (or destination) firewall. My process: create a new project with only the source PA defined. Import the config from the source PA (which has to be done multiple times in order to succeed), then review the object lists, then rename the interfaces in the config, then add the destination PA to the project, then import the second PA .
It is at this point where things start to screw up - usually in the form of a munged config for the source PA.
Can anyone help me figure out what I am doing wrong here?
Thanks!
Ron Gage
09-08-2025 10:17 AM
I would not go through the process of using Expedition for something this simple. Get the PA-3420 and the PA-5220 on the same software version for the initial cutover, ensure that both are setup to use the same master key if you ever modified it, and then import the configuration on the PA-3420 and deal with any needed interface migrations or validation errors.
The biggest thing that you're going to have to deal with is just interface migrations. You can deal with this in the XML easily before you load it, or just correct it after the fact. Since the PA-3420 has far more actual copper interfaces (ethernet1/1 - ethernet1/12) you may need to just migrate some of your existing PA-5220 interfaces over to the SFP+ interfaces (ethernet1/13 - ethernet1/22) to get them to actually match the expected interface type.
09-08-2025 10:17 AM
I would not go through the process of using Expedition for something this simple. Get the PA-3420 and the PA-5220 on the same software version for the initial cutover, ensure that both are setup to use the same master key if you ever modified it, and then import the configuration on the PA-3420 and deal with any needed interface migrations or validation errors.
The biggest thing that you're going to have to deal with is just interface migrations. You can deal with this in the XML easily before you load it, or just correct it after the fact. Since the PA-3420 has far more actual copper interfaces (ethernet1/1 - ethernet1/12) you may need to just migrate some of your existing PA-5220 interfaces over to the SFP+ interfaces (ethernet1/13 - ethernet1/22) to get them to actually match the expected interface type.
09-08-2025 10:53 AM
Thank you sir. That sounds easy enough. I think we'll give that a go.
Ron
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
