Firewall replacement procedures

We are planning to replace PA-3260 with PA-3430. Can anyone suggest the procedures and prerequisites to be followed before replacing the firewalls?

Currently the firewalls are managed from Panorama.

Accepted Solutions

Cyber Elite

Hello @Marsooq_A

Thank you for the post!

First of all, the PA-3400 series supports only PAN-OS 10.2, so to register this Firewall to Panorama you must be running Panorama on PAN-OS 10.2 as well. This is the only prerequisite I can think of.

Regarding the procedure, under the assumption that PA-3430 will have the same configuration and function, I would go with the steps below.

1.) Perform initial configuration of PA-3430. Configure the management interface, DNS server and Panorama IP address/FQDN. The IP address of the management interfaces should obviously be unique and not duplicated with the existing PA-3260. Make sure that all licenses are applied and install the latest application/threat content. Upgrade PAN-OS if necessary. If you are using an HA pair, do the same for both Firewalls. If you are not planning to use Panorama to push HA configuration, then at this point I would build HA.

2.) Register both PA-3430 to Panorama and make sure that both Firewalls come online. If PA-3430 will serve the same function/purpose as PA-3260, I would place this Firewall in the same Device Group. For the Template Stack, I would clone the existing PA-3260 Template Stack and modify settings in the device-specific Template in case there is something that will either not be compatible with the new PA-3430 or that you want to customize for this Firewall. After the Firewalls are assigned to Device Group/Template Stack, I would perform verification. If there is no issue, I would push the configuration.

3.) As a next step, I would plan the cut-over to PA-3430. If rack space allows, it would be ideal to place the PA-3430 pair close to PA-3260 to potentially re-use the same cables/optics. On the day of migration, I would announce downtime and move cables across from PA-3260 to PA-3430. Since the new Firewall will be using the same configuration, all downstream and upstream devices should update their ARP tables with the new MAC address through GARP. If this does not happen, you might have to clear the old entry manually.

4.) After the migration, I would use the opportunity of the maintenance window to perform a failover test and make sure of full functionality for both Firewalls in HA.

5.) As the final step, I would remove PA-3260 from Panorama and clean up all related configuration.

The above steps might be too rough without going into details. If you give more details about the challenges you face, I will elaborate more.

Kind Regards

Pavel

Help the community: Like helpful comments and mark solutions.
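
The ARP check from step 3 of the answer above, as an added example that is not part of the original post: it parses `ip neigh show` output captured on a Linux neighbor after cut-over and reports which firewall IPs still resolve to the old PA-3260 MAC. The neighbor being a Linux host, the inventory dictionary, and all IP and MAC values are assumptions constructed for illustration.

```python
import re

# Constructed sample of `ip neigh show` output taken on a neighbor after cut-over.
SAMPLE_NEIGH = """\
192.0.2.1 dev eth0 lladdr 00:00:5e:00:53:a1 STALE
192.0.2.2 dev eth0 lladdr 00:00:5E:00:53:B2 REACHABLE
192.0.2.3 dev eth1  FAILED
198.51.100.7 dev eth0 lladdr 00:00:5e:00:53:09 REACHABLE
"""

# Hypothetical inventory: firewall interface IP -> (old PA-3260 MAC, new PA-3430 MAC).
FIREWALL_IPS = {
    "192.0.2.1": ("00:00:5e:00:53:a1", "00:00:5e:00:53:b1"),
    "192.0.2.2": ("00:00:5e:00:53:a2", "00:00:5e:00:53:b2"),
    "192.0.2.3": ("00:00:5e:00:53:a3", "00:00:5e:00:53:b3"),
}

# The lladdr field is absent for FAILED/INCOMPLETE entries, so it is optional here.
LINE = re.compile(
    r"^(?P<ip>\S+) dev \S+(?: lladdr (?P<mac>[0-9A-Fa-f:]{17}))?"
    r"(?: router)?\s+(?P<state>[A-Z]+)$"
)

def parse_neigh(text):
    """Return {ip: (lowercased MAC or None, state)} from `ip neigh show` output."""
    table = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            mac = m.group("mac")
            table[m.group("ip")] = (mac.lower() if mac else None, m.group("state"))
    return table

def classify(table, firewall_ips):
    """Label each firewall IP as updated, stale, unresolved or unexpected."""
    result = {}
    for ip, (old, new) in firewall_ips.items():
        mac, _state = table.get(ip, (None, "MISSING"))
        if mac is None:
            result[ip] = "unresolved"   # no entry yet, or FAILED/INCOMPLETE
        elif mac == new.lower():
            result[ip] = "updated"      # GARP was accepted
        elif mac == old.lower():
            result[ip] = "stale"        # still the old MAC: clear this entry
        else:
            result[ip] = "unexpected"   # neither firewall: check for a duplicate IP
    return result

if __name__ == "__main__":
    for ip, status in classify(parse_neigh(SAMPLE_NEIGH), FIREWALL_IPS).items():
        print(f"{ip}: {status}")
```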
