07-15-2021 12:10 PM
Hello,
I am rather new to the Palo Alto FWs, and I am looking to replace 2 existing PA3020's in an HA pair with two PA3220 also in an HA pair. I've never done a full swap like this so is there any Best Practice recommendations and/or upgrade checklist for steps needed to perform this type of an upgrade? Also, I'm curious if I can swap one firewall at a time rather than both causing a site outage. Currently I have one set to "Active" and the second is "Passive". The new config will be the same. If someone could steer me in the right direction, I would greatly appreciate it. Thanks in advance.
07-15-2021 07:04 PM
Depends on if you just want to migrate the configuration between units or if you want to take the change in hardware as a chance to cleanup the configuration a bit. I always recommend using any hardware change as a chance to really go through the configuration and cleanup any unused statements and cleanup the rulebase entries.
To your actual swap, you can't swap the firewalls like that because a PA-3220 won't joint HA with anything but a PA-3220. Generally I recommend that you get everything staged and validated prior to the cutover so that the only thing you have to do upon cutover is either swapping interfaces to have as little downtime as possible. Ideally you'd have the interface count available to have everything cabled up on each set of firewalls, but if not you would just swap your cables over to the new hardware when you have the maintenance window for your cutover.
07-15-2021 07:04 PM
Depends on if you just want to migrate the configuration between units or if you want to take the change in hardware as a chance to cleanup the configuration a bit. I always recommend using any hardware change as a chance to really go through the configuration and cleanup any unused statements and cleanup the rulebase entries.
To your actual swap, you can't swap the firewalls like that because a PA-3220 won't joint HA with anything but a PA-3220. Generally I recommend that you get everything staged and validated prior to the cutover so that the only thing you have to do upon cutover is either swapping interfaces to have as little downtime as possible. Ideally you'd have the interface count available to have everything cabled up on each set of firewalls, but if not you would just swap your cables over to the new hardware when you have the maintenance window for your cutover.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
