Firewall upgrade/replacement

L4 Transporter

What is the easiest way to replace old hardware (5050) with new (5520) that are in an HA pair? Can I add 2 new firewalls to the HA group and fail over? Or do I have to replace the passive with new, make it active, then remove the other?


Accepted Solutions
Cyber Elite

@raji_toor,

No. A platform upgrade will be a complete install/rip-and-replace. You can't add two different platforms into the same HA group, so what you are proposing simply won't work.

You'll want to migrate your configuration to the new 5250s and get those functional prior to the cutover date, and then when you've scheduled an outage you will actually perform the cutover to the new equipment. 


All Replies
L4 Transporter

Thanks @BPry, I was hoping PA had an F5-like capability to add old and new hardware in the same group and then activate the new ones.

L4 Transporter

@raji_toor Strictly speaking, there is a similar capability, which in fact is more flexible than the F5 solution. If you have your firewalls fully managed by Panorama, then you can just add the new hardware to the same device groups and templates, and the configuration will be synced to the new appliances.

L1 Bithead

Dear All,

Can anyone please advise on any specific points to be taken care of for a hardware replacement of a pair of 5060 firewalls fully managed by Panorama, to be replaced with 5250?

To me, a high-level plan looks like this:

1. Prepare the new firewalls by importing the device state with new mgmt IPs to avoid any duplicates in the network.

2. Test the failovers on the new pair.

3. Add the Panorama server IP in the new firewalls.

4. Add the new serial numbers of the new firewalls to Panorama under managed devices, match the threat & antivirus versions, migrate the license?

5. Change the policy target to any in case any specific target group was selected.

6. Disconnect the secondary firewall to be replaced & power on the new 5560 unit.

7. Double-check the priority on the firewalls to avoid any issues with taking over & make it the active.

8. Push the policy to the secondary firewall.

9. Create the device group.

Is there anything else that needs to be taken care of? Is anything related to the master key required?
