This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Hardware refreshment from 3020 to 3410 managed by panorama

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Hardware refreshment from 3020 to 3410 managed by panorama

Nileshapatil
L1 Bithead

‎07-11-2024 06:57 AM

Hi All,

 

Can someone please help me with migration guide or steps old firewalls are managed by Panorama.

 

Hardware refreshment from 3020 to 3410 managed by panorama.

0 Likes Likes
5 REPLIES 5

OtakarKlier
Cyber Elite
Cyber Elite

‎07-11-2024 07:33 AM

Hello,

Should be a fairly straight forward process.

First setup the 3410 management interface:

  1. Connect to the console port using Putty
  2. Configure the management port
    1. configure
    2. set deviceconfig system ip-address <IP address> netmask <subnet mask> default-gateway <gateway>
    3. set deviceconfig system dns-setting servers primary <IP of internal DNS server if no internal DNS server use 208.67.220.220 >
    4. set deviceconfig system ntp-servers primary-ntp-server ntp-server-address <IP of NTP server or use us.pool.ntp.org>
    5. Commit
  3. Log into the GUI
    1. Devices -> License
    2. Retrieve from server
  1. Dynamic updates
    • .App Threat 
      • Click the Check Now on the bottom to refresh the version etc.
      • download and install the newest version
    • AntiVirus
      • Click the Check Now on the bottom to refresh the version etc.
      • download and install the newest version

Connect it to the Panorama. If you have any local only configurations, you just need to recreate them on the 3410.

 

This is the High overview of what to do. There maybe errors and warnings once you try and commit the configuration, just work through them one at a time.

 

IN A MAINTENANCE WINDOW THAT HAS BEEN APPROVED BY MANAGMENT FOR DOWNTIME.

 

Once you are ready for the swap, make sure the 3410 is mounted next to the 3020 and move the cables one at a time. 

 

Check for operation via logs and test etc. Your fall back is to move the cables back to the 3020.

 

Hope this helps.

0 Likes Likes

Nileshapatil
L1 Bithead
In response to OtakarKlier

‎07-11-2024 08:15 AM

@OtakarKlier thank for the detailed steps. Do you mean once initial configuration is done and new firewalls added to Panorama. Do I need to add those in device group and template where existing 3020 firewalls are lying to replicate the configuration.

 

0 Likes Likes

OtakarKlier
Cyber Elite
Cyber Elite

‎07-11-2024 08:25 AM

Hello,

"Do I need to add those in device group and template where existing 3020 firewalls are lying to replicate the configuration."

 

Yes you are correct. This way the new 3410 will get the same policies etc. The one thing you need to ensure is the port configurations are correct etc. Hence the need for a check prior to performing the swap. There are differences in code version from what the 3020 and the 3410 are running and the newer one has more features you might want to explore, etc.

 

Patience is your friend in this scenario. The last thing you want is to go into the change phase and has a lot of surprises to deal with. The more time you take and check the config on the 3410, the easier the swap will be.

 

Cheers!

0 Likes Likes

Nileshapatil
L1 Bithead
In response to OtakarKlier

‎07-11-2024 09:02 AM

Ok thanks, Will update you once we attempted the swap

0 Likes Likes

Brandon_Wertz
L6 Presenter
In response to Nileshapatil

‎07-16-2024 06:14 AM - edited ‎07-16-2024 06:15 AM

@Nileshapatil wrote:

Ok thanks, Will update you once we attempted the swap

I want to clarify something @OtakarKlier mentioned. IMO, you do NOT want to move the cables one at a time.  Doing so will likely split an active port-channel leaving 1 cable behind connected to the 3020 you're replacing (Which means both the 3020 and the 3410 will be active creating a split-brain scenario):

 

Brandon_Wertz_0-1721135452084.png

 

I'm currently going through a hardware swap of 3410s for 3220s.  To accomplish this we're taking the passive 3220 offline.  Then when ready taking all active connections away from the "active" 3220 and moving them to the corresponding 3410 all at once.  Doing this will create a brief outage for the service provided for the 3020/3220, but it's the cleanest and quickest way.

 

There might be a scenario where you can move a cable one at a time from the hardware being replaced by new, but that will involve a lot more detail than a high-level plan any of us have shared here.

0 Likes Likes
  • 895 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks