My organization is looking to upgrade from an Active/Active 5060 deployment to an Active/Standby 5200 series deployment. I have Expedition installed although I'm not proficient at it yet (side note: If anyone knows of and can pass along any tutorials on using it to capture data and create migration rulesets to move IP/port rules over to app rules I'd really appreciate it) and we've also got Panorama.
We're still a few months out and haven't purchased the units yet but I wanted to get a jump on things and start trying to figure out what the process would look like. In Panorama, most of my address, address groups, and tags are in the Shared space so adding the additional firewalls to this should just sync that stuff over. My security policy and NAT rules are currently all set up as Pre-Rules (seems like I learned later this wasn't necessarily ideal... gotta go back and read up) but are in a sub-device group since I thought there was a likelihood of adding additional smaller firewalls in different locations.
I'm looking for any feedback or advice on the move for this. I want to minimize downtime, of course, and I figured I would probably need to upgrade Panorama and our current firewalls to an 8.1 release before starting. I've never configured firewalls from scratch in Panorama before so I figured the initial process would look something like this:
There will of course be some additional steps like subscription installation and activation, etc., but these are the basics I've thought of so far. For actual installation, my thought was to take one of our current A/A units offline and unrack it, put one of the new ones in its place, and then do some sort of swap-over to see if the new system is stable before we unrack the second unit and move forward.
Am I on the right track here? Anything else I need to consider?
You are pretty much on the right track. If you only need to make changes to HA, why not just copy the whole config to the new units?
Here is a path I would take if making the same/similar changes:
1. Upgrade all units, new and old, to the version of code you want to end up with.
2. Export config from old PAN to new PAN
3. Reconfigure HA on the new PAN to A/S
4. During an outage window:
a. shutdown old A/A pair
b. move cables to the A/S pair
@OtakarKlier thanks for the reply!
The new units have a larger number of 10gig ports. Our current units I think have 4... 2 are going to the other unit and 2 are set up in a LAG with a bunch of sub-interfaces that terminate on a 4500-X VSS we're currently using as a router.
I'm not opposed necessarily to keeping the 4500-X inline if we need the fiber ports but it really doesn't do Layer 3 particularly well so I was looking to see how to remove that functionality and just have the next hops be our Internet Edge router, our Core 6500 series devices, the DC, etc. depending on the interface. The 4500-X would just be Layer 2 at that point if we need it at all.
Since we're currently using OSPF, I was also of the understanding that OSPF down detection and reconvergence can happen quicker on point-to-point physical links vs point-to-point VLANs.
Due to all this, I figured there would be some interface changes on the new units compared to the old ones which also means security zone and virtual router changes.
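The cutover path suggested above (upgrade, export the old config, flip HA to A/S, re-cable) and the interface, zone and virtual-router rework raised in the follow-up both hinge on one question: which interface names in the exported config will no longer exist on the new platform once the LAG sub-interfaces are replaced by physical ports? The script below is an added example, not from this thread, from Palo Alto Networks, or from Panorama/Expedition. It parses a constructed, trimmed PAN-OS-style configuration export, reads the HA mode, and reports every zone and virtual-router reference to an interface that is not on a hypothetical planned interface list for the new units. The XML path layout (deviceconfig/high-availability, network/interface, network/virtual-router, vsys/entry/zone) is assumed from the PAN-OS config format; the interface names and the planned list are made up for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed export from the old A/A pair. Element paths are
# assumed to follow the PAN-OS config layout; names are invented for the example.
OLD_CONFIG = """<config>
  <devices><entry name="localhost.localdomain">
    <deviceconfig><high-availability><enabled>yes</enabled>
      <group><mode><active-active/></mode></group>
    </high-availability></deviceconfig>
    <network>
      <interface>
        <ethernet>
          <entry name="ethernet1/1"/>
          <entry name="ethernet1/2"/>
        </ethernet>
        <aggregate-ethernet>
          <entry name="ae1"><layer3><units>
            <entry name="ae1.10"/>
            <entry name="ae1.20"/>
          </units></layer3></entry>
        </aggregate-ethernet>
      </interface>
      <virtual-router><entry name="default"><interface>
        <member>ethernet1/1</member>
        <member>ae1.10</member>
        <member>ae1.20</member>
      </interface></entry></virtual-router>
    </network>
    <vsys><entry name="vsys1"><zone>
      <entry name="outside"><network><layer3><member>ethernet1/1</member></layer3></network></entry>
      <entry name="dc"><network><layer3><member>ae1.10</member></layer3></network></entry>
      <entry name="core"><network><layer3><member>ae1.20</member></layer3></network></entry>
    </zone></entry></vsys>
  </entry></devices>
</config>"""

# Hypothetical plan for the new A/S units: the LAG to the 4500-X is gone and the
# DC and core links become dedicated physical 10G ports.
PLANNED_NEW_INTERFACES = {"ethernet1/1", "ethernet1/5", "ethernet1/6"}


def ha_mode(root):
    """Return the configured HA mode tag (e.g. 'active-active') or None."""
    mode = root.find(".//deviceconfig/high-availability/group/mode")
    if mode is None or len(mode) == 0:
        return None
    return mode[0].tag


def defined_interfaces(root):
    """Collect physical, aggregate and layer-3 sub-interface names."""
    names = set()
    for kind in ("ethernet", "aggregate-ethernet"):
        for entry in root.findall(f".//network/interface/{kind}/entry"):
            names.add(entry.get("name"))
            for unit in entry.findall("./layer3/units/entry"):
                names.add(unit.get("name"))
    return names


def interface_references(root):
    """Map interface name -> list of 'vr:<name>' / 'zone:<name>' references."""
    refs = {}
    for vr in root.findall(".//network/virtual-router/entry"):
        for m in vr.findall("./interface/member"):
            refs.setdefault(m.text.strip(), []).append(f"vr:{vr.get('name')}")
    for zone in root.findall(".//vsys/entry/zone/entry"):
        # network/<layer3|layer2|virtual-wire>/member all carry interface names
        for m in zone.findall("./network/*/member"):
            refs.setdefault(m.text.strip(), []).append(f"zone:{zone.get('name')}")
    return refs


def check_migration(xml_text, planned_interfaces):
    """Report HA mode, dangling references, and references the new box can't keep."""
    root = ET.fromstring(xml_text)
    defined = defined_interfaces(root)
    refs = interface_references(root)
    dangling = {n: r for n, r in refs.items() if n not in defined}
    not_on_target = {n: r for n, r in refs.items()
                     if n in defined and n not in planned_interfaces}
    return {"ha_mode": ha_mode(root), "dangling": dangling,
            "not_on_target": not_on_target}


if __name__ == "__main__":
    report = check_migration(OLD_CONFIG, PLANNED_NEW_INTERFACES)
    print("old HA mode:", report["ha_mode"])
    for name, where in sorted(report["not_on_target"].items()):
        print(f"rework needed: {name} is referenced by {', '.join(where)}")
```

Run against the real export by replacing OLD_CONFIG with the file contents; every line of the "rework needed" output is a zone or virtual-router entry that must be edited before the imported config will commit cleanly on the new pair, and the HA mode line confirms whether the A/A-to-A/S change is still pending.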