01-20-2022 05:30 AM
How to Migrate of existing config / rules from PA-3020 in a HA pair to PA-460 in a HA Pair?
01-20-2022 07:16 AM
The only real "issue" that you'll run into is interface changes if you're using interfaces on the PA-3020 that don't exist on the PA-460; not really an issue since you can just update that interface information in the GUI or find/replace it in the XML configuration file before you load it onto the PA-460. (IE: You're using ethernet1/18 on the PA-3020 that won't exist on the PA-460).
The actual configuration migration however can just be exported and loaded without issue. The validation process will catch anything that won't actually function on the PA-460 (like that interface problem mentioned above), so that you can go through and correct any of that.
I'm partial to actually going through the configuration once you have it loaded on the PA-460 and ensuring that everything inputted is actually still needed. Hardware migrations are always a good time to verify that you don't have any unused objects configured, or any rulebase entries that aren't actually needed anymore.
Take a look at this migration guide: https://docs.paloaltonetworks.com/content/dam/techdocs/en_US/pdf/hardware/migration/firewall-migrati...
01-20-2022 07:16 AM
The only real "issue" that you'll run into is interface changes if you're using interfaces on the PA-3020 that don't exist on the PA-460; not really an issue since you can just update that interface information in the GUI or find/replace it in the XML configuration file before you load it onto the PA-460. (IE: You're using ethernet1/18 on the PA-3020 that won't exist on the PA-460).
The actual configuration migration however can just be exported and loaded without issue. The validation process will catch anything that won't actually function on the PA-460 (like that interface problem mentioned above), so that you can go through and correct any of that.
I'm partial to actually going through the configuration once you have it loaded on the PA-460 and ensuring that everything inputted is actually still needed. Hardware migrations are always a good time to verify that you don't have any unused objects configured, or any rulebase entries that aren't actually needed anymore.
Take a look at this migration guide: https://docs.paloaltonetworks.com/content/dam/techdocs/en_US/pdf/hardware/migration/firewall-migrati...
02-16-2022 03:35 AM
Thanks That worked for us, few issues related to HA port, Log allocation, barring that everything worked.
08-23-2022 10:09 AM
@BPry - when upgrading PA-3020 to PA-460, how might one be able to satisfy the PanOS requirement as device state restoration is required for migrations, when configurations are heavily managed via panorama policies?
pa-3020 max ver- 9.1.x
pa-460 min ver - 10.1.x
Determine the target PAN‐OS release—Before you Migrate to New Firewalls, ensure that the old
firewall is running the same PAN‐OS release and the same content release version as is installed on the
new firewall. If the old firewall does not support the PAN‐OS release that is installed on the new
firewall, you must ensure that the old firewall is no more than one feature release behind. For example,
if the new firewall is running PAN‐OS 8.0, then the old firewall must be running or upgraded to a
PAN‐OS 7.1 release before you migrate. If the old and new firewalls are not within one feature release,
you cannot use the device state export and import process to migrate due to schema changes that occur
from feature release to feature release.
08-23-2022 11:27 AM
I don't use device states since my configurations are kept in XML format and directly modified. I'm guessing since I don't have the lab equipment multiple versions behind like that to validate, but you should still be able to do exactly as you would with just the configuration export/import process. Import the device state and correct the validation errors that will be present following the import due to the version difference.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
