How to Migrate of existing config / rules from PA-3020 in a HA pair to PA-460 in a HA Pair

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Palo Alto Networks Approved
Palo Alto Networks Approved
Community Expert Verified
Community Expert Verified

How to Migrate of existing config / rules from PA-3020 in a HA pair to PA-460 in a HA Pair

L2 Linker

How to Migrate of existing config / rules from PA-3020 in a HA pair to PA-460 in a HA Pair?

1 accepted solution

Accepted Solutions

Cyber Elite
Cyber Elite

@ChirPatel,

The only real "issue" that you'll run into is interface changes if you're using interfaces on the PA-3020 that don't exist on the PA-460; not really an issue since you can just update that interface information in the GUI or find/replace it in the XML configuration file before you load it onto the PA-460. (IE: You're using ethernet1/18 on the PA-3020 that won't exist on the PA-460).

The actual configuration migration however can just be exported and loaded without issue. The validation process will catch anything that won't actually function on the PA-460 (like that interface problem mentioned above), so that you can go through and correct any of that. 

 

I'm partial to actually going through the configuration once you have it loaded on the PA-460 and ensuring that everything inputted is actually still needed. Hardware migrations are always a good time to verify that you don't have any unused objects configured, or any rulebase entries that aren't actually needed anymore. 

 

Take a look at this migration guide: https://docs.paloaltonetworks.com/content/dam/techdocs/en_US/pdf/hardware/migration/firewall-migrati...

View solution in original post

4 REPLIES 4

Cyber Elite
Cyber Elite

@ChirPatel,

The only real "issue" that you'll run into is interface changes if you're using interfaces on the PA-3020 that don't exist on the PA-460; not really an issue since you can just update that interface information in the GUI or find/replace it in the XML configuration file before you load it onto the PA-460. (IE: You're using ethernet1/18 on the PA-3020 that won't exist on the PA-460).

The actual configuration migration however can just be exported and loaded without issue. The validation process will catch anything that won't actually function on the PA-460 (like that interface problem mentioned above), so that you can go through and correct any of that. 

 

I'm partial to actually going through the configuration once you have it loaded on the PA-460 and ensuring that everything inputted is actually still needed. Hardware migrations are always a good time to verify that you don't have any unused objects configured, or any rulebase entries that aren't actually needed anymore. 

 

Take a look at this migration guide: https://docs.paloaltonetworks.com/content/dam/techdocs/en_US/pdf/hardware/migration/firewall-migrati...

L2 Linker

Thanks That worked for us, few issues related to HA port, Log allocation, barring that everything worked.

L1 Bithead

@BPry - when upgrading PA-3020 to PA-460, how might one be able to satisfy the PanOS requirement as device state restoration is required for migrations, when configurations are heavily managed via panorama policies?

pa-3020 max ver- 9.1.x

pa-460 min ver - 10.1.x

 

Determine the target PAN‐OS release—Before you Migrate to New Firewalls, ensure that the old
firewall is running the same PAN‐OS release and the same content release version as is installed on the
new firewall. If the old firewall does not support the PAN‐OS release that is installed on the new
firewall, you must ensure that the old firewall is no more than one feature release behind. For example,
if the new firewall is running PAN‐OS 8.0, then the old firewall must be running or upgraded to a
PAN‐OS 7.1 release before you migrate. If the old and new firewalls are not within one feature release,
you cannot use the device state export and import process to migrate due to schema changes that occur
from feature release to feature release.

Cyber Elite
Cyber Elite

@Brian-Thomas,

I don't use device states since my configurations are kept in XML format and directly modified. I'm guessing since I don't have the lab equipment multiple versions behind like that to validate, but you should still be able to do exactly as you would with just the configuration export/import process. Import the device state and correct the validation errors that will be present following the import due to the version difference. 

  • 1 accepted solution
  • 9369 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!