import device state order

ce1028 · ‎09-23-2020

Hi,

I've done this successfully in the past, but cannot remember the proper order. I have a PA-200 that I want to replace with a PA-220. The PA-220 is in Panorama, its a device group + template.

Should I

1) configure the PA-220 with basic ip connectivity to Panorama, add the serial add it to the device group, template, push the config and then import the device state

or

2) import device state on the PA-220 and then add the serial to panorama, put the device in the device group/template and then try to push the config?

I feel the order is important but can't remember

MikeC · ‎09-24-2020

Let's not make this more complicated than it needs to be

1) export device state from PA-200

2) take new PA-220, configure basic ip/dns settings, license it, make sure it's the same PAN-OS version as the PA-200, install dynamic updates

3) import device-state on PA-220

4) commit

5) add new serial to Panorama

6) add device to existing device group/template

7) commit to panorama, push config from panorama

Done.

View solution in original post

TravisC · ‎09-23-2020

I would recommend using the process documented in the article below.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CloRCAS

ce1028 · ‎09-23-2020

This would work if I was importing a firewall that was previously locally managed. The device state that I will be importing on the PA-220 will contain both local config and panorama config (from the PA-200)

TravisC · ‎09-23-2020

You could use set commands of XML XPath and partial config imports to get it done, but the easy path is still to use the steps in the web link with some additional steps added to the beginning.

On the PA-200

1. Export the running-config on the PA-200.

2. Go to Device > Setup > Management > Panorama Settings and click the gear in the upper right.

3. Click the option to Disable Panorama Policy and Objects and click the option to import the settings on the next popup.
4. Click the option to Disable Panorama Device and Network Template and click the option to import the settings on the next popup.

5. Once this has been completed, export the candidate-config.

6. Go to Device > Setup > Operations and click Revert to running configuration

On the PA-220

1. Import the candidate-config from the PA-200.

2. Make any changes needed to the configuration and then commit.

3. Follow steps in below link to import the device into Panorama under a new device group and template.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CloRCAS

ce1028 · ‎09-23-2020

@TravisC

Thanks for the response. Understood and this is normal, but for this specific customer, they already have a device group and template. They want the PA-220 to be in the existing template and device. The PA-200 has a mix of panorama and local config on it.

import device state order

import device state order

Show your appreciation!