09-23-2020 08:59 AM
I've done this successfully in the past, but cannot remember the proper order. I have a PA-200 that I want to replace with a PA-220. The PA-220 is in Panorama, it's a device group + template.
1) configure the PA-220 with basic IP connectivity to Panorama, add the serial, add it to the device group and template, push the config and then import the device state
2) import device state on the PA-220 and then add the serial to Panorama, put the device in the device group/template and then try to push the config?
I feel the order is important but can't remember.
09-23-2020 01:06 PM - edited 09-23-2020 01:06 PM
Is the existing device group and template the same one as what the PA-200 has, or is it a different one and you need to add the PA-200's local config and panorama config to the already existing device group and template?
09-23-2020 08:25 PM
The existing device group/template is the one that the PA-200 is currently in. Want to add the PA-220 to that same device group and template. PA-220 currently has no config on it.
09-24-2020 05:40 AM - edited 09-24-2020 05:45 AM
If the PA-200 is the only device in its device group and template, I would still recommend importing the Panorama configuration into the PA-200 locally, importing the PA-200's candidate-config into the PA-220, then importing the entire PA-220 into Panorama. You can always delete the original PA-200 template and device group and rename the PA-220 template and device group to have the original name. This is the easiest way to complete the task.
If you cannot replace the existing template and device group with a new one, then you are left with the XML XPath option. The below link has information on how it works.
Steps for using XML XPath:
1. Export the running-config from the PA-200 and name it PA-200-config
2. Import the PA-200-config into Panorama.
3. Log into the CLI and use the load config partial command to load parts of the PA-200-config into specific locations of the panorama's configuration.
Note: The network and zone configuration doesn't really load well using the load config partial. I would recommend just manually configuring that into the template if you need to.
Example command for migrating NAT rules:
load config partial from-xpath /config/devices/entry/vsys/entry/rulebase/nat to-xpath /config/devices/entry/device-group/entry[@name='DeviceGroup']/post-rulebase/nat mode merge from PA200-config.xml
The load config partial option requires items to be imported in a very specific way. Applications, Application-Groups, Addresses, Address Groups, Services, and Service Groups all have to be loaded prior to loading a security or nat rule. Interfaces should be loaded prior to loading a NAT rule.
09-24-2020 03:12 PM - edited 09-24-2020 03:17 PM
Hi @ce1028 ,
If you load the device state it will override everything that is currently configured. So with the first approach you really don't need the last step (importing device state). Establishing basic connectivity between PA-220 and Panorama, assigning device group and template and push should do the work.
In your original post you didn't mention that the current firewall has Panorama and local config. This is a huge difference, as Panorama is not aware of the local config, so if you do the above it will only apply the Panorama config, but you will lose the local.
So in your case you need to perform the second approach - import device state (which will add Panorama and local config to the 220), establish connectivity to Panorama, assign group and template and push (the push should only sync the config in Panorama as the device state has already applied what is in Panorama).
You can prepare the firewall in advance to have minimal down time:
1. Export device state from PA-200
2. Without connecting the new fw to any network, import device state to PA-220
3. Change the mgmt ip address manually on the new PA-220
4. Connect only mgmt interface for PA-220 and establish connection with Panorama
5. Assign same group and template as the old PA-200 to the new PA-220 and push to sync
6. During maintenance, move the cables from the dataplane interfaces from 200 to PA-220
7. (Optional) Push config to PA-220 again with "Force template values" enabled to force the old mgmt IP (which probably is still in the template) onto the PA-220. Connection to Panorama should re-establish.
@TravisC your approach seems over-complicated and I am not really sure it will work. You always talk only about running and candidate config, but if the FW is managed by Panorama, the running config file will not contain the Panorama config, so if you import PA-200 running to PA-220 you will transfer only a small part of the config (only the PA-200 local config).
09-24-2020 04:04 PM
Exporting the candidate configuration from PA-200 is done after doing the 'Disable Panorama Policy and Objects' and 'Disable Panorama Device and Network Template' and clicking the option to import the settings on the next popup. This imports all of the Panorama configuration into the PA-200's candidate configuration as local config. The full configuration (Panorama pushed and local) can then be loaded into the PA-220, where you can then import all of the configuration into Panorama as a new device group and template using the automated method listed in: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CloRCAS
The XML XPath option is more complicated, but it allows you to pull pieces of the local configuration of the PA-200 directly into any device group or template and manage that from Panorama from that point on.