Import PA-500 config on PA-3020?

L4 Transporter

We have a 500 that we're replacing with a 3020 which arrived today.

 

Should I need to do anything to migrate the config across other than an export and import of the running config?

 

I know some things like ports will clearly need addressing but in terms of getting the base config across is there anything I need to be particularly aware of please?

Accepted Solutions

Cyber Elite

you should be able to simply export and import the configuration and be up and running in minutes

 

one of the few caveats would be if FIPS mode is enabled or the master key has been changed, in which case appropriate steps need to be taken to get the PA-3020 in the same operational mode before moving config, but other than that there should be no issues

 

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization


@reaper wrote:

you should be able to simply export and import the configuration and be up and running in minutes

 

one of the few caveats would be if FIPS mode is enabled or the master key has been changed, in which case appropriate steps need to be taken to get the PA-3020 in the same operational mode before moving config, but other than that there should be no issues

 


Thanks, had a chat with an SE today who suggested the same, albeit Palo Alto seem very careful to use words like "should" rather than saying it will work.

 

The rough plan as of now is to set up the new 3020 using the management interface as if it's a brand new unit, so we'll activate licenses and update PANOS to the same as the 500, and ensure we have updates, then I'll pull the config across and see what happens when I hit commit.

 

Given the interfaces will match up I'm reasonably hopeful it'll go OK, just be nice if there was a bit firmer response from Palo Alto on what is/isn't officially recognised 🙂

Hi Admin,

 

as you properly noticed, if it is not listed in official documentation "should" is the best you will get 🙂

However, in practice, I have not experienced any major issues and I do import configurations very often (load configs from one device into another, non-matching models, for either a quick look or for replication).

There was a discussion with a bit more detail on hw upgrades and problems, shared here, explaining what might break, why, and what to do in such case.

 

As the 3020 has more interfaces than the 500, as long as you match all software updates and content versions, you should not see any problems, I would be surprised if you did. Problems I personally saw were almost always 2k or 4k into something else (as old boxes have more interfaces) or 5k into VM, or when importing multi-vsys configs into single-vsys devices, and I imported...lots of configurations 🙂

 

If you get stuck, let us know what happened or open a TAC case - you will hopefully have some time to test it and not merely hours/minutes to replace them. In the worst case, you can always open a TAC case in advance and submit a tech support file from your PA-500 asking TAC to check if they can import it without problems into their lab 3020 device.

 

Best regards,


Luciano

Thanks Luciano, so what I did was get both boxes on the same revision of all updates, then as you say simply exported and imported and then committed the config and it took it first time with no complaining or anything.

 

So right now the new box is sitting in the rack waiting for a window to cut across - seemed remarkably easy 🙂
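
A pre-flight check for the step the thread settles on (same software and content versions, same operational mode and vsys mode on both firewalls before the import), as an added example that is not part of any post above. It assumes the key names of `show system info` output; both captures are constructed sample data, and a changed master key is not covered by this check.

```python
import re

# Fields the thread says must line up before the import: PAN-OS release,
# content versions, FIPS/normal mode and single- vs multi-vsys.
# Key names are assumed to follow "show system info" output.
MUST_MATCH = ("sw-version", "app-version", "threat-version", "av-version",
              "operational-mode", "multi-vsys")

def parse_system_info(text):
    """Parse 'key: value' lines into a dict, skipping anything else."""
    info = {}
    for line in text.splitlines():
        m = re.match(r"\s*([a-z0-9-]+):\s*(.*?)\s*$", line)
        if m:
            info[m.group(1)] = m.group(2)
    return info

def preflight(old_text, new_text):
    """Return (field, old, new) for every field that differs or is missing."""
    old, new = parse_system_info(old_text), parse_system_info(new_text)
    return [(f, old.get(f), new.get(f)) for f in MUST_MATCH
            if old.get(f) is None or old.get(f) != new.get(f)]

# Constructed captures: the new unit has the right PAN-OS but stale content.
OLD_PA500 = """\
model: PA-500
sw-version: 7.1.10
app-version: 700-4000
av-version: 2300-2800
threat-version: 700-4000
multi-vsys: off
operational-mode: normal
"""

NEW_PA3020 = """\
model: PA-3020
sw-version: 7.1.10
app-version: 600-3500
av-version: 0
threat-version: 600-3500
multi-vsys: off
operational-mode: normal
"""

if __name__ == "__main__":
    for field, old, new in preflight(OLD_PA500, NEW_PA3020):
        print(f"MISMATCH {field}: old={old} new={new}")
```

An empty result means the listed fields agree; port and interface mapping still has to be reviewed separately, as the original question notes.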
