Migrate Config between PA-500 and PA-2050

L1 Bithead

Hello,

We own a PA-500 firewall but are some versions behind in the OS. Now we want to update it but got a downtime estimate from our local Palo Alto vendor of 8 hours (from version 5 to 8). Since we have some 24/7 call centers in house, such a long downtime is not an option.

We have the option to get a used PA-2050 for pretty cheap and I'd like to know if it's possible to migrate the config hassle-free between those two firewalls over the config-snapshot export/import, or if there are any problems between different models. This way we could just copy the config and let the second model run for the time needed for the update.


Thanks for any advice someone could give me


7 REPLIES

L6 Presenter

Hi,

1) Both devices must be on the same PAN-OS

2) Physical interface mapping must match

3) Make sure your licences are activated on the 2050, especially URL filtering (if you use any)

4) Export config from the 500 and import it to the 2050

5) Use the option "validate changes" before commit. This will give you a good indication if there are any errors

[Screenshot: SS.png]

6) Send GARP out when the devices are swapped

Thank you very much!

I just have some follow-up questions.

Is a support contract a requirement to update the OS version? Because the used 2050 is end-of-life and, according to the "second-market policy" of Palo Alto, end-of-life devices don't get any new license activations or support. So we couldn't get it to the same version if that's required.


Cyber Elite

@TranceforLife gave you all of the right technical details of what you would need to do. You will need to edit the configuration to get the interfaces to line up since you gain interfaces on the PA-2050 that you wouldn't have had on the PA-500; that is simple enough to do.

One thing that I would bring up is if you really want to be purchasing a used PA-2050 to bring things in line, or if you would benefit from getting an additional PA-500 and having an HA setup? The PA-2050 is a pretty decent upgrade over the PA-500 but you are locking yourself into the same exact issue that you have currently; eventually you are going to be severely out of date again and you will have to repeat the process.

BTW: Just as a side note, I really hope your vendor is not recommending you upgrade to 8 already if you can't afford downtime. I would strongly advise that you stop at the latest 7.1.* and not continue to 8 if you have 24/7 call centers that can't live with downtime. PAN-OS 8 is still very much early in its lifecycle and has enough bugs in the build that I wouldn't run it in production, let alone production in a 24/7 environment.

If you do have access to the support portal (using the account from another device) you "might" be able to download the PAN-OS manually and install it.

The used PA-2050 is not meant to stay online longer than the update process needs. It's just a quarter of the money our vendor would take to send us a technician who would do the upgrade, AND he wouldn't bring a second device to have the smallest downtime possible. The added power is not really needed and since it's EoL we couldn't get any licences onto the machine (we only have threat prevention, as far as I'm informed).

So we would just keep it to have a backup and for future OS updates.

The point with the 8 is good to know. Thanks for that and your input.

@lenmar honestly I would start looking at another vendor at that point. We always had 'emergency' replacement equipment on hand that was generally equipment either used for demonstration or equipment left from upgrades. We commonly used this in these types of situations to minimize downtime with a very small or no fee. It doesn't really sound like your vendor is giving you a 'value add' at all.

The config migration may get a little more complicated at that point, but your vendor should be able to grab PAN-OS files for whatever exact version you are running on the PA-500 so that you can match on the PA-2050. Then migrate the config and put it in place and you would be up and running. If they can't get you the files then you would have to do an indirect migration; you can do it by either rebuilding your current config on the PA-2050, and it really shouldn't cause any issues, or you could manipulate the XML directly, it just gets to be more work. If you have a pretty complicated/large config on the PA-500 then I would look at an XML manipulation upgrade to prevent you from having to actually rebuild the configuration at all; if it's a smaller config then it would likely be less time consuming to actually rebuild the config by hand on the PA-2050.

As a little wrap-up: Yes, you need a support contract to update a machine. Couldn't get the 2050 to the same OS level as the 500 since updates couldn't be loaded onto the 2050. Our vendor could only provide us with update packages for the 500.

Just copied the config step by step with an XML editor and had to work around some missing functions and change numbers and structure of the XML (e.g. PAN-OS 4 can only handle 10 proxy-IDs per tunnel but we sometimes had way more). Config is now up and running.

Thanks for your help 🙂
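The two manual steps the replies above describe, lining the PA-500 interfaces up with the PA-2050 ports and catching IPsec tunnels with more than 10 proxy-IDs before the import, can be scripted against the exported XML. The following is an added example, not code from the thread or from Palo Alto Networks; it assumes the element paths of a PAN-OS XML export (`network/interface/ethernet`, `network/virtual-router`, `network/tunnel/ipsec/.../proxy-id`, `vsys/.../zone`, `vsys/.../import`), uses a constructed sample config, and takes the limit of 10 proxy-IDs from the final post rather than from any product documentation. The idea is to fix the interface references in one pass and to get a list of tunnels that still need splitting by hand before "validate changes" is run on the 2050.

```python
import xml.etree.ElementTree as ET
from typing import Optional

# Constructed sample in the shape of a PAN-OS XML config export (element paths are
# assumed from the layout of such exports; this is not a real device configuration).
# The IPsec tunnel "site-b" deliberately carries 12 proxy-IDs, above the limit of 10
# that the thread reports for PAN-OS 4.
_PROXY_IDS = "".join(
    f'<entry name="proxy-{i}"><local>10.0.{i}.0/24</local><remote>192.168.{i}.0/24</remote></entry>'
    for i in range(1, 13)
)

SAMPLE_CONFIG = f"""<config version="5.0.0">
  <devices><entry name="localhost.localdomain">
    <network>
      <interface><ethernet>
        <entry name="ethernet1/1"><layer3><ip><entry name="203.0.113.2/24"/></ip></layer3></entry>
        <entry name="ethernet1/2"><layer3><ip><entry name="10.0.0.1/24"/></ip></layer3></entry>
      </ethernet></interface>
      <virtual-router><entry name="default"><interface>
        <member>ethernet1/1</member><member>ethernet1/2</member>
      </interface></entry></virtual-router>
      <tunnel><ipsec><entry name="site-b">
        <tunnel-interface>tunnel.1</tunnel-interface>
        <auto-key><proxy-id>{_PROXY_IDS}</proxy-id></auto-key>
      </entry></ipsec></tunnel>
    </network>
    <vsys><entry name="vsys1">
      <zone>
        <entry name="untrust"><network><layer3><member>ethernet1/1</member></layer3></network></entry>
        <entry name="trust"><network><layer3><member>ethernet1/2</member></layer3></network></entry>
      </zone>
      <import><network><interface>
        <member>ethernet1/1</member><member>ethernet1/2</member>
      </interface></network></import>
    </entry></vsys>
  </entry></devices>
</config>"""


def load_config(xml_text: str) -> ET.Element:
    """Parse an exported config into an element tree root."""
    return ET.fromstring(xml_text)


def _target(name: str, mapping: dict) -> Optional[str]:
    """Map a physical interface, keeping any subinterface suffix (ethernet1/1.10)."""
    base, dot, vlan = name.partition(".")
    new = mapping.get(base)
    return None if new is None else new + dot + vlan


def remap_interfaces(root: ET.Element, mapping: dict) -> int:
    """Rename the <ethernet> interface definitions and every textual reference to
    them (zone members, vsys imports, virtual-router interface lists, ...).
    Returns the number of elements changed."""
    changed = 0
    for entry in root.iterfind(".//network/interface/ethernet/entry"):
        new = _target(entry.get("name", ""), mapping)
        if new is not None:
            entry.set("name", new)
            changed += 1
    for elem in root.iter():
        if elem.text is None:
            continue
        new = _target(elem.text.strip(), mapping)
        if new is not None:
            elem.text = new
            changed += 1
    return changed


def count_refs(root: ET.Element, name: str) -> int:
    """Count interface definitions plus textual references to one interface name."""
    defs = sum(1 for e in root.iterfind(".//network/interface/ethernet/entry") if e.get("name") == name)
    refs = sum(1 for e in root.iter() if e.text and e.text.strip() == name)
    return defs + refs


def proxy_id_violations(root: ET.Element, limit: int = 10) -> list:
    """Return [(tunnel_name, count)] for IPsec tunnels carrying more proxy-IDs than `limit`."""
    out = []
    for tun in root.iterfind(".//network/tunnel/ipsec/entry"):
        n = len(tun.findall("./auto-key/proxy-id/entry"))
        if n > limit:
            out.append((tun.get("name"), n))
    return out


def migrate(xml_text: str, mapping: dict, proxy_id_limit: int = 10):
    """Remap interfaces and return (new_xml, changes, violations); the violations are
    the tunnels the operator must split by hand before importing and validating."""
    root = load_config(xml_text)
    changes = remap_interfaces(root, mapping)
    violations = proxy_id_violations(root, proxy_id_limit)
    return ET.tostring(root, encoding="unicode"), changes, violations


if __name__ == "__main__":
    # Constructed mapping: the PA-500 uplink and LAN ports move to other ports on the PA-2050.
    new_xml, changes, bad = migrate(SAMPLE_CONFIG, {"ethernet1/1": "ethernet1/5", "ethernet1/2": "ethernet1/6"})
    print(f"{changes} interface definitions/references rewritten")
    for name, n in bad:
        print(f"tunnel {name}: {n} proxy-IDs, over the limit of 10, split it before import")
```

Textual matching is used deliberately so that references in places the script does not know about (routes, policies, IKE gateways) are still rewritten; after the import, "validate changes" on the 2050 remains the authoritative check for anything the script missed.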

  • 2 accepted solutions
  • 3794 Views
  • 7 replies
  • 0 Likes