Migrate from PA-3050 to PA-3410

Hi @StuartSharp ,

I would love for you to try @OtakarKlier 's process and let us know how it works.  If you have any commit errors, the fix may be as simple as opening up the section in the GUI and filling in any missing parameters and commiting again.  If that becomes too painful, we can discuss other options.

Thanks,

Tom

Hello,

Are they in HA? If not you might be able to use the Expedition tool? Or worst case, build by hand from scratch :(.

Regards,

Hi @StuartSharp ,

08/29/24 UPDATE:  I replaced a PA-3060 on PAN-OS 9.1 with a PA-1410 on PAN-OS 11.0.  Step #4 - Export and import the configuration worked great!  I don't remember if I got any commit errors.  If I did, I probably just opened the configuration window related to the error and saved.  The NGFW upgraded the config syntax great!  The only issue I had was the master key was configured on the PA-3060, and I needed to configure it on the PA-1410 before I imported the configuration.  Sorry that I made the following steps more complicated than they needed to be.

If the NGFWs are in HA, then upgrading them will cause much less down time.  Upgrading is preferred to make the config as similar as possible.  Upgrading production NGFWs is unavoidable and should become routine.

With regard to your other question, the following is the complete answer I have given to the question of replacing an older NGFW with a newer one when the PAN-OS is different.

1. Panorama if you have it.  Replace the device or stage it by adding it to the same device group and template stack. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CljGCAS.  Panorama must be greater or equal PAN-OS.
2. Expedition if you have the time to set it up and learn it.  The PANW migration tool, https://live.paloaltonetworks.com/t5/expedition/ct-p/migration_tool, saves a lot of time with migrations.  You can still have a few commit errors from Expedition, although it is rare.
3. Find a spare PA NGFW that supports both 9.1 and 10.2 and use it.  In most cases any PA NGFW will do.  In rare cases, a few features will be missing if you use a lower end model.  You could even borrow an HA standby unit.
4. Import the old PAN-OS XML file and be prepared to work through commit errors.  Some sections can be fixed on the GUI by filling in blanks or deleting and recreating.  Or you may want to use the CLI, which should show the incorrect parameter causing the error.  Some people on this community say the NGFW will convert it.  If the commit errors are few, this may be the easiest.  I have never tried it, and would like to hear if someone has done this.  (Edit:  Thanks @kbe !  He imported the device state and used the XML to fix the commit errors.)
5. You could also cut-and-paste on the CLI and work through each error.  Ugh!

Thanks,

Tom

Done a migration from 3020 to 3410.

But no HA, no Panorama.

Interfaces where no problems between 3020 and 3410. I do not know the 3050, so please check before if interfacec match concerning numbering and type.

Bring the 3050 to the latest OS.

Export the config and export the device state.

Prepare the 3410, upgrade OS, upload apps update, etc. but do not put it in production environment.

Import the device state from 3050 (so all certs are also imported which are not part of the config).

Check config, name, mgmt IP,...

I had to correct some issues in the config directly in the xml but this was no big deal.

After device state import i got a commit error

Result

Failed

Details

• Validation Error:
• log-settings -> correlation unexpected here
• log-settings is invalid
• shared is invalid

Exported the running config, deleted something from correlation logs in the xml, imported the xml and then commit worked.

Biggest issue i had after putting it in production: Encryption worked but after some days any traffic went down and 3410 neede to be restarted. Thena same error after about 5-7 days.

It' s a known issue in 10.2.3 PAN-206005 when in decryption strip ALPN is not selected. Also have some trouble with daily PDF reports. TAC says it will be fixed in 10.2.4.

HTH

Hi @kbe ,

Thanks for sharing!

Tom

Me again. I've managed to get access to an up and running Expedition vm. However, when I go to add a device the 3400 series is missing from the PA models you can select when adding a device. I've upgraded Expedition to the latest version to no avail. 

Any advice on that? 

Hi @StuartSharp ,

There are a couple of solutions to this issue.

1. You don't have to add a device to Expedition.  You can export the final config and import it into the NGFW.
2. You can send an email to fwmigrate@paloaltonetworks.com and see if they can assist in adding the device.

https://live.paloaltonetworks.com/t5/expedition-articles/expedition-user-guide-v1-2/ta-p/285157

Thanks,

Tom