This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Migrate from PA-3050 to PA-3410

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Migrate from PA-3050 to PA-3410

StuartSharp
L1 Bithead

‎02-14-2023 09:09 AM

Hi, 


I've been tasked with migrating from PA-3050 to PA-3410. The 3050 is on a customers premises running PAN-OS 8.1.11 and the 3410 we have in our lab running 10.2 at the moment. I note I cannot downgrade the 3410 to anywhere near 8.1. Does that mean I will need to upgrade the 3050 to suitable 10.2 version before I can export the config? Can a 3050 even run version 10.2?

 

 

0 Likes Likes
12 REPLIES 12

OtakarKlier
Cyber Elite
Cyber Elite

‎02-14-2023 10:24 AM

Hello,

The highest the 3050 can go is version 9.x. Here is what I would try:

  1. Upgrade the 3050 as high as it can go, including dynamic updates
  2. Prep the 3410 as best you can
    1. Management interface, get all licenses and dynamic updates
  3. export the config and import it into the 3410, then check for errors misconfigs etc.
    1. One thing to note is interface types, make sure they are like to like or be ready to order SFP's or cables, etc.
      1. You can change the config around but this could get messy.

Hope this helps.

 

TomYoung
Cyber Elite
Cyber Elite

‎02-14-2023 11:24 AM

Hi @StuartSharp ,

 

I would love for you to try @OtakarKlier 's process and let us know how it works.  If you have any commit errors, the fix may be as simple as opening up the section in the GUI and filling in any missing parameters and commiting again.  If that becomes too painful, we can discuss other options.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

StuartSharp
L1 Bithead
In response to TomYoung

‎02-14-2023 11:46 AM

Thanks guys.

Another issue is the PA-3050s are currently in production and upgrading may be difficult.
0 Likes Likes

OtakarKlier
Cyber Elite
Cyber Elite

‎02-14-2023 02:34 PM

Hello,

Are they in HA? If not you might be able to use the Expedition tool? Or worst case, build by hand from scratch :(.

Regards,

0 Likes Likes

StuartSharp
L1 Bithead
In response to OtakarKlier

‎02-14-2023 11:41 PM - edited ‎02-15-2023 01:09 AM

Hi, thanks for reply. They are in HA. Does that rule out the use of Expedition?

0 Likes Likes

TomYoung
Cyber Elite
Cyber Elite

‎02-15-2023 02:36 AM - edited ‎02-15-2023 03:04 AM

Hi @StuartSharp ,

 

If the NGFWs are in HA, then upgrading them will cause much less down time.  Upgrading is preferred to make the config as similar as possible.  Upgrading production NGFWs is unavoidable and should become routine.

 

With regard to your other question, the following is the complete answer I have given to the question of replacing an older NGFW with a newer one when the PAN-OS is different.

 

  1. Panorama if you have it.  Replace the device or stage it by adding it to the same device group and template stack. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CljGCAS.  Panorama must be greater or equal PAN-OS.
  2. Expedition if you have the time to set it up and learn it.  The PANW migration tool, https://live.paloaltonetworks.com/t5/expedition/ct-p/migration_tool, saves a lot of time with migrations.  You can still have a few commit errors from Expedition, although it is rare.
  3. Find a spare PA NGFW that supports both 9.1 and 10.2 and use it.  In most cases any PA NGFW will do.  In rare cases, a few features will be missing if you use a lower end model.  You could even borrow an HA standby unit.
  4. Import the old PAN-OS XML file and be prepared to work through commit errors.  Some sections can be fixed on the GUI by filling in blanks or deleting and recreating.  Or you may want to use the CLI, which should show the incorrect parameter causing the error.  Some people on this community say the NGFW will convert it.  If the commit errors are few, this may be the easiest.  I have never tried it, and would like to hear if someone has done this.  (Edit:  Thanks @kbe !  He imported the device state and used the XML to fix the commit errors.)
  5. You could also cut-and-paste on the CLI and work through each error.  Ugh!

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.
0 Likes Likes

kbe
L3 Networker

‎02-15-2023 02:58 AM - edited ‎02-15-2023 03:02 AM

Done a migration from 3020 to 3410.

But no HA, no Panorama.

Interfaces where no problems between 3020 and 3410. I do not know the 3050, so please check before if interfacec match concerning numbering and type.

 

Bring the 3050 to the latest OS.

Export the config and export the device state.

Prepare the 3410, upgrade OS, upload apps update, etc. but do not put it in production environment.

 

Import the device state from 3050 (so all certs are also imported which are not part of the config).

Check config, name, mgmt IP,...

I had to correct some issues in the config directly in the xml but this was no big deal.

After device state import i got a commit error

Result

Failed

Details

  • Validation Error:
  • log-settings -> correlation unexpected here
  • log-settings is invalid
  • shared is invalid

Exported the running config, deleted something from correlation logs in the xml, imported the xml and then commit worked.

 

Biggest issue i had after putting it in production: Encryption worked but after some days any traffic went down and 3410 neede to be restarted. Thena same error after about 5-7 days.

It' s a known issue in 10.2.3 PAN-206005 when in decryption strip ALPN is not selected. Also have some trouble with daily PDF reports. TAC says it will be fixed in 10.2.4.

 

HTH

 

TomYoung
Cyber Elite
Cyber Elite

‎02-15-2023 03:01 AM

Hi @kbe ,

 

Thanks for sharing!

 

Tom

Help the community: Like helpful comments and mark solutions.

StuartSharp
L1 Bithead
In response to kbe

‎02-15-2023 03:07 AM

Great info, thank you

0 Likes Likes

StuartSharp
L1 Bithead

‎02-15-2023 06:51 AM

Me again. I've managed to get access to an up and running Expedition vm. However, when I go to add a device the 3400 series is missing from the PA models you can select when adding a device. I've upgraded Expedition to the latest version to no avail. 

 

Any advice on that? 

0 Likes Likes

TomYoung
Cyber Elite
Cyber Elite

‎02-15-2023 07:58 AM - edited ‎02-15-2023 11:15 AM

Hi @StuartSharp ,

 

There are a couple of solutions to this issue.

 

  1. You don't have to add a device to Expedition.  You can export the final config and import it into the NGFW.
  2. You can send an email to fwmigrate@paloaltonetworks.com and see if they can assist in adding the device.

https://live.paloaltonetworks.com/t5/expedition-articles/expedition-user-guide-v1-2/ta-p/285157

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.
0 Likes Likes

Tej_Savsani
L0 Member
In response to kbe

‎08-10-2023 09:46 AM

We have same issue when we are migrating from PA3220 to PA3410. we have followed below solution.

1) Export config from PA3410.

2) Open Config file on Editor (Notepad++) their is "correlation" config, remove that block [<correlation> ... </correlation>] and save it.

3) Load back new config file to firewall.

4) Validate config & commit... it's works.

 

  • 4118 Views
  • 12 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks