Migrating from PA-200 to 220 with HA

L0 Member

Hi all,

 

I am trying to migrate one of our customers from a PA-200 to a PA-220 and create an HA cluster with an active/passive configuration with two PA-220s.

 

I was wondering, what approach would you take in regard to achieving the above outcome?

 

1. Would you first configure the PA-220 in an HA configuration then migrate the configuration to the primary/active firewall in the HA cluster and perform a synchronization?

OR

2. Would you first migrate the configuration from the 200 to 220, confirm the configuration is restored correctly and then setup the HA Cluster?

 

Any help would be appreciated. Even if you could point me to some resources I could use, that would be very helpful. I've gone through a few guides and videos on how to configure HA Cluster but trying to figure out the best and the safest approach to achieve this.

 

Regards,

 

Accepted Solutions

L7 Applicator
  1. Basic setup for the first PA-220 (MGMT Interface, Licenses, Dynamic Updates)
  2. Export the config from the PA-200 and import it to the PA-220. Before you commit, make sure that you change the mgmt IP to the one set in step 1 (so that you don't have two devices with the same IP)
  3. Set up HA on the first PA-220
  4. Set up HA on the second PA-220
  5. Do a configuration sync from the first to the second PA-220
  6. ... and you should be good to go to replace the PA-200 with the PA-220 cluster

(this assumes that you will use the same dataplane interfaces on the PA-220 as on the PA-200)


@MihirL,

Exactly as @Remo mentioned. Since you're not going to a different series where your interfaces change, I'm assuming that everything will stay exactly the same on the 220 as it was configured on the 200.

Just to make the import easier and lessen any issues, get both devices on the same PAN-OS version prior to doing the configuration export/import process. So essentially upgrade the PA-200 to whatever version you're going to start out with on the PA-220, and then do the import/export.

 

The only caveat to this process is if you've changed the master key on your old unit (and you should have), the phash values and other encrypted elements of the configuration aren't going to match anymore. To fix this, the PA-220 will need to have the same master key, or you'll want to ensure that you create a new user before committing the imported configuration so that you have a superuser account you can actually log in to and get the imported users to change their passwords.

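An added example, not part of the original thread and not Palo Alto Networks tooling: a pre-commit check over the exported configuration that covers the three points raised in the two answers above (matching PAN-OS version, management IP set in step 1, and a superuser created on the new unit in case the imported phash values no longer validate). The XML element paths, the constructed sample export, and the names `precommit_findings` and `fresh_admins` are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample of an exported PA-200 configuration (not real data).
# The element layout is an assumption about the exported XML.
SAMPLE_EXPORT = """<config version="8.0.0">
  <mgt-config><users>
    <entry name="admin">
      <phash>CONSTRUCTED-HASH</phash>
      <permissions><role-based><superuser>yes</superuser></role-based></permissions>
    </entry>
    <entry name="auditor">
      <phash>CONSTRUCTED-HASH</phash>
      <permissions><role-based><superreader>yes</superreader></role-based></permissions>
    </entry>
  </users></mgt-config>
  <devices><entry name="localhost.localdomain"><deviceconfig><system>
    <hostname>fw-old</hostname>
    <ip-address>192.0.2.10</ip-address>
  </system></deviceconfig></entry></devices>
</config>"""


def precommit_findings(xml_text, new_mgmt_ip, target_version, fresh_admins=()):
    """Return a list of problems to fix before committing the imported config.

    fresh_admins: names of accounts whose password was set on the PA-220
    itself, so they do not depend on the old unit's master key.
    """
    root = ET.fromstring(xml_text)
    findings = []

    # Both devices should be on the same PAN-OS version before export/import.
    version = root.get("version", "")
    if version != target_version:
        findings.append(f"version: export is {version or 'unknown'}, target is {target_version}")

    # The imported config must not bring the old unit's management IP along.
    for ip in root.findall("./devices/entry/deviceconfig/system/ip-address"):
        if (ip.text or "").strip() != new_mgmt_ip:
            findings.append(f"mgmt-ip: import carries {ip.text}, expected {new_mgmt_ip}")

    # At least one superuser must have been created on the new unit.
    superusers = [e.get("name") for e in root.findall("./mgt-config/users/entry")
                  if e.findtext("./permissions/role-based/superuser") == "yes"]
    if not any(name in fresh_admins for name in superusers):
        findings.append("admin: no superuser created on the PA-220; imported phash values may not validate")
    return findings


if __name__ == "__main__":
    for line in precommit_findings(SAMPLE_EXPORT, "192.0.2.20", "8.1.0"):
        print(line)
```

Run it against the candidate configuration after editing and before the commit; an empty list means none of the three conditions is outstanding.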

4 REPLIES

@Remo Thank you. I will follow this process.

@BPry Thank you for pointing this out. Will make sure that we have a superuser account configured on the 220 to have full access to the devices.

Can you please send step-by-step details?
I have a PA 220 and configure another 2 new Palo Alto with same model PA220 with HA pair.
