- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
08-14-2018 11:51 PM - edited 08-14-2018 11:53 PM
Hi all,
I am trying to migrate one of our customers from a PA-200 to a PA-220 AND add create an HA cluster with active/passive configuration with two PA-220's
I was wondering, what approach would you take in regard to achieving the above outcome?
1. Would you first configure the PA-220 in an HA configuration then migrate the configuration to the primary/active firewall in the HA cluster and perform a synchronization?
OR
2. Would you first migrate the configuration from the 200 to 220, confirm the configuration is restored correctly and then setup the HA Cluster?
Any help would be appreciated. Even if you could point me to some resources I could use, that would be very helpful. I've gone through a few guides and videos on how to configure HA Cluster but trying to figure out the best and the safest approach to achieve this.
Regards,
08-15-2018 12:21 AM
(this assumes that you will use the same dataplane interfaces on the pa-220 as on the pa-200)
08-15-2018 05:43 AM
Exactly as @Remo mentioned. Since your not going to a different series where your interfaces change I'm assuming that everything will stay exactly the same on the 220 as it was configured on the 200.
Just to make the import easier and lessen any issues, get both devices on the same PAN-OS version prior to doing the configuration export/import process. So essentially upgrade the PA-200 to whatever version you're going to start out with on the PA-220, and then do the import/export.
The only caviat to this process is if you've changed the master key on your old unit (and you should have), the phash values and other encrypted elements of the configuration aren't going to match anymore. To fix this the PA-220 will need to have the same master key or you'll want to ensure that you create a new user before committing the imported configuration so that you have a superuser account you can actually login to and get the imported users to change there passwords.
08-15-2018 12:21 AM
(this assumes that you will use the same dataplane interfaces on the pa-220 as on the pa-200)
08-15-2018 05:43 AM
Exactly as @Remo mentioned. Since your not going to a different series where your interfaces change I'm assuming that everything will stay exactly the same on the 220 as it was configured on the 200.
Just to make the import easier and lessen any issues, get both devices on the same PAN-OS version prior to doing the configuration export/import process. So essentially upgrade the PA-200 to whatever version you're going to start out with on the PA-220, and then do the import/export.
The only caviat to this process is if you've changed the master key on your old unit (and you should have), the phash values and other encrypted elements of the configuration aren't going to match anymore. To fix this the PA-220 will need to have the same master key or you'll want to ensure that you create a new user before committing the imported configuration so that you have a superuser account you can actually login to and get the imported users to change there passwords.
08-15-2018 04:29 PM - edited 08-15-2018 04:33 PM
07-30-2020 12:12 AM
can you please send step by step details?
i have PA 220 and configure another 2 new Palo alto with same model PA220 with HA pair.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!