09-11-2024 02:25 AM
Hello folks,
i need to migrate from PA-5250 to PA-5410, the old devices are managed via panorama using stack and stack template, the new devices are reachable with no configuration other than the management.
What is the best way to move the configuration from the PA-5250 to the new PA-5410 with less effort?
Can i just add the 5410 in the existent template stack and push all the configuration?
Following a screenshot of the actual template stack.
I'm not expert in template so i need some help.
Thank you
Bye
09-11-2024 04:56 AM
Hello @MAerre
thanks for post!
Yes, adding a new PA-5410 to existing Template Stack should be enough to push the configuration. I have done a few similar migrations in the past and except of some corner cases I have not faced any major issue.
Below are my thoughts how I would proceed with the migration.
1.) Make sure that new PA-5410 has all licenses / subscriptions activated. Also make sure that it has latest App/Threat package installed and running preferred PAN-OS.
2.) Add PA-5410 to the same Template Stack as PA-5250. Also do not forget to place PA-5410 to the same Device Group. Push Template and Device group configuration. If you are using Panorama also for collecting logs, do not forget to add PA-5410 to Panorama's log collector.
3.) Arrange maintenance window for cut over and move data plane cables from PA-5250 interfaces to PA-5410 interfaces. Be ready to clear ARP table in Layer 3 switch in the case GARP does not work.
4.) Clean up PA-5250 configuration from Panorama and decommission device.
Kind Regards
Pavel
09-11-2024 05:00 AM
Hi @MAerre ,
You should export and import the NGFW configuration 1st. This will migrate any local configuration. You will change the management IP address, of course. Then you can connect it to Panorama; add it to the same device group and template stack; and push the config. That should do it.
Thanks,
Tom
09-12-2024 01:52 AM
Hello @PavelK,
thank you for you advises; following this procedure will configure the same interfaces used on the PA-5250 to PA-5410?
once i push the configuration will the actual management settings be overwritten on PA-5410?
Thank you
09-12-2024 05:02 AM
Hi @MAerre ,
Yes, the procedure will configure the same interfaces. Interfaces 5-8 are SFP+ on the PA-5200 and copper on the PA-5400. You may need to change those. If those interfaces are configured in a template, you may need a new template.
I strongly recommend adding step 1 to @PavelK 's list export and import the config from the old to the new NGFW. You may have some items configured locally. This process will only migrate the local configuration on the NGFW. You will need to change the management interface before commit.
Thanks,
Tom
09-12-2024 07:13 AM
Thanks @TomYoung ,
tommorrow i'll do the configuration and let you know if it works or not 😉
meanwhile thanks for the advice
09-13-2024 07:24 AM
Hello,
just another question:
in the exported config i have this string:
<config version="10.2.0" urldb="paloaltonetworks" detail-version="10.2.8">
but new devices are on 10.2.7-h8, do i just need to replace this version in the string above?
can i also change the interfaces directly from the following config without create a new template:
<entry name="VWIRE-1">
<interface>
<member>ethernet1/5</member>
<member>ethernet1/6</member>
</interface>
<failure-condition>all</failure-condition>
</entry>
<entry name="VWIRE-2">
<interface>
<member>ethernet1/7</member>
<member>ethernet1/8</member>
thank you
regards
09-13-2024 07:27 AM
The detail-version version doesn't matter if it's not accurate, but you can also just change it without consequence before you upload the configuration to the device without any issue.
You can change the interface in the configuration without issue, just make sure you search for all instances of the interface that you're changing and update it throughout the configuration. You'll have some additional imports that need to be updated as well and the actual interface configuration outside of the snippit that you have shared.
09-13-2024 07:33 AM
Hi @BPry ,
the configuration is the same except for the management ip, the hostname and the interfaces used in the virtual-wire, all the other settings are the same.
the i 'll follow the procedure written before and should be ok.
thank you
Regards
09-20-2024 01:56 AM
Hi guys,
i wal able to do what you said but i'm receiving some errors from panorama:
Details:
. Validation Error:
. vsys -> vsys2 -> rulebase -> security -> rules -> BLOCK_EDL_IN -> source 'panw-bulletproof-ip-list' is not an allowed keyword
. vsys -> vsys2 -> rulebase -> security -> rules -> BLOCK_EDL_IN -> source panw-bulletproof-ip-list is an invalid ipv4/v6 address
. vsys -> vsys2 -> rulebase -> security -> rules -> BLOCK_EDL_IN -> source panw-bulletproof-ip-list invalid range start IP
. vsys -> vsys2 -> rulebase -> security -> rules -> BLOCK_EDL_IN -> source 'panw-bulletproof-ip-list' is not a valid reference
. vsys -> vsys2 -> rulebase -> security -> rules -> BLOCK_EDL_IN -> source is invalid
. Warning: No valid threat content package exists
. Warning: No valid Antivirus content package exists
. fw-Domain (vsys2)
. Error: Failed to find address 'panw-bulletproof-ip-list'
. Error: Unknown address 'panw-bulletproof-ip-list'
. Error: Failed to parse security policy
. (Module: device)
. client device phase 1 failure
. Commit failed
. External Dynamic List Talos list is configured with no certificate profile. Please select a certificate profile for performing server certificate validation.
. External Dynamic List github list is configured with no certificate profile. Please select a certificate profile for performing server certificate validation.
. EDL(vsys2/github list ip) Downloaded file is not a text file.
i can't understand why i have this output, in the old template and on old devices this error is not present.....
any idea?
09-20-2024 02:06 AM
Hello @MAerre
As @PavelK mentioned, you need to "1.) Make sure that new PA-5410 has all licenses / subscriptions activated. Also make sure that it has latest App/Threat package installed and running preferred PAN-OS."
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PNZgCAO
09-20-2024 02:23 AM - edited 09-20-2024 02:29 AM
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
