Migrating from PA-5250 to PA-5410

Hello folks,

 

I need to migrate from PA-5250 to PA-5410. The old devices are managed via Panorama using a template stack; the new devices are reachable with no configuration other than the management interface.

What is the best way to move the configuration from the PA-5250 to the new PA-5410 with the least effort?

Can I just add the 5410 to the existing template stack and push all the configuration?

Following is a screenshot of the current template stack.

I'm not an expert in templates, so I need some help.

 

Thank you

[Screenshot attached: PA.jpg]

Bye


Hello @MAerre

 

thanks for the post!

 

Yes, adding the new PA-5410 to the existing Template Stack should be enough to push the configuration. I have done a few similar migrations in the past and, except for some corner cases, I have not faced any major issues.

 

Below are my thoughts on how I would proceed with the migration.

 

1.) Make sure that the new PA-5410 has all licenses / subscriptions activated. Also make sure that it has the latest App/Threat package installed and is running the preferred PAN-OS.

 

2.) Add the PA-5410 to the same Template Stack as the PA-5250. Also do not forget to place the PA-5410 in the same Device Group. Push the Template and Device Group configuration. If you are also using Panorama for collecting logs, do not forget to add the PA-5410 to Panorama's log collector.

 

3.) Arrange a maintenance window for the cutover and move the data plane cables from the PA-5250 interfaces to the PA-5410 interfaces. Be ready to clear the ARP table on the Layer 3 switch in case GARP does not work.

 

4.) Clean up the PA-5250 configuration in Panorama and decommission the device.

 

Kind Regards

Pavel

Help the community: Like helpful comments and mark solutions.
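Steps 1 and 2 above, scripted against the Panorama XML API, as an added example that is not part of the original thread and not code from Palo Alto Networks. The Panorama hostname, API key, serial number, stack and device-group names, and the `show system info` response are constructed placeholders; the xpaths and `commit-all` bodies follow the public XML API documentation as I remember it, so verify them against your PAN-OS release before relying on them. The push is scoped to the new serial only, so the PA-5250 is not touched, and the pre-flight check catches the missing-content-package condition that breaks the first commit.

```python
"""Onboard a replacement firewall into an existing Panorama template stack
and device group via the PAN-OS XML API, with a content-package pre-flight.

Added example; not from the thread or from Palo Alto Networks. Hostname,
serial, stack/device-group names and SAMPLE_SYSINFO are assumptions.
"""
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

PANORAMA = "https://panorama.example.internal"  # assumption
LOCALHOST = "/config/devices/entry[@name='localhost.localdomain']"

# Constructed 'show system info' reply for a box with only an App package.
SAMPLE_SYSINFO = """<response status="success"><result><system>
<serial>0123456789</serial><sw-version>10.2.7-h8</sw-version>
<app-version>8800-8000</app-version><threat-version>0</threat-version>
<av-version>0</av-version></system></result></response>"""


def set_request(api_key, xpath, element):
    """Return (url, params) for a 'type=config&action=set' call."""
    return f"{PANORAMA}/api/", {"type": "config", "action": "set",
                                "key": api_key, "xpath": xpath,
                                "element": element}


def add_to_template_stack(api_key, stack, serial):
    return set_request(api_key,
                       f"{LOCALHOST}/template-stack/entry[@name='{stack}']/devices",
                       f"<entry name='{serial}'/>")


def add_to_device_group(api_key, dg, serial):
    return set_request(api_key,
                       f"{LOCALHOST}/device-group/entry[@name='{dg}']/devices",
                       f"<entry name='{serial}'/>")


def push_requests(api_key, dg, stack, serial):
    """Device-group push then template-stack push, both limited to `serial`.
    Command shapes are per the XML API docs (assumption: verify on your release)."""
    dg_cmd = (f"<commit-all><shared-policy><device-group><entry name='{dg}'>"
              f"<devices><entry name='{serial}'/></devices></entry>"
              f"</device-group></shared-policy></commit-all>")
    ts_cmd = (f"<commit-all><template-stack><name>{stack}</name>"
              f"<device><member>{serial}</member></device>"
              f"</template-stack></commit-all>")
    return [(f"{PANORAMA}/api/", {"type": "commit", "action": "all",
                                  "key": api_key, "cmd": cmd})
            for cmd in (dg_cmd, ts_cmd)]


def parse_response(xml_text):
    """Raise on status='error'; return the job id (or message text) on success."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        lines = [t.strip() for t in root.itertext() if t.strip()]
        raise RuntimeError("Panorama API error: " + " | ".join(lines))
    return root.findtext(".//job") or " ".join(
        t.strip() for t in root.itertext() if t.strip())


def content_gaps(sysinfo_xml):
    """Step 1 pre-flight: content packages reported as absent in 'show system
    info' (assumption: PAN-OS reports version 0 when none is installed)."""
    root = ET.fromstring(sysinfo_xml)
    return [tag for tag in ("app-version", "threat-version", "av-version")
            if (root.findtext(f".//{tag}") or "0").strip() in ("0", "", "unknown")]


def send(url, params):
    """Live call (not exercised here). Keep certificate verification on."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(params).encode(),
                                 method="POST")
    with urllib.request.urlopen(req, context=ssl.create_default_context(),
                                timeout=60) as resp:
        return parse_response(resp.read().decode())


if __name__ == "__main__":
    gaps = content_gaps(SAMPLE_SYSINFO)
    if gaps:
        print("install content before the first push, missing:", gaps)
    for url, params in [add_to_template_stack("KEY", "STACK-PROD", "0123456789"),
                        add_to_device_group("KEY", "DG-PROD", "0123456789"),
                        *push_requests("KEY", "DG-PROD", "STACK-PROD", "0123456789")]:
        print(params["type"], params.get("xpath") or params.get("cmd"))
```

Run the pre-flight first; if `content_gaps` reports `threat-version` or `av-version`, the device-group push will fail validation with the same "No valid threat/Antivirus content package" warnings that appear later in this thread. Only after it returns an empty list do the set and push calls go out, in that order.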


Hi @MAerre ,

 

You should export and import the NGFW configuration first.  This will migrate any local configuration.  You will change the management IP address, of course.  Then you can connect it to Panorama; add it to the same device group and template stack; and push the config.  That should do it.

 

Thanks,

 

Tom


Hello @PavelK,

 

thank you for your advice; will following this procedure configure the same interfaces used on the PA-5250 on the PA-5410?
Once I push the configuration, will the current management settings be overwritten on the PA-5410?

Thank you


Hi @MAerre ,

 

Yes, the procedure will configure the same interfaces.  Interfaces 5-8 are SFP+ on the PA-5200 and copper on the PA-5400.  You may need to change those.  If those interfaces are configured in a template, you may need a new template.

 

I strongly recommend adding a step 1 to @PavelK's list: export and import the config from the old to the new NGFW.  You may have some items configured locally.  This process will only migrate the local configuration on the NGFW.  You will need to change the management interface before commit.

 

Thanks,

 

Tom


Thanks @TomYoung ,

 

Tomorrow I'll do the configuration and let you know if it works or not 😉

Meanwhile, thanks for the advice.

Hello,

 

just another question:

 

in the exported config I have this string:

 

<config version="10.2.0" urldb="paloaltonetworks" detail-version="10.2.8">

 

but the new devices are on 10.2.7-h8; do I just need to replace this version in the string above?

Can I also change the interfaces directly in the following config without creating a new template:

 

<entry name="VWIRE-1">
  <interface>
    <member>ethernet1/5</member>
    <member>ethernet1/6</member>
  </interface>
  <failure-condition>all</failure-condition>
</entry>
<entry name="VWIRE-2">
  <interface>
    <member>ethernet1/7</member>
    <member>ethernet1/8</member>
  </interface>
</entry>

 

thank you

regards


@MAerre,

The detail-version doesn't matter if it's not accurate, but you can also just change it without consequence before you upload the configuration to the device.

 

You can change the interface in the configuration without issue; just make sure you search for all instances of the interface that you're changing and update it throughout the configuration. You'll have some additional imports that need to be updated as well, and the actual interface configuration outside of the snippet that you have shared.
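The "find every instance" advice above, and the earlier question about the `detail-version` attribute, as an added worked example that is not part of the thread and not Palo Alto Networks code. The sample export below is constructed to mimic the shape of a PAN-OS XML export (device settings, `network/interface/ethernet`, the virtual-wire entry, the vsys `import` block and a zone); the hostnames, addresses and the `ethernet1/5 -> ethernet1/1` mapping are placeholders. The script rewrites hostname, management IP and the version header, remaps the interface everywhere it appears as an entry name or a member value (sub-interfaces such as `ethernet1/5.100` included), reports each change with its path, and finally checks that no reference to an old interface survives.

```python
"""Rewrite an exported PAN-OS XML config for the replacement firewall.

Added example; not from the thread or from Palo Alto Networks. SAMPLE_EXPORT
is constructed; hostnames, addresses and the interface map are placeholders.
"""
import xml.etree.ElementTree as ET

# Constructed sample: every place an export typically references an interface.
SAMPLE_EXPORT = """<config version="10.2.0" urldb="paloaltonetworks" detail-version="10.2.8">
  <devices><entry name="localhost.localdomain">
    <deviceconfig><system>
      <hostname>fw-old</hostname>
      <ip-address>10.0.0.10</ip-address>
      <netmask>255.255.255.0</netmask>
    </system></deviceconfig>
    <network>
      <interface><ethernet>
        <entry name="ethernet1/5"><virtual-wire/></entry>
        <entry name="ethernet1/6"><virtual-wire/></entry>
      </ethernet></interface>
      <virtual-wire><entry name="VWIRE-1">
        <interface><member>ethernet1/5</member><member>ethernet1/6</member></interface>
        <failure-condition>all</failure-condition>
      </entry></virtual-wire>
    </network>
    <vsys><entry name="vsys2">
      <import><network>
        <interface><member>ethernet1/5</member><member>ethernet1/6</member></interface>
        <virtual-wire><member>VWIRE-1</member></virtual-wire>
      </network></import>
      <zone><entry name="outside"><network><virtual-wire>
        <member>ethernet1/5</member>
      </virtual-wire></network></entry></zone>
    </entry></vsys>
  </entry></devices>
</config>"""


def _walk(elem, path, visit):
    """Depth-first walk; visit(elem, path) receives a readable tag/name path."""
    label = elem.tag + (f"[{elem.get('name')}]" if elem.get("name") else "")
    here = path + [label]
    visit(elem, here)
    for child in list(elem):
        _walk(child, here, visit)


def _map_iface(value, iface_map):
    """Map a base interface or a sub-interface (ethernet1/5.100); None if unmapped."""
    if value in iface_map:
        return iface_map[value]
    base, dot, unit = value.partition(".")
    if dot and base in iface_map:
        return f"{iface_map[base]}.{unit}"
    return None


def rewrite_config(xml_text, hostname, mgmt_ip, iface_map, detail_version=None):
    """Return (new_xml, changes); changes is a list of (path, old, new)."""
    root = ET.fromstring(xml_text)
    changes = []
    if detail_version:  # cosmetic per the thread, but keeps the header honest
        changes.append(("config@detail-version", root.get("detail-version"), detail_version))
        root.set("detail-version", detail_version)
    system = root.find("./devices/entry/deviceconfig/system")
    for tag, new in (("hostname", hostname), ("ip-address", mgmt_ip)):
        node = system.find(tag)
        changes.append((f"deviceconfig/system/{tag}", node.text, new))
        node.text = new

    def visit(elem, path):
        # Interfaces occur as entry names (network/interface/ethernet) and as
        # member text (virtual-wire, vsys import, zone); handle both.
        name = elem.get("name")
        new_name = _map_iface(name, iface_map) if name else None
        if new_name:
            changes.append(("/".join(path), name, new_name))
            elem.set("name", new_name)
        text = (elem.text or "").strip()
        new_text = _map_iface(text, iface_map) if text else None
        if new_text:
            changes.append(("/".join(path), text, new_text))
            elem.text = new_text

    _walk(root, [], visit)
    return ET.tostring(root, encoding="unicode"), changes


def stale_references(xml_text, old_ifaces):
    """Paths that still name an old interface; must be empty before import."""
    root = ET.fromstring(xml_text)
    found = []

    def visit(elem, path):
        for value in (elem.get("name"), (elem.text or "").strip()):
            if value and any(value == o or value.startswith(o + ".") for o in old_ifaces):
                found.append("/".join(path))

    _walk(root, [], visit)
    return found


if __name__ == "__main__":
    mapping = {"ethernet1/5": "ethernet1/1", "ethernet1/6": "ethernet1/2"}
    new_xml, changes = rewrite_config(SAMPLE_EXPORT, "fw-new", "10.0.0.11",
                                      mapping, detail_version="10.2.7-h8")
    for path, old, new in changes:
        print(f"{path}: {old} -> {new}")
    print("stale references:", stale_references(new_xml, list(mapping)))
```

Review the printed change list before importing: the path column shows the vsys import and zone references that a search limited to the virtual-wire block would miss, and a non-empty `stale references` result means the import would fail validation on the new box.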

Hi @BPry ,

The configuration is the same except for the management IP, the hostname and the interfaces used in the virtual wire; all the other settings are the same.

Then I'll follow the procedure written above, and it should be OK.

 

thank you

Regards

 


Hi guys,

 

I was able to do what you said, but I'm receiving some errors from Panorama:

 

Details:
. Validation Error:
. vsys -> vsys2 -> rulebase -> security -> rules -> BLOCK_EDL_IN -> source 'panw-bulletproof-ip-list' is not an allowed keyword
. vsys -> vsys2 -> rulebase -> security -> rules -> BLOCK_EDL_IN -> source panw-bulletproof-ip-list is an invalid ipv4/v6 address
. vsys -> vsys2 -> rulebase -> security -> rules -> BLOCK_EDL_IN -> source panw-bulletproof-ip-list invalid range start IP
. vsys -> vsys2 -> rulebase -> security -> rules -> BLOCK_EDL_IN -> source 'panw-bulletproof-ip-list' is not a valid reference
. vsys -> vsys2 -> rulebase -> security -> rules -> BLOCK_EDL_IN -> source is invalid
. Warning: No valid threat content package exists
. Warning: No valid Antivirus content package exists
. fw-Domain (vsys2)
. Error: Failed to find address 'panw-bulletproof-ip-list'
. Error: Unknown address 'panw-bulletproof-ip-list'
. Error: Failed to parse security policy
. (Module: device)
. client device phase 1 failure
. Commit failed

 

 

. External Dynamic List Talos list is configured with no certificate profile. Please select a certificate profile for performing server certificate validation.
. External Dynamic List github list is configured with no certificate profile. Please select a certificate profile for performing server certificate validation.
. EDL(vsys2/github list ip) Downloaded file is not a text file.

 

I can't understand why I have this output; in the old template and on the old devices this error is not present...

 

any idea?


Hello @MAerre 

As @PavelK mentioned, you need to "1.) Make sure that new PA-5410 has all licenses / subscriptions activated. Also make sure that it has latest App/Threat package installed and running preferred PAN-OS."

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PNZgCAO 

Cheers,
Cosmin

Don't forget to Like items if a post is helpful to you!
Please help out other users and “Accept as Solution” if a post helps solve your problem!


Hello @CosminM ,

 

Thank you man!  It worked; it seems the antivirus signatures were not updated.

 
