Migrating PA5020 to PA5220

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Migrating PA5020 to PA5220

L0 Member

Hello, 

 

I am in the process of migrating an HA pair PA-5020 on version 8.1.22 to PA-5220 that shipped with version 10.1.3.  From what I researched the 5020 is end of life and can only go up to  OS ver to 8.1.*.  My thought was to downgrade the new PA-5220 from  10.1.3 to 8.1.22 and restore the configuration.  In the process of downgrading the PA5220 to 8.1.22, I got a failed message that said that the firewall cannot go lower than version 10.  How can I restore the config if I cannot get the new firewall to the same os level running on the PA5020?  Any help will be appreciated.

 

  



Please note you are posting a public message where community members and experts can provide assistance. Sharing private information such as serial numbers or company information is not recommended.
2 REPLIES 2

Cyber Elite
Cyber Elite

Hi @lizarraga ,

 

I can think of 5 ways to do it:

 

  1. Find a spare PA NGFW that supports both 8.1 and 10.1 and use it.  In most cases any PA NGFW will do.  In rare cases, a few features will be missing if you use a lower end model.  You could even borrow a standby unit.
  2. Panorama if you have it.  Add the new NGFW to the same template and device group as your old NGFW.  Panorama must be greater or equal PAN-OS.
  3. Expedition if you are familiar with it.  The PANW migration tool:  https://live.paloaltonetworks.com/t5/expedition/ct-p/migration_tool saves a lot of time with migrations.
  4. Import the old PAN-OS XML file and be prepared to work through commit errors.  Some sections can be fixed on the CLI.  Others will need to be deleted and recreated in the GUI.  Some people on this community say the NGFW will try and convert it.  I have never tried it.
  5. You could also cut-and-paste on the CLI and work through each error.  Ugh!

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

Cyber Elite
Cyber Elite

Hello,

That PAN should be able to go to version 9.1.x. I say upgrade it to the newest version, then export the config and import into the new one. As already mentioned, there are features that will probably need to be configured once the code gets moved over.

Regards,

  • 2505 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!