- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
07-14-2023 05:36 AM
Hello,
as the Subject' saying, i'm facing this issue - what is the recommended procedure?
While I'm considering upgrading my 3220 pair to 10.1.10 prior to migration (I'm not that keen to go all the way to 10.2.4) and i'd prefer to avoid the upgrade process entirely if possible - so the Subject still stands.
As it is now, my setup is running 5 vsys, has hundreds of objects defined, some overall 25 zones defined, hundreds of rules, certificates imported/generated for forward or inbound decryption, a globalprotect config with azure mfa auth, some tens of ipsec tunnels, etc.
It's not overly complicated, but still it would take me quite a while to redo that config manually on the new pair, so what are the options?
Thank you
07-14-2023 08:06 AM
Hello,
I would first export the configuration from one of the 3220's and put it onto the 1420 and see if there are any errors or warnings etc. Then fix any errors or warnings on the 1420 and see if the config is the same/similar. As long as the interfaces are the same, you should be able to just move the cables during a maintenance window and be good to go.
The other option could be to use the Expedition tool. I personally have not use the Expedition tool, but hopefully someone who has can reply as well.
https://live.paloaltonetworks.com/t5/expedition/ct-p/migration_tool
Regards,
07-24-2023 07:38 AM
To give at least a sort of a closure to this thread, things went like that:
1. First, i updated my PA-3220 HA Pair from 9.1.16 to 10.1.10 (because 11.0 allows to skip versions and 10.1 currently being the lowest accepted in the skip version upgrade path)
2. Then i tried to import the config on 1420, but it failed and it complained about HA and about management port (my HA setup is using the management port for ha1 backup, but i get the feeling that if i was using ha1b for backup it would have worked)
3. I used notepad++ to edit the 3320 exported xml config file and i removed the entire <high-availability> </high-availability> section.
4. After that, the edited config imported successfully, no errors, no warnings, nothing. The config seems to be fully functional0
Next steps would be to reconfigure the HA and sync the config to the secondary PA1420
And, of course, to set a maintenance window to move the cables from the 3320 to 1420 pair
07-14-2023 08:06 AM
Hello,
I would first export the configuration from one of the 3220's and put it onto the 1420 and see if there are any errors or warnings etc. Then fix any errors or warnings on the 1420 and see if the config is the same/similar. As long as the interfaces are the same, you should be able to just move the cables during a maintenance window and be good to go.
The other option could be to use the Expedition tool. I personally have not use the Expedition tool, but hopefully someone who has can reply as well.
https://live.paloaltonetworks.com/t5/expedition/ct-p/migration_tool
Regards,
07-24-2023 07:38 AM
To give at least a sort of a closure to this thread, things went like that:
1. First, i updated my PA-3220 HA Pair from 9.1.16 to 10.1.10 (because 11.0 allows to skip versions and 10.1 currently being the lowest accepted in the skip version upgrade path)
2. Then i tried to import the config on 1420, but it failed and it complained about HA and about management port (my HA setup is using the management port for ha1 backup, but i get the feeling that if i was using ha1b for backup it would have worked)
3. I used notepad++ to edit the 3320 exported xml config file and i removed the entire <high-availability> </high-availability> section.
4. After that, the edited config imported successfully, no errors, no warnings, nothing. The config seems to be fully functional0
Next steps would be to reconfigure the HA and sync the config to the secondary PA1420
And, of course, to set a maintenance window to move the cables from the 3320 to 1420 pair
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!