
Migration from HA pair PA-3220 running PanOS 9.1.16 to HA pair of PA-1420 running 11.0.2

L2 Linker

Hello,

As the subject says, I'm facing this issue - what is the recommended procedure?

While I'm considering upgrading my 3220 pair to 10.1.10 prior to migration (I'm not that keen to go all the way to 10.2.4), I'd prefer to avoid the upgrade process entirely if possible, so the subject still stands.

 

As it is now, my setup is running 5 vsys and has hundreds of objects defined, some 25 zones overall, hundreds of rules, certificates imported/generated for forward or inbound decryption, a GlobalProtect config with Azure MFA auth, some tens of IPsec tunnels, etc.

It's not overly complicated, but it would still take me quite a while to redo that config manually on the new pair, so what are the options?

 

Thank you

Accepted Solutions

Cyber Elite

Hello,

I would first export the configuration from one of the 3220's and put it onto the 1420 and see if there are any errors or warnings etc. Then fix any errors or warnings on the 1420 and see if the config is the same/similar. As long as the interfaces are the same, you should be able to just move the cables during a maintenance window and be good to go.

The other option could be to use the Expedition tool. I personally have not used the Expedition tool, but hopefully someone who has can reply as well.

https://live.paloaltonetworks.com/t5/expedition/ct-p/migration_tool

 

Regards,


L2 Linker

To give at least a sort of closure to this thread, things went like this:

 

1. First, I updated my PA-3220 HA pair from 9.1.16 to 10.1.10 (because 11.0 allows skipping versions, with 10.1 currently being the lowest accepted in the skip-version upgrade path).

2. Then I tried to import the config on the 1420, but it failed and complained about HA and about the management port (my HA setup is using the management port for ha1 backup, but I get the feeling that if I were using ha1b for backup it would have worked).

3. I used Notepad++ to edit the 3320 exported XML config file and I removed the entire <high-availability>  </high-availability> section.

4. After that, the edited config imported successfully: no errors, no warnings, nothing. The config seems to be fully functional.

 

Next steps would be to reconfigure the HA and sync the config to the secondary PA-1420.

And, of course, to set a maintenance window to move the cables from the 3320 to the 1420 pair.

View solution in original post
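
Step 3 of the post above, done with an XML parser instead of a text editor, as an added example that is not part of the original post or of any Palo Alto tooling. The sample export is constructed, and the function names `strip_sections` and `element_inventory` are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a real export. Placing the HA settings under
# <deviceconfig> is an assumption about the exported file; the function
# below does not rely on it and searches the whole tree.
SAMPLE_EXPORT = """<config version="10.1.0">
  <devices>
    <entry name="localhost.localdomain">
      <deviceconfig>
        <system><hostname>fw-old-a</hostname></system>
        <high-availability>
          <enabled>yes</enabled>
          <interface><ha1-backup><port>management</port></ha1-backup></interface>
        </high-availability>
      </deviceconfig>
      <vsys>
        <entry name="vsys1"><zone><entry name="trust"/></zone></entry>
      </vsys>
    </entry>
  </devices>
</config>"""


def strip_sections(xml_text, tag="high-availability"):
    """Return (cleaned_xml, removed_paths) with every <tag> subtree removed."""
    root = ET.fromstring(xml_text)  # raises ParseError if the file is not well-formed
    removed = []

    def walk(node, path):
        for child in list(node):  # iterate over a copy because children are removed
            name = child.get("name")
            step = child.tag + (f"[@name='{name}']" if name else "")
            child_path = f"{path}/{step}"
            if child.tag == tag:
                node.remove(child)
                removed.append(child_path)
            else:
                walk(child, child_path)

    walk(root, "/" + root.tag)
    return ET.tostring(root, encoding="unicode"), removed


def element_inventory(xml_text):
    """Count elements per tag, to confirm that nothing else was dropped."""
    counts = {}
    for el in ET.fromstring(xml_text).iter():
        counts[el.tag] = counts.get(el.tag, 0) + 1
    return counts
```

Comparing `element_inventory` before and after shows that only the HA subtree went missing. The edited copy still carries the same certificate and credential material as the original export, so it needs the same handling.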
