cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Migration from PA-500 to PA-3020

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Reply
diennea
L3 Networker
‎03-07-2016 08:43 AM
‎03-07-2016 08:43 AM

Migration from PA-500 to PA-3020

Hi,

I need to migrate from 2 PA-500 firewall in HA to 2 PA-3020 firewall in HA.

Should I use Migration Tool or there is a more simple way?

 

In caso I should use Migration Tool where can I find some sample about migration from PA to PA ?

 

Thanks

Regards

0 Likes
Reply

Accepted Solutions
reaper
L7 Applicator
‎03-08-2016 04:46 AM
‎03-08-2016 04:46 AM

the major OS version needs to match, but as long as you're going up in model versions, especially from an 8 port PA-500 to a 12 + 4 port PA-3020, there should not be an issue (since the configuration on the 8 copper ethernet ports will seemlessly be supported on the PA-3020's 12 copper ethernet ports)

 

if you transport config from a PA-5050 to a PA-500, there could obviously be issues as the config may contain elements the smaller chassis does not comprehend

 

Tom Piens - PANgurus.com
Like my answer? check out my book! amazon.com/dp/1789956374

View solution in original post

Reply
santonic
L5 Sessionator
‎03-08-2016 04:49 AM
‎03-08-2016 04:49 AM

It may result in failure in some cases (non matching interfaces etc.). But in majority cases it will work, just stick to same PAN-OS version when migrating (upgrade after migration if needed).

And if PA-3020 is new and not in production you can't cause any harm anyway. Just import it and see if any errors are reported. 

View solution in original post

Reply

All Replies
reaper
L7 Applicator
‎03-08-2016 02:48 AM
‎03-08-2016 02:48 AM

Unless you have set a master key or are running in FIPS mode, you can simply export the configuration file off of the PA-500 and Import it onto the PA-3020 without the need to make any changes, you can then simply load and commit

 

Tom Piens - PANgurus.com
Like my answer? check out my book! amazon.com/dp/1789956374
0 Likes
Reply
diennea
L3 Networker
‎03-08-2016 03:56 AM
‎03-08-2016 03:56 AM

Hi,

I don't think so.

I read this document

https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Save-an-Entire-Configuration-for-Imp...

 

here I read

 

"Importing an entire configuration into another Palo Alto Networks device may result of a device failure, replacement, or migration. The device configuration and security policy can be successfully exported and imported between devices as long as the following criteria are met:

  1. Identical hardware model (PA-500 to PA-500, PA-5020 to PA-5020, and so on.)
    • Importing configurations between non-matching hardware versions is not currently supported.
  2. Identical major PAN-OS version (4.1.x to 4.1.x, 5.0.x to 5.0.x and 6.0.x)
    • To import the configuration, upgrade the device to the same PAN-OS version prior to import."

 

0 Likes
Reply
reaper
L7 Applicator
‎03-08-2016 04:46 AM
‎03-08-2016 04:46 AM

the major OS version needs to match, but as long as you're going up in model versions, especially from an 8 port PA-500 to a 12 + 4 port PA-3020, there should not be an issue (since the configuration on the 8 copper ethernet ports will seemlessly be supported on the PA-3020's 12 copper ethernet ports)

 

if you transport config from a PA-5050 to a PA-500, there could obviously be issues as the config may contain elements the smaller chassis does not comprehend

 

Tom Piens - PANgurus.com
Like my answer? check out my book! amazon.com/dp/1789956374

View solution in original post

Reply
santonic
L5 Sessionator
‎03-08-2016 04:49 AM
‎03-08-2016 04:49 AM

It may result in failure in some cases (non matching interfaces etc.). But in majority cases it will work, just stick to same PAN-OS version when migrating (upgrade after migration if needed).

And if PA-3020 is new and not in production you can't cause any harm anyway. Just import it and see if any errors are reported. 

View solution in original post

Reply
diennea
L3 Networker
‎03-08-2016 05:00 AM
‎03-08-2016 05:00 AM

Thank you very much.

I'll try

0 Likes
Reply
Lesgall
L1 Bithead
‎10-28-2019 10:28 AM
‎10-28-2019 10:28 AM

I am planning to work on the same migration (two PA500 and two PA3020 running HA). Did you run into any issue due to not having designated HA ports on the PA500 vs the PA3020? Did you run into any other issue not mentioned here?

0 Likes
Reply
Bigio12
L0 Member
‎10-29-2019 01:50 AM
‎10-29-2019 01:50 AM

Hi,

no issues at all

All worked perfectly

0 Likes
Reply
diennea
L3 Networker
‎10-29-2019 01:54 AM
‎10-29-2019 01:54 AM

Hi,

no issues at all.

All worked perfectly

0 Likes
Reply
Lesgall
L1 Bithead
‎10-30-2019 10:49 AM
‎10-30-2019 10:49 AM

Thank you!

0 Likes
Reply
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

Latest Blogs
Latest Posts
Privacy Policy Terms of Use
Copyright 2007 - 2021 - Palo Alto Networks