Migration from PA-500 to PA-3020

cancel
Showing results for 
Search instead for 
Did you mean: 

Migration from PA-500 to PA-3020

L3 Networker

Hi,

I need to migrate from 2 PA-500 firewall in HA to 2 PA-3020 firewall in HA.

Should I use Migration Tool or there is a more simple way?

 

In caso I should use Migration Tool where can I find some sample about migration from PA to PA ?

 

Thanks

Regards

2 ACCEPTED SOLUTIONS

Accepted Solutions

the major OS version needs to match, but as long as you're going up in model versions, especially from an 8 port PA-500 to a 12 + 4 port PA-3020, there should not be an issue (since the configuration on the 8 copper ethernet ports will seemlessly be supported on the PA-3020's 12 copper ethernet ports)

 

if you transport config from a PA-5050 to a PA-500, there could obviously be issues as the config may contain elements the smaller chassis does not comprehend

 

Tom Piens
Like my answer? check out my book! https://bit.ly/MasteringPAN

View solution in original post

It may result in failure in some cases (non matching interfaces etc.). But in majority cases it will work, just stick to same PAN-OS version when migrating (upgrade after migration if needed).

And if PA-3020 is new and not in production you can't cause any harm anyway. Just import it and see if any errors are reported. 

View solution in original post

9 REPLIES 9

L7 Applicator

Unless you have set a master key or are running in FIPS mode, you can simply export the configuration file off of the PA-500 and Import it onto the PA-3020 without the need to make any changes, you can then simply load and commit

 

Tom Piens
Like my answer? check out my book! https://bit.ly/MasteringPAN

Hi,

I don't think so.

I read this document

https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Save-an-Entire-Configuration-for-Imp...

 

here I read

 

"Importing an entire configuration into another Palo Alto Networks device may result of a device failure, replacement, or migration. The device configuration and security policy can be successfully exported and imported between devices as long as the following criteria are met:

  1. Identical hardware model (PA-500 to PA-500, PA-5020 to PA-5020, and so on.)
    • Importing configurations between non-matching hardware versions is not currently supported.
  2. Identical major PAN-OS version (4.1.x to 4.1.x, 5.0.x to 5.0.x and 6.0.x)
    • To import the configuration, upgrade the device to the same PAN-OS version prior to import."

 

the major OS version needs to match, but as long as you're going up in model versions, especially from an 8 port PA-500 to a 12 + 4 port PA-3020, there should not be an issue (since the configuration on the 8 copper ethernet ports will seemlessly be supported on the PA-3020's 12 copper ethernet ports)

 

if you transport config from a PA-5050 to a PA-500, there could obviously be issues as the config may contain elements the smaller chassis does not comprehend

 

Tom Piens
Like my answer? check out my book! https://bit.ly/MasteringPAN

View solution in original post

It may result in failure in some cases (non matching interfaces etc.). But in majority cases it will work, just stick to same PAN-OS version when migrating (upgrade after migration if needed).

And if PA-3020 is new and not in production you can't cause any harm anyway. Just import it and see if any errors are reported. 

View solution in original post

Thank you very much.

I'll try

I am planning to work on the same migration (two PA500 and two PA3020 running HA). Did you run into any issue due to not having designated HA ports on the PA500 vs the PA3020? Did you run into any other issue not mentioned here?

Hi,

no issues at all

All worked perfectly

Hi,

no issues at all.

All worked perfectly

Thank you!

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!