Migration from PA-500 to PA-3020

diennea · ‎03-07-2016

Hi,

I need to migrate from 2 PA-500 firewall in HA to 2 PA-3020 firewall in HA.

Should I use Migration Tool or there is a more simple way?

In caso I should use Migration Tool where can I find some sample about migration from PA to PA ?

Thanks

Regards

reaper · ‎03-08-2016

the major OS version needs to match, but as long as you're going up in model versions, especially from an 8 port PA-500 to a 12 + 4 port PA-3020, there should not be an issue (since the configuration on the 8 copper ethernet ports will seemlessly be supported on the PA-3020's 12 copper ethernet ports)

if you transport config from a PA-5050 to a PA-500, there could obviously be issues as the config may contain elements the smaller chassis does not comprehend

reaper - PANgurus.com
I drink and I know things

View solution in original post

santonic · ‎03-08-2016

It may result in failure in some cases (non matching interfaces etc.). But in majority cases it will work, just stick to same PAN-OS version when migrating (upgrade after migration if needed).

And if PA-3020 is new and not in production you can't cause any harm anyway. Just import it and see if any errors are reported.

View solution in original post

reaper · ‎03-08-2016

Unless you have set a master key or are running in FIPS mode, you can simply export the configuration file off of the PA-500 and Import it onto the PA-3020 without the need to make any changes, you can then simply load and commit

reaper - PANgurus.com
I drink and I know things

diennea · ‎03-08-2016

Hi,

I don't think so.

I read this document

https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Save-an-Entire-Configuration-for-Imp...

here I read

"Importing an entire configuration into another Palo Alto Networks device may result of a device failure, replacement, or migration. The device configuration and security policy can be successfully exported and imported between devices as long as the following criteria are met:

Identical hardware model (PA-500 to PA-500, PA-5020 to PA-5020, and so on.)
- Importing configurations between non-matching hardware versions is not currently supported.
Identical major PAN-OS version (4.1.x to 4.1.x, 5.0.x to 5.0.x and 6.0.x)
- To import the configuration, upgrade the device to the same PAN-OS version prior to import."

reaper · ‎03-08-2016

the major OS version needs to match, but as long as you're going up in model versions, especially from an 8 port PA-500 to a 12 + 4 port PA-3020, there should not be an issue (since the configuration on the 8 copper ethernet ports will seemlessly be supported on the PA-3020's 12 copper ethernet ports)

if you transport config from a PA-5050 to a PA-500, there could obviously be issues as the config may contain elements the smaller chassis does not comprehend

reaper - PANgurus.com
I drink and I know things

View solution in original post

santonic · ‎03-08-2016

It may result in failure in some cases (non matching interfaces etc.). But in majority cases it will work, just stick to same PAN-OS version when migrating (upgrade after migration if needed).

And if PA-3020 is new and not in production you can't cause any harm anyway. Just import it and see if any errors are reported.

View solution in original post

diennea · ‎03-08-2016

Thank you very much.

I'll try

Lesgall · ‎10-28-2019

I am planning to work on the same migration (two PA500 and two PA3020 running HA). Did you run into any issue due to not having designated HA ports on the PA500 vs the PA3020? Did you run into any other issue not mentioned here?

Bigio12 · ‎10-29-2019

Hi,

no issues at all

All worked perfectly

diennea · ‎10-29-2019

Hi,

no issues at all.

All worked perfectly

Lesgall · ‎10-30-2019

Thank you!

Migration from PA-500 to PA-3020