Migration of PAFW PA-5050 8.0.12 to PA-5220 Latest version


L1 Bithead

Hi,

I am planning to migrate PA-5050 HA version 8.0.12 to PA-5220 HA on the latest version.

 

Constraints - The new PA-5220 cannot be downgraded to 8.0.12 to migrate the configuration. The PA-5050s are in production so they can't be upgraded to a version suitable for the PA-5220.

 

Additional requirement - The PA-5050 cfg has an interface each for inside and outside. The new PA-5220 firewall is required to have interface aggregation.

 

What is the best way to address the above migration constraints and requirement?

  

Please share your advice and suggestions.

 

Best Regards, Stay Safe.

 

 

6 REPLIES

Cyber Elite

@shrinivasswami 

Constraints - The new PA-5220 cannot be downgraded to 8.0.12 to migrate the configuration. The PA-5050s are in production so they can't be upgraded to a version suitable for the PA-5220.

This seems unreasonable. The PA-5220 is going to be running whatever software version you deploy it out with, so upgrading the PA-5050s prior to PA-5220 deployment would ensure that you aren't going to run into any software bugs. Outside of that, I would at least perform the upgrade on the passive node (assuming Active/Passive HA) so that you have a copy of the configuration for the target release.

 

Additional requirement - The PA-5050 cfg has an interface each for inside and outside. The new PA-5220 firewall is required to have interface aggregation.

You want to aggregate the Trust and Untrust interfaces? 

 

 

Ideally, you would get the PA-5050 on the same software release that you'll be deploying the PA-5220s with, as I've mentioned above. Even if you only do it on the passive node, export the configuration, and revert everything again, that will at least get you a baseline configuration to work with when you import that configuration into the PA-5220.

When it comes to the interface aggregation you'll need to expand on what you are trying to do exactly. From the sounds of it, you'll want to look at sub-interfaces or aggregating what you fed into the PA-5050s through trunks and VLANs on the PA-5220 to keep the interface count down. 

Hi,

Thanks for your reply.  

 

* The idea to break HA, take the passive PA-5050 device and upgrade it is good.

 

We cannot touch the PA-5050s as they are in production. I will still try to discuss internally. But if we take the answer as NO, what options do we have for migration?

 

The old configuration (Trust/Untrust) has a single interface and has sub-interfaces. On the new 5220 device we want to have link aggregation and failover (interface level).

 

My Plan
#1. Downgrade the PA-5220 to a version close to the PA-5050 device and migrate the configuration. Hope this works out.
#2. Use the Expedition tool for the migration and to convert the single-interface config to interface aggregation.

 

Please let me know if this works or any better plan.

 

 

Hi,

 

Today I downgraded the PAFW 5220 to 8.1.0 and imported the configuration from the PAFW 5050 8.0.12. I am verifying the migrated configuration.

 

The PAFW 5050 configuration has VLANs, virtual systems and security zones - How do I create interface aggregation and re-map virtual systems, VLANs, zones?

 

Kindly share the idea or guidance.

 

Regards,

Hi,

 

Any ideas, please?

 

Regards,

Shrinivas

@shrinivasswami,

What you are asking for is more akin to professional services. Simply configuring an aggregate interface isn't difficult; you can review the configuration documentation at the link provided at the bottom of this post. As for re-mapping everything, this would depend on your individual configuration file; the only general guidance that can be provided is that you'll need to update the interface assignment in your zone configuration and update all of the routing information to utilize the new aggregate interfaces.

 

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/configure-interfaces/configure-...
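
As an added illustration of the re-mapping guidance in the reply above (not part of the thread and not Palo Alto Networks code): the script below walks an exported configuration and lists every place an old interface or one of its sub-interfaces is referenced, so zone, virtual-router and vsys import entries are not missed when moving to an aggregate interface. The XML excerpt is constructed and simplified, and `ae1` is an assumed target name; the script only reports, it does not rewrite the config.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified excerpt shaped like an exported PAN-OS config (not real data).
SAMPLE = """<config><devices><entry name="localhost.localdomain">
 <network>
  <interface><ethernet>
   <entry name="ethernet1/1"><layer3><units>
    <entry name="ethernet1/1.100"><tag>100</tag></entry>
   </units></layer3></entry>
   <entry name="ethernet1/10"><layer3/></entry>
  </ethernet></interface>
  <virtual-router><entry name="default"><interface>
   <member>ethernet1/1.100</member><member>ethernet1/10</member>
  </interface></entry></virtual-router>
 </network>
 <vsys><entry name="vsys1">
  <import><network><interface><member>ethernet1/1.100</member></interface></network></import>
  <zone><entry name="trust"><network><layer3>
   <member>ethernet1/1.100</member>
  </layer3></network></entry></zone>
 </entry></vsys>
</entry></devices></config>"""

def find_refs(root, old_if):
    """Return (path, value) for each entry name or element text naming old_if or a subinterface."""
    hits = []
    def matches(value):
        # Exact name or "name.<unit>"; a plain prefix test would also catch ethernet1/10.
        return value == old_if or value.startswith(old_if + ".")
    def walk(el, path):
        name = el.get("name")
        here = f"{path}/{el.tag}" + (f"[@name='{name}']" if name else "")
        for value in (name, (el.text or "").strip()):
            if value and matches(value):
                hits.append((here, value))
        for child in el:
            walk(child, here)
    walk(root, "")
    return hits

def plan_remap(xml_text, old_if, new_if):
    """List (path, current value, proposed value) without modifying the config."""
    root = ET.fromstring(xml_text)
    return [(p, v, new_if + v[len(old_if):]) for p, v in find_refs(root, old_if)]

if __name__ == "__main__":
    for path, old, new in plan_remap(SAMPLE, "ethernet1/1", "ae1"):
        print(f"{old:16} -> {new:8} {path}")
```

Any reference left on the old interface after cutover leaves that zone or route without its intended interface, so review the full list against the new aggregate layout before committing.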

Hi,

Thanks for your valuable reply.

 

Your comments really helped to some extent.  

 

I am not asking for professional service. What I am asking for is an idea or way forward to address the concern.

 

Thanks again for your reply.

 
