Migration path from PA-2020 to PA-820

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Migration path from PA-2020 to PA-820

L0 Member

What is the correct way to migrate from a PA 2020 at PANOS currently at 6.1.16 (plan on upgrading to 7.0.14; the highest version show up in the avaliable releases) to a PA 820 at PANOS 8.0?  

 

 

1 accepted solution

Accepted Solutions

Good point!

 

then the option is an extra step to use another device for the "config" upgrade from 7.1 to 8.0  upgrade.

 

All the new PA models can only run PANOS 8.x.

So this is your path:

  •  Upgrade pa-2020 to 7.0.1  then to 7.1.0
  • Export config, modify XMLto match PA-xxx interfaces (running PANOS 7.1)
  • import on PA device capable of running 7.1 and 8
  • Export config, modify XMLto match PA-xxx interfaces
  • Import on PA-820, commit. test. Swap the ethernet cables

ps:  I don't recommend PANOS 8.0 for production at this moment.

 

View solution in original post

8 REPLIES 8

L6 Presenter

Hi,

 

l just recently migrated config from the 4020 > 3050 series. If you can upgrade 2020 to the latest 7.1.x  PAN-OS. Make sure you got same dynamic ulr filtering enabled on the both firewall.  Do config validation before the commin and look for the errors if any .You might need to change/tweak xml exported file manually in case some errors with the interfaces mismatch etc.

@TranceforLife nailed it. Just to add though as I'm not sure the 820 is going to be able to run anything less than 8.0? I would upgrade to whatever version you are going to run on the 820 before you attempt to migrate to the PA-820, while you can certainly complete the migration even if you are not running the same PANos version it's usually less prone to issues if you at least match the version number as close as possible. 

L3 Networker

All the new PA models can only run PANOS 8.x.

So this is your path:

  •  Upgrade pa-2020 to 7.0.1  then to 7.1.0 then to 8.0
  • Export config, modify XML to match PA-820 interfaces
  • Import, commit. test. Swap the ethernet cables

ps:  I don't recommend PANOS 8.0 for production at this moment.

Unfortunelty 2000 series can only support up to 7.1 PAN-OS same as 4000:

 

https://www.paloaltonetworks.com/services/support/end-of-life-announcements/hardware-end-of-life-dat...

Good point!

 

then the option is an extra step to use another device for the "config" upgrade from 7.1 to 8.0  upgrade.

 

All the new PA models can only run PANOS 8.x.

So this is your path:

  •  Upgrade pa-2020 to 7.0.1  then to 7.1.0
  • Export config, modify XMLto match PA-xxx interfaces (running PANOS 7.1)
  • import on PA device capable of running 7.1 and 8
  • Export config, modify XMLto match PA-xxx interfaces
  • Import on PA-820, commit. test. Swap the ethernet cables

ps:  I don't recommend PANOS 8.0 for production at this moment.

 

Thanks everyone for the information.

 

We don't have any other PA devices currently besides the PA-2020, so the migration may be difficult.  It looks like I may need to manually recreate my config, unless PA support would be able to take a saved config and run it though devices they have to do the upgrades. 

 

When do you think you would recommend the PANOS 8 in production?  I am looking at replacing our PA-2020 by May.  The renewal cost for a PA-2020 services and support are close to the same price as a new PA-820 with a year of services and support.

@itoffice, I don't think anybody could really help you figure out when people are willing to use it prime time. One thing to keep in mind is that, while 8.0 has issues, depending on what features you are running it may work perfectly fine for you. 7.1 wasn't stable in our environment until 7.1.4, but I had some environments which were running 7.1.1 without any issues, so it really all depends on the environment. 

 

You do not have to do a direct migration from a 8.0 box to an 8.0 box. Converting the 7.1.x config that your 2020 is capable of running to the 8.0 running on the 820 is perfectly doable as long as you edit the config to match the interfaces that the 820 actually has. Think about it, any update performed to get to 8.0 is essentially taking a 7.1.x config and making it 8.0 capable. You may run into more issues simply because there are more moving parts to perform the migration than if you were going to a device running the same version, but this is certainly doable without an intermediate device. 

L2 Linker

We've upgraded from PA-2050 (panos 7.1, 1 vsys) to PA-820 (panos 8.0.1, 1 vsys) the following way:

  • Save and export named configuration on PA-2050: pa2050-config-migration
  • Save and export named configuration on PA-820: pa820-config-premigration
  • Copied the password hash value for the admin user from pa820-config-premigration to pa2050-config-migration
  • Import and load the pa2050-config-migration on PA-820
  • Set admin password (as assurance) and commit
  • Globalprotect: download the desired version and activate on PA-820
  • Shutdown PA-2050 and move network cables to PA-820

Worked as expected after migrating the 7.1 config file to PA-820 (running panos 8.0.1). Features that worked as expected: globalprotect, ipsec tunneling, bgp routing.

  • 1 accepted solution
  • 5600 Views
  • 8 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!