Moving Colo Datacenter

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Moving Colo Datacenter

L4 Transporter

Hi folks,

 

We got some dreaded news that our colo vendor is not renewing lease and we are now moving.

We have two 3020 firewalls configured in HA.

 

I am looking for any general comments that could help in my direction.

 

One thought:

  • Break HA.
  • Take secondary firewall over to new colo datacenter.
  • Edit secondary firewall configuration for new IPs.
  • Make secondary, new primary.
  • Bring over original primary, make secondary, sync new config.

 

Anyone have comments from experience?

1 accepted solution

Accepted Solutions

Hello,

The config is just an xml file soas long as the formatting is correct, a find/replace should work just fine. I would recommen making a copy or two and just have them, but worst case you have the one in the old colo to refer to.

 

Obivously once you do the find/replace and boot the device, go through the config to make sure its correct and test it out the best you can.

 

Cheers!

View solution in original post

7 REPLIES 7

Cyber Elite
Cyber Elite

Hello,

Once you break HA there is no more Primary/Secondary so I have modified your steps a bit just to be safe.

  • Shutdown secondary firewall
  • Disable HA on remaining functioning firewall
  • Take secondary firewall over to new colo datacenter.
  • Edit secondary firewall configuration for new IPs
  • At new Colo, make sure the current running firewall has a lower 'Device Priority' than the one you are brining over
  • Bring over original primary and cable up
  • fire up the original primary and make sure to push a config sync from old secondary to old primary

Hope that makes sense.

 

Good luck!

Thank you @OtakarKlier

 

I am wondering if there are an suggestions for editing the config?

After I do a rule cleanup, could use find/replace in config file for public IPs?

 

Sounds scary, but wondering if most config could be populated that way or other, besides only combing through and changing every rule, etc. manually.

Hello,

The config is just an xml file soas long as the formatting is correct, a find/replace should work just fine. I would recommen making a copy or two and just have them, but worst case you have the one in the old colo to refer to.

 

Obivously once you do the find/replace and boot the device, go through the config to make sure its correct and test it out the best you can.

 

Cheers!

Thank you @OtakarKlier   !!!

 

Yea, would certainly review and test.  Trying to have it in place ahead of time and validate what we can before moving all the servers over.  We do all our routing through the PA firewall.

I recently moved my company from an owned DC to a CoLo.  I did essentially what you documented except used our "OSS" (On-Site Spare).

 

The set-up was DC 1 <--> DC 2.  I prestaged a third 3020 OSS in the new DC (DC 3).  I moved HA to DC 2.  Went into the Palo portal and said DC 1's FW was "broken" which transferred the licensing and functionality from DC 1 FW to DC 3's FW.  

 

I then HA peered DC 2 and DC 3's FWs.  Once that was squared aware I made DC 3's FW active taking over from DC 2.

 

The whole process took about 45 minutes never creating an outage and we didn't have to go hours running single threaded.

Thank you!  @Brandon_Wertz

 

Nice to have the OSS.  

I wonder if I will be able to transfer the Licensing, etc. to our secondary FW when time comes.

 

We will have downtime since we will be physically moving our servers, etc.  I plan to stand up maybe a test web server and cycle through IPs in the new config to get some level of validation before the servers and switches move in.

 

 

Hello,

The licenses should be easy to swap. You could even get your sales team involded, maybe they can give out temp licenses if you need them for a short time.

 

Cheers!

  • 1 accepted solution
  • 5062 Views
  • 7 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!