01-11-2024 11:42 AM
I need to migrate 2 standalone PA-220s to PA-440s. The current PA-220s are running PAN-OS 10.2.4-h2.
I would like to know the recommended process for doing this.
Can I back up the configuration and system state and restore it on the PA-440?
Do I use Expedition to migrate the current config to the new firewall?
Thank you in advance
01-11-2024 08:02 PM
Hi @EddieReyes ,
You can back up and restore the configuration to the PA-440s. I have done it a few times. It works great. Once you load and commit, you can log in with the PA-220 admin password. You do not need to use Expedition, especially if your NGFWs are running the same PAN-OS.
You do not have to back up and restore system state, but that will work fine also. Here is a good discussion on the differences between the two.
Thanks,
Tom
01-16-2024 04:51 AM
Thank you, Tom. I appreciate the assist.
02-08-2024 10:37 AM
Tom:
I was able to migrate one of the PA-220 to a PA-440 without problems.
The other showed commit failures. One of the failures is because the self-signed certificates have a Block Private Key icon next to the Key check. I tried manually exporting and importing the certs, but then I had a commit failure due to the Service Account password used under User ID. Have you ever seen this?
Thanks.
Eddie
02-08-2024 10:56 AM
Hi @EddieReyes ,
Yes, I have! The master key may be different for the 2 NGFWs, and the new FW cannot decrypt the hash. Open the configuration box in the GUI and retype the password. Then commit.
Thanks,
Tom
02-08-2024 11:09 AM
Tom:
I am sorry to ask, but which master key are we talking about? I don't have a master key configured on either the old or the new firewall.
Is it under Master Key and Diagnostics? I am not using that.
Thanks.
Eddie
02-08-2024 11:23 AM
Hi @EddieReyes, it could be that you have an issue with the certificates for decryption.
I recommend downloading the device state in Device > Setup > Operations > Export device state; this option exports the private key from the PA-220. On the PA-440, use the same option to import the device state, so the private key resides on the new firewall, then commit.
02-08-2024 11:25 AM
Hi @EddieReyes ,
Sorry that I wasn't clear! Open the GUI configuration for "Service Account password used under User ID" and retype the password.
Yes, Master Key and Diagnostics. The NGFW uses a default master key if it is not configured. You do not need to do anything for it.
Thanks,
Tom
02-08-2024 02:10 PM
No apologies needed, Tom. I really appreciate the help. I ended up having to import the SSCerts and provide the UserID account password and preshared keys for S2S tunnels. I was able to commit after that.
Thank you for sharing your expertise. I appreciate it.
Eddie
02-08-2024 02:12 PM
Thank you, Alejandro.
I tried exporting and importing the device state, but the commit still failed like before. I tried several times and rebooted in between, but no cigar. I ended up having to import the SSCerts and provide the UserID account password and preshared keys for S2S tunnels. I was able to commit after that.
Like Tom, thank you for sharing your expertise. I appreciate that.
Eddie
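An added example, not part of the thread and not Palo Alto Networks tooling: a pre-migration check that lists where an exported configuration holds encrypted secrets (certificate private keys, the User-ID service account password, site-to-site pre-shared keys), so you know what to re-enter or re-import if the new firewall cannot decrypt them at commit. It assumes encrypted values are stored with a `-AQ==` prefix; the sample XML and its element names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Assumption: secrets encrypted with the master key are stored with this prefix.
ENC_PREFIX = "-AQ=="

# Constructed sample, not a real export; element names are illustrative.
SAMPLE_CONFIG = """<config>
  <shared><certificate>
    <entry name="ss-decrypt-ca">
      <common-name>ss-decrypt-ca</common-name>
      <private-key>-AQ==CONSTRUCTED0001</private-key>
    </entry>
  </certificate></shared>
  <devices><entry name="localhost.localdomain">
    <network><ike><gateway><entry name="s2s-branch">
      <authentication><pre-shared-key>
        <key>-AQ==CONSTRUCTED0002</key>
      </pre-shared-key></authentication>
    </entry></gateway></ike></network>
    <vsys><entry name="vsys1"><user-id-collector><setting>
      <wmi-account>svc-userid</wmi-account>
      <wmi-password>-AQ==CONSTRUCTED0003</wmi-password>
    </setting></user-id-collector></entry></vsys>
  </entry></devices>
</config>"""


def find_encrypted_values(xml_text):
    """Return sorted config paths of leaf elements holding encrypted values."""
    hits = []

    def walk(elem, path):
        name = elem.get("name")
        here = f"{path}/{elem.tag}" + (f"[{name}]" if name else "")
        text = (elem.text or "").strip()
        if len(elem) == 0 and text.startswith(ENC_PREFIX):
            hits.append(here)  # record the location only, never the value
        for child in elem:
            walk(child, here)

    walk(ET.fromstring(xml_text), "")
    return sorted(hits)


if __name__ == "__main__":
    for path in find_encrypted_values(SAMPLE_CONFIG):
        print("re-enter or re-import on the new firewall:", path)
```

Run it against the exported XML from the old firewall before the cutover and keep the output with the change record; the export itself contains key material and should be stored and deleted accordingly.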
04-16-2024 02:17 PM
I'm not aware of Expedition, is that a separate tool? Also, I'm wondering about how the interfaces will line up since they aren't one-for-one. For example, the 220s have 8 ethernet interfaces 1/2-1/8, but the 445s have 9 interfaces with the mgmt. interface being at 1/1 and the rest from 1/2-1/9.
Thanks for your input!
04-17-2024 05:07 AM
Expedition is a community-supported migration tool.
I have used it to migrate from 4 ASAs and 1 Sonicwall to Palo Alto Firewalls. Those migrations went really well.
Here is a link if you want to learn more: https://live.paloaltonetworks.com/t5/expedition/ct-p/migration_tool