PA-220 to PA-440 Migration Recommended Process


L2 Linker

I need to migrate 2 standalone PA-220s to PA-440s. The current PA-220s are running PAN-OS 10.2.4-h2.

I would like to know the recommended process for doing this.

Can I back up the configuration and system state and restore it on the PA-440?

Do I use Expedition to migrate the current config to the new firewall?

Thank you in advance

Eddie Reyes, PCNSA

Cyber Elite

Hi @EddieReyes,

You can back up and restore the configuration to the PA-440s. I have done it a few times. It works great. Once you load and commit, you can log in with the PA-220 admin password. You do not need to use Expedition, especially if your NGFWs are running the same PAN-OS.

You do not have to back up and restore system state, but that will work fine also. Here is a good discussion on the differences between the two.

https://live.paloaltonetworks.com/t5/general-topics/what-s-the-difference-between-each-of-export-bac...

Thanks,

Tom

Help the community: Like helpful comments and mark solutions.

L2 Linker

Thank you, Tom.  I appreciate the assist.

Eddie Reyes, PCNSA

Tom:

I was able to migrate one of the PA-220 to a PA-440 without problems.

The other showed commit failures. One of the failures is because the self-signed certificates have a Block Private Key icon next to the Key check. I tried manually exporting and importing the certs, but then I had a commit failure due to the Service Account password used under User ID. Have you ever seen this?

Thanks.
Eddie

Eddie Reyes, PCNSA

Cyber Elite

Hi @EddieReyes,

Yes, I have!  The master key may be different for the 2 NGFWs, and the new FW cannot decrypt the hash.  Open configuration box in the GUI and retype the password.  Then commit.

Thanks,

Tom

Help the community: Like helpful comments and mark solutions.

L2 Linker

Tom:

I am sorry to ask, but which master key are we talking about? I don't have a master key configured on either the old or new firewall.

Is it under Master Key and Diagnostics?  I am not using that.

Thanks.

Eddie

Eddie Reyes, PCNSA

Hi @EddieReyes, it could be that you have an issue with the certificates for decryption.

I recommend downloading the device state under Device > Setup > Operations > Export device state; this option exports the private key from the PA-220. On the PA-440, apply the same option to import the device state, so that the private key resides on the new firewall, then commit.

PCSPI, PCNSCx3, PCNSEx4, PCSAE, PCDRA

Cyber Elite

Hi @EddieReyes,

Sorry that I wasn't clear!  Open the GUI configuration for "Service Account password used under User ID" and retype the password.

Yes, Master Key and Diagnostics.  The NGFW uses a default master key if it is not configured.  You do not need to do anything for it.

Thanks,

Tom

Help the community: Like helpful comments and mark solutions.

No apologies needed, Tom.  I really appreciate the help.  I ended up having to import the SSCerts and provide the UserID account password and preshared keys for S2S tunnels.  I was able to commit after that.  

Thank you for sharing your expertise.  I appreciate it.

Eddie

Eddie Reyes, PCNSA

Thank you, Alejandro.

I tried exporting and importing the device state, but the commit still failed like before.   I tried several times and rebooted in between, but no cigar.  I ended up having to import the SSCerts and provide the UserID account password and preshared keys for S2S tunnels.  I was able to commit after that.  

Like Tom, thank you for sharing your expertise.  I appreciate that.

Eddie

Eddie Reyes, PCNSA
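
The items that had to be re-entered in this thread (certificate private keys, the User-ID service account password, site-to-site pre-shared keys) are all secrets stored encrypted in the configuration, so they can be inventoried from the exported config before cutover. The following is an added example, not part of the original thread and not Palo Alto Networks code; it assumes that master-key-encrypted values in the exported XML begin with `-AQ==`, and the sample config and its element names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Assumption: master-key-encrypted values in an exported config start with this.
ENCRYPTED_PREFIX = "-AQ=="

# Constructed sample, loosely shaped like an exported config; not a real export.
SAMPLE_CONFIG = """<config>
  <shared><certificate>
    <entry name="fw-selfsigned-ca">
      <public-key>-----BEGIN CERTIFICATE-----...</public-key>
      <private-key>-AQ==constructedBlobA</private-key>
    </entry>
  </certificate></shared>
  <devices><entry name="localhost.localdomain">
    <network><ike><gateway><entry name="s2s-branch">
      <authentication><pre-shared-key>
        <key>-AQ==constructedBlobB</key>
      </pre-shared-key></authentication>
    </entry></gateway></ike></network>
    <vsys><entry name="vsys1"><user-id-collector><setting>
      <wmi-account>svc-userid</wmi-account>
      <wmi-password>-AQ==constructedBlobC</wmi-password>
    </setting></user-id-collector></entry></vsys>
    <deviceconfig><system><hostname>branch-fw</hostname></system></deviceconfig>
  </entry></devices>
</config>"""


def find_encrypted_values(xml_text):
    """Return sorted paths of elements holding a master-key-encrypted value.

    Only the location is reported; the encrypted blob itself is never returned.
    """
    hits = []

    def walk(elem, path):
        name = elem.get("name")
        here = f"{path}/{elem.tag}" + (f"[@name='{name}']" if name else "")
        if (elem.text or "").strip().startswith(ENCRYPTED_PREFIX):
            hits.append(here)
        for child in elem:
            walk(child, here)

    walk(ET.fromstring(xml_text), "")
    return sorted(hits)


if __name__ == "__main__":
    # Each path is a secret to have on hand in case the new firewall cannot decrypt it.
    for path in find_encrypted_values(SAMPLE_CONFIG):
        print(path)
```

Run it against a copy of the exported configuration kept off shared storage, since the file still contains the encrypted secrets.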