PA-3020 to PA-460 Migration

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Palo Alto Networks Approved
Palo Alto Networks Approved
Community Expert Verified
Community Expert Verified

PA-3020 to PA-460 Migration

L1 Bithead

Hi All,

We are migrating one of our PA-3020 to PA-460 next Monday. 

> PA-3020 is managed with the Panorama.

> Panorama is in the version 10.0.11 and the PA-3020 is in the version 8.1.18.

> Could you please help me with what all need to be considered while migrating this firewall to PA-460.

> Panorama is hosted on a VM.

> Can i just export the named configuration and current version of PA-3020 and import it to the PA-460 directly?

> Also the export includes the management details as well? If yes, just adding the new SN on the Panorama will be enough to get the connectivity to PA-460 and Panorama?

> If the version of PA-460 is 10.x.x and we exporting the configuration from PA-3020 version 8.1.18 will that be a problem?

> Also please share me the best practices during the migration so that it will be helpful for my future migrations.

 

Regards,

Sanjay S

4 REPLIES 4

Cyber Elite
Cyber Elite

Hello @sanjay.ramaiah

 

thank you for the post!

 

Exporting configuration from PA-3020 and importing it to PA-460 will most likely result error. The difference in interfaces and hardware + different PAN-OS versions will prevent import and commit. Although there are ways to go around it, I believe it would be easier to bring PA-460 online with basic configuration to register it in Panorama, then push the configuration from Panorama. In this way, you can re-use existing configuration in Device Group / Template Stack. For Template, you will have to make modifications to accommodate differences in target device model like interfaces / HA setting,...

 

In order to assist further, could you please confirm whether PA-3020 is fully managed by Panorama or there is some configuration managed locally?

 

Kind Regards

Pavel

Help the community: Like helpful comments and mark solutions.

Hi Pavel,

Some of the configuration is managed locally.

Regards,

Sanjay S

Please help on this asap i need to provide complete change plan by End of today. Could you please help the steps on how to migrate the device which is managed by Panorama. From Panorama templates are being pushed and most of the configuration of the device is managed locally.

This is the first time planning the migration so please suggest the best way and best practices to follow please.

Cyber Elite
Cyber Elite

Thank you for reply @sanjay.ramaiah

 

below answer is the best I can come up with considering limited knowledge of your environment.

 

For the migration of the local device configuration, probably the easiest way are below steps:

 

1.)

Perform initial configuration of PA-460. Below links might be useful:

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/getting-started/integrate-the-firewall-in...

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClN7CAK

 

By following config from above links, you will be able to SSH/GUI to new Firewall. From here you can move to actual configuration migration.

 

2.)

SSH to PA-3020 and issue below commands. Ideally set logging session to text file.

> set cli config-output-format set
> set cli pager off
> configure
# show

 

then SSH to PA-460 and issue:

 

> set cli scripting-mode on

> configure

 

then paste the configuration you got from PA-3020. You can paste commands in bulk, but watch out for any errors. Ideally instead of blindly copy & paste all configuration, paste only what is relevant and want to move across to PA-460.

 

Since you will be going from PAN-OS 8.1 to 10.X there are some syntax differences that might require you to configure some of the part of the configuration from scratch. Personally, I would take an opportunity to move as much configuration as possible to Panorama and push it from there. By having configuration In Template / Device Group, you can in the future easily re-use / standardize configuration. I feel this is a better way to do it.

 

Regarding Panorama part, please check below steps.

 

1.)

Before you can onboard PA-460 to Panorama, you will have to make sure that Panorama runs the higher or the same PAN-OS version as managed Firewall. In your case, you are running PAN-OS 10.0.11 which is already end of life. PA-460 will be shipped either with 10.1.X or with 10.2.X, so Panorama upgrade is necessary.

 

2.)

After you complete Panorama upgrade, you can register Firewall in Panorama. You can follow this link: https://docs.paloaltonetworks.com/panorama/10-1/panorama-admin/manage-firewalls/add-a-firewall-as-a-...

 

3.)

Personally, I would clone current Template/Template Stack of existing PA-3020 and made necessary modifications. Since PA-460 seems to have the same function, I would place it to the same Device Group. After these settings are in place, I would push this to PA-460. If there is no error, I would plan for cut over.

 

4.)

Personally, on the day of cut over, I would announce maintenance window and move cable across from PA-3020 to PA-460. You did not mention whether you have HA pairs, if yes, I would plan cut over differently with less downtime. Since device is already per-configured either locally or from Panorama, the migration day should be only about cabling and troubleshooting.

 

It is likely that during preparation for this migration you will come across all sorts of issues or errors. You can share it here, if I know the solution I will follow up with it.

 

Kind Regards

Pavel

Help the community: Like helpful comments and mark solutions.
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!