This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

PA 5050 & 5060 replacement with PA 5250

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Content translations are temporarily unavailable due to site maintenance. We apologize for any inconvenience.

PA 5050 & 5060 replacement with PA 5250

Gchander
L1 Bithead

‎11-15-2019 12:46 AM

Firewall upgrade/replacement

Dear All,

 

Can anyone please advise on any specific points to be taken care for a hardware replacements for a pair of firewall 5060 fully managed by Panorama & to be replaced with 5250. 

To me a high level plan looks like.

1. Prepare the new firewalls via importing device state with new mgmt ips to avoid any duplicate in network.

2. Test the failovers on the new pair.

3. Add the panorama server ip in the new firewalls.

4. Add the new serial numbers of the new firewalls to the Panorama under managed devices, match the threat & antivirus version, migrate the license?

5. Change the policy target to any in case of if any specific target group was selected.

6. Disconnect the secondary firewall to be replaced & power on the new 5560 unit.

7. Double check the priority on the firewalls to avoid any issues with taking over issues & make it the active.

8.Push the policy on the secondary firewall.

9. Create the device group.

 

Is there any thing else needs to be taken care? Does anything related to master key is required?

 

0 Likes Likes
1 REPLY 1

S.Cantwell
Cyber Elite
Cyber Elite

‎11-16-2019 10:45 AM

Excellent question

 

Here are steps from the Panorama 220 course.

 

Configure the management interface of the new firewall.
Review and update the PAN-OS software.
Review and update the dynamic updates.

 

Use the Palo Alto Networks Customer Support Portal to transfer license assignments from the serial number of the old firewall to the serial number of the new firewall

 

From the Panorama command line, execute one of the following commands:
> scp export device-state device <old-serial#> to <login> @ <ServerIP>: <path>
> tftp export device-state device <old-serial#> to <login> @ <serverIP>: <path>


To replace the serial number of the old firewall with the new one, execute the following commands:
> replace device old <old-serial#> new <new-serial#>
> configure
# commit

 

Access the management user interface of the new firewall:
Import the device state.
Perform a commit after the import is complete.

 

On Panorama:
Select Commit > Commit and Push and Edit Selections in the Push Scope.
Select the Device Groups tab and select the device group that contains the new firewall.
Select Include Device and Network Templates.

 

 

 

Please help out other users and “Accept as Solution” if a post helps solve your problem !
0 Likes Likes
  • 3563 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2025 - Palo Alto Networks