PA Migration from 3050 to 5220 Appliances

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Palo Alto Networks Approved
Palo Alto Networks Approved
Community Expert Verified
Community Expert Verified

PA Migration from 3050 to 5220 Appliances

L1 Bithead

Seeking a little bit of advice with an upcoming Migration we are performing. 

 

We currently have an HA pair of PA-3050's that are being managed within Panorama (M-200). This HA Pair, is one of (2) Perimeter Firewalls we have in place going to our ISP. So within Panorama this HA pair is in 2 device Groups. Which is making me second guess what the process should look like. 

 

Right now we basically have a Device Group for HA Pair 1, and HA Pair 2, that are separate, for applying rules that pertain to DMZ's that exist exclusively on those pairs, and then we have a Device Group that contains both Pair 1 and 2, which is for managing outbound Inet rules from internal networks. 

 

The plan is to save and export the configuration of both devices in this HA pair 1, and load and import them onto the 2 new 5220's. Then configure HA, and configure the ports, and verify configuration is good. 

 

But then when it comes to Panorama Management, would I have to Import the configuration of this device to Panorama and create a new solo object group for it, and remove the old HA pair group? -- then add it to the perimeter device group from there? 

 

Hoping my question makes sense here. 

 

Thanks, 

 

Marshall 

4 REPLIES 4

Cyber Elite
Cyber Elite

Hello @m.hughes1

 

thank you for the post!

 

Exporting configuration from PA-3050 and importing it to PA-5220 will most likely fail because of interface, hw differences. The workaround would be to export configurations from both Firewalls, then manually edit XML file from PA-3050 to match format of PA-5220, then import it to PA-5220. Since you mentioned that existing PA-3050 is managed by Panorama and new Firewall that will be replacement will also be managed by Panorama, you do not have to configure anything locally except of basic configuration to bring Firewall online to be registered in Panorama. Basically instead of importing configuration, you can push all configuration from Panorama's Device Group and Template Stack.

 

Regarding Panorama part, since existing Firewall and new one have the same function and configuration, I would personally recommend to clone existing, Template Stack, then edit it to accommodate configuration differences in HA and interfaces in new template. Regarding Device Group, I do not see any reason why not to place new Firewall into the same Device Group as existing Firewall.

 

As a next step, I would push the configuration from Panorama to PA-5220 while keeping all cables except of HA and management disconnected to prevent IP address duplication. On the day of migration, I would disconnect PA-3050 and cable PA-5220 to bring it online and complete Firewall migration.

 

As a final step, I would remove PA-3050 from Panorama and cleaned up unused configuration.

 

If I misinterpreted any part of your question or you would like to deep dive, do not hesitate to reply and ask. Such kind of migration is hard to tackle in a single reply.

 

Kind Regards

Pavel

Help the community: Like helpful comments and mark solutions.

Thank you so much for your reply, this made a lot of sense. 

 

So here is where I stand right now, and the dilemma I have, 

 

I brought up the new 5220's, and I made the changes to the interface configurations, and cloned the template, and made a new template stack, and was able to get all of the template items pushed to the new 5220 HA pair through Panorama. 

 

But when it comes to the device group, we have roughly 500 NAT rules, a lot of which reference the interface in the translation; and since the interface is not the same it errors out when pushing to the devices. 

 

So my thought was to create a new device group since I can't use the old for the above reason. But I can't find any way to clone the Device Group, and I dont want to re-create 500+ ACLs and 500+ NAT rules. 

 

I looked it up and saw the partial load configuration command line, but I keep getting invalid syntax, and I tried creating a new Device Group and cloning just the NAT rules to it but that throws an error as well when I try to clone them to the new device group. 

 

Trying to find a way to get this device group cloned, so I can then edit the NAT translations to reflect the new interface mappings. 

Cyber Elite
Cyber Elite

Thank you for reply @m.hughes1

 

It is not possible to clone a Device Group, however my general approach would be to clone existing NAT rules to a new Device Group. You mentioned that it is throwing an error. Would you mind sharing what the error says? My guess is it is complaining about some dependency (Object, IP address,..) that is not present in new Device Group. 

 

Alternative approach would be to go to CLI and issue below commands with logging output into text file:

 

> set cli config-output-format set

> configure

# show device-group <Name of the Device Group>

 

The above command will output all configuration from Device Group. Look up all set commands for NAT paste them into text editor and edit config part that is erroring. If it is about interface or else, possibly you can do it in bulk with "find & replace" function in text editor. After you have final configuration, you can set:

 

> set cli scripting-mode on

# configure

 

then paste all NAT configuration back to Panorama. Do not forget to replace target Device Group in set commands to new Device Group. With scripting mode on, you can paste bulk configuration, however you should still watch out for any errors.

 

Do not forget to disable scription mode and commit:

 

> set cli scripting-mode off

 

Kind Regards

Pavel

Help the community: Like helpful comments and mark solutions.

I took a second look after you mentioned the error most likely being a conflict, and originally I was confused because the error referenced the serial numbers of the devices in the Original Device Group. But then I saw when the rule was created, they put those specific devices in the target field. So that was resolved. 


I will go through and clean up the rest of the conflicts. This seems to put me on the right track. 

  • 2770 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!