PA Migration from 5050 to 5220 with below requirement-Suggesstions Request

Reply
Highlighted
L1 Bithead

PA Migration from 5050 to 5220 with below requirement-Suggesstions Request

Hi Team,

I have to Migrate PA from 5050 to 5220 for data center firewall.

We are using ASA for Internet.In PA data center firewall we have 2 vsys 1 for internal  another for DMZ.

Now the planis DC firewall we are migrating to 5220 afterthat ASA replaced by old 5050 Firewalls.

Task is we have to add 1 vsys in DC Firewall DMZ vsys in Internet firewall.

My plan is first migrte DC to New firewalls which is integrated with Panorama

later old firewall make it factory reset then migrate as per asa configuration then delete DMZ VSYS and configure to Internet firewalls.

Kindly suggest best practice as per this requirement.

Yazar Arafath
Highlighted
Cyber Elite

Hi @Yasar2020 

Prior to propose a migration procedure, are you going to use the 5050 for ssl decryption and if yes, how many users internettraffic should be protected by this firewall and what internet bandwidth do you have?

Highlighted
L1 Bithead

Thanks brother,

 

Exactly i am not sure how many users i will check and may i know how many maximum we can use for this 5050 and ssl decryption and bandwidth limitation please share these stuff so i will inform them before doing any changes.

 

Thanks for you response awaiting for your response.

 

Yazar Arafath
Highlighted
Cyber Elite

Hi @Yasar2020 

It really depends on the internetactivity. In my case we had situations where our 5050s were exhausted with 250mbps of internet traffic. The sessioncount I think was somewhere arount 18'000 concurrent sessions with about 12'000 decrypted sessions (it's already a while ago since I replaced them, so I am not 100% sure if I remember correctly). But with more and more websites offering decryption with stronger algorithms, the 5050 will probably have even faster not enough computing capacity for tls decryption. Without decryption the 5050s are probably still fast enough, but you cannot go higher than PAN-OS 8.1 which is also a point you should keep in mind when using these as internet firewall.

Highlighted
L2 Linker

We did a similar migration, I can suggest you this:

1. Register the new 5220 on the panorama and create different template and template stack for it.

2. Do manual configurations on the new firewalls, interfaces, VR, zones, profiles, ldap and everything. Ensuring the only interfaces connected in the network is only the management interface. (this will ensure no network conflict, when you configure interfaces)

3.Once the templates are pushed to devices through panorama, then you can add this firewall in the same device group as the internal Vsys.

4. Now when you do a device push, it will download all the same policies and NATs of the 5020 Internal Vsys on the new firewall.

5. download the Internal vsys configs and compare it with your 5220 config.

6. Build another vsys on the 5020 firewall for the internet ASA, and migrate all the config on this new vsys from the ASA.

7. when you have to do cutover, only remove the VR and zones from the interfaces configured in the internal VSYS on the 5020 and shut the vlans on the switch ports connected to the 5020 firewall.

8. enable the same vlans on the switch port connecting to the 5220 firewall.

9. shutdown the ASA and enable the new internet VSYS on the 5020 firewall.

 

Now at this point you should have new 5220 firewall with internal vsys and your 5020 firewall with internet and DMZ vsys.

 

the benefit of this method is quick rollback, in case required. You only have to shutdown the 5220 firewall and enable the VR and zones again in the internal vsys of the 5020 firewall and bring the ASA back into the network, which should just take 30 mins.

 

Hope this helps,

VR



Thanks & Regards,
Varun Rao
Senior Security Engineer, Victoria | Australia | NTT





Highlighted
L1 Bithead

Thanks brother.I really appreciate your response i will check and update the same.
Yazar Arafath
Highlighted
L1 Bithead

<p>Thanks brother.I really appreciate your response i will check and update the same.</p>

Yazar Arafath
Highlighted
L2 Linker

Sure, no worries mate. Do let us know how you went with it.



Thanks & Regards,
Varun Rao
Senior Security Engineer, Victoria | Australia | NTT





Highlighted
L1 Bithead

Hi Team,

palo alto 5050 to 5220 migration i need below clarification please suggest
--------------------------------------------------------------------------------------------
' Export device state (because firewall is managed by Panorama). Go to Device > Setup > Operations > Export device state.
 Import configuration snapshot/device state on the new firewall. Go to Device > Setup > Operations > Import named configuration snapshot OR Import device state.
 Load the config on the new firewall. (This step is not required if device state is imported). Go to Device > Setup > Operations > Load named configuration snapshot.
--------------------------------------------------------------------------------------------------

1.Export device state-This can be done by from panoramaor from individual firewall

2.Import configuration-named snopshot config --We exported Device state config how importing named snapshot config will work

3.Activating License once config management ip or after importing old configuration

4.Passive firewall named snapshot config will expect the ouput because it is currently passive

5.After Importing config do we need to add both firewalls or one by one if we do one by one different model so HA wont work.

 

 

Yazar Arafath
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!