PaloAlto Cluster migration from PA 5020 version 7.1.16 to PA 5220 version 8.1.8

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

PaloAlto Cluster migration from PA 5020 version 7.1.16 to PA 5220 version 8.1.8

L2 Linker

HI,

I would like to migrate one old PA 5020  cluster version 7.1.16 to PA 5220 cluster version 8.1.8. I would appreciate if someone can help me with the process to follow for this migration. As this is my first PaloAlto firewall migration project and I don't have a document to follow. 

 

 

Thanks

JP

4 accepted solutions

Accepted Solutions

Cyber Elite
Cyber Elite

@JyotiPrakash,

So this migration is actually going to be really straight-forward. You just need to bring your 5020s up to 8.1.8.

1) Ensure firewalls are on the same verison

2) Export the configuration of both peers

3) Import configurations from the 5020 to the 5220s

4) Load configuration to  the new PA-5220s

5) Verify configuration and correct any issues.

6) Commit.

 

View solution in original post

@JyotiPrakash ,

The migration tool would allow you to correct the validation issues before moving the configuration onto the 5220. 

The differences between the 5220 and the 5020 aren't large enough to give you any issues with importing and loading the configuration. You will have validation issues that you'll need to correct when the configuration is loaded, but once corrected the configuration will commit perfectly fin . 

You can use either method, but I personally find the migration tool annoying to actually get setup and work with if this is something you'll only do every 5 year . 

View solution in original post

Thanks, for me using the migration tool, is like an overhead but Export/Import seems an easy way for this migration. I was confused by the TAC guys really. Also, I have never done any PaloAlto migration in the past, so I don't have such experience. 

 

But I think it's now clear to use export/import to complete the migration. 

 

How can I validate the configuration before the final commit? Also, can do I need to do a factory reset of the new 5220 devices to load the latest backup?. My plan is to load the old export/import config first to fix the errors first and then latest config backup after that to make the final day cutover. 

View solution in original post

About 2 years ago I mirgated a 5060 paid to a 5220 pair following the same suggested path as @BPry.  You can easily modify the XML export to account for the port changes.  Also take note that HA config ports are also going to be different, but other than that it really is a much simpler process than it feels like it should be.  

 

I also agree that the migration tool is more work than it's worth for this task.

View solution in original post

7 REPLIES 7

Cyber Elite
Cyber Elite

@JyotiPrakash,

So this migration is actually going to be really straight-forward. You just need to bring your 5020s up to 8.1.8.

1) Ensure firewalls are on the same verison

2) Export the configuration of both peers

3) Import configurations from the 5020 to the 5220s

4) Load configuration to  the new PA-5220s

5) Verify configuration and correct any issues.

6) Commit.

 

Thank you so much for your help in this. I had a case with PaloAlto TAC and they suggested to use their migration tool as the Export/Import will not work due to different hardware specification. I'm not sure if I need to use their migration tool or Export/Import back to restore on the new 5220 clusters.  Also, TAC informed that 5220 has different Interfaces and HA ports which has also a major difference. 

 

Could you please help me with this confusion.  

@JyotiPrakash ,

The migration tool would allow you to correct the validation issues before moving the configuration onto the 5220. 

The differences between the 5220 and the 5020 aren't large enough to give you any issues with importing and loading the configuration. You will have validation issues that you'll need to correct when the configuration is loaded, but once corrected the configuration will commit perfectly fin . 

You can use either method, but I personally find the migration tool annoying to actually get setup and work with if this is something you'll only do every 5 year . 

Thanks, for me using the migration tool, is like an overhead but Export/Import seems an easy way for this migration. I was confused by the TAC guys really. Also, I have never done any PaloAlto migration in the past, so I don't have such experience. 

 

But I think it's now clear to use export/import to complete the migration. 

 

How can I validate the configuration before the final commit? Also, can do I need to do a factory reset of the new 5220 devices to load the latest backup?. My plan is to load the old export/import config first to fix the errors first and then latest config backup after that to make the final day cutover. 

About 2 years ago I mirgated a 5060 paid to a 5220 pair following the same suggested path as @BPry.  You can easily modify the XML export to account for the port changes.  Also take note that HA config ports are also going to be different, but other than that it really is a much simpler process than it feels like it should be.  

 

I also agree that the migration tool is more work than it's worth for this task.

Thanks a lot for sharing your experience. I'm getting more confident after going through the real-time experiences shared by you all on this thread :).

 

Yes, I think I can change the HA ports once I import the device state backup?

 

Also, you can easily modify the XML export to account for the port changes??- How I can modify the XML export for the ports if you can please help me with this. 

 

thanks a lot for your help!!

Thanks a lot for sharing your experience. I'm getting more confident after going through the real-time experiences shared by you all on this thread :).

 

Yes, I think I can change the HA ports once I import the device state backup?

 

Also, you can easily modify the XML export to account for the port changes??- How I can modify the XML export for the ports if you can please help me with this. 

 

thanks a lot for your help!!

  • 4 accepted solutions
  • 8030 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!