PaloAlto Cluster migration from PA 5020 version 7.1.16 to PA 5220 version 8.1.8

L2 Linker

Hi,

I would like to migrate one old PA 5020 cluster version 7.1.16 to a PA 5220 cluster version 8.1.8. I would appreciate it if someone can help me with the process to follow for this migration, as this is my first PaloAlto firewall migration project and I don't have a document to follow.

Thanks

JP


All Replies
Cyber Elite

@JyotiPrakash,

So this migration is actually going to be really straight-forward. You just need to bring your 5020s up to 8.1.8.

1) Ensure firewalls are on the same version

2) Export the configuration of both peers

3) Import configurations from the 5020 to the 5220s

4) Load configuration to the new PA-5220s

5) Verify configuration and correct any issues.

6) Commit.

L2 Linker

Thank you so much for your help in this. I had a case with PaloAlto TAC and they suggested using their migration tool, as the Export/Import will not work due to the different hardware specification. I'm not sure if I need to use their migration tool or Export/Import to restore on the new 5220 clusters. Also, TAC informed me that the 5220 has different interfaces and HA ports, which is also a major difference.

Could you please help me with this confusion?

Cyber Elite

@JyotiPrakash,

The migration tool would allow you to correct the validation issues before moving the configuration onto the 5220. 

The differences between the 5220 and the 5020 aren't large enough to give you any issues with importing and loading the configuration. You will have validation issues that you'll need to correct when the configuration is loaded, but once corrected the configuration will commit perfectly fine.

You can use either method, but I personally find the migration tool annoying to actually get set up and work with if this is something you'll only do every 5 years.

L2 Linker

Thanks. For me, using the migration tool is like an overhead, but Export/Import seems an easy way for this migration. I was confused by the TAC guys really. Also, I have never done any PaloAlto migration in the past, so I don't have such experience.

But I think it's now clear to use export/import to complete the migration.

How can I validate the configuration before the final commit? Also, do I need to do a factory reset of the new 5220 devices to load the latest backup? My plan is to load the old export/import config first to fix the errors, and then the latest config backup after that to make the final day cutover.

Cyber Elite

About 2 years ago I migrated a 5060 pair to a 5220 pair following the same suggested path as @BPry. You can easily modify the XML export to account for the port changes. Also take note that HA config ports are also going to be different, but other than that it really is a much simpler process than it feels like it should be.

I also agree that the migration tool is more work than it's worth for this task.

L2 Linker

Thanks a lot for sharing your experience. I'm getting more confident after going through the real-time experiences shared by you all on this thread :).

Yes, I think I can change the HA ports once I import the device state backup?

Also, "you can easily modify the XML export to account for the port changes"? How can I modify the XML export for the ports? Please help me with this if you can.


thanks a lot for your help!!
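
The XML edit discussed in the replies above, sketched as an added example (not code from any poster or from Palo Alto Networks): it renames interfaces by exact match so ethernet1/1 never rewrites ethernet1/10, carries subinterface suffixes across, and only reports HA ports and unmapped interfaces for manual review, so no interface silently lands in the wrong zone. The trimmed XML sample and the port plan are constructed assumptions; a real export has many more sections.

```python
import re
import xml.etree.ElementTree as ET

# Constructed, heavily trimmed PAN-OS-style export (sample data, not from the thread).
SAMPLE = """<config><devices><entry name="localhost.localdomain">
 <network><interface><ethernet>
  <entry name="ethernet1/1"><layer3><units><entry name="ethernet1/1.100"/></units></layer3></entry>
  <entry name="ethernet1/10"><layer3/></entry>
 </ethernet></interface></network>
 <vsys><entry name="vsys1"><zone>
  <entry name="untrust"><network><layer3><member>ethernet1/1.100</member></layer3></network></entry>
  <entry name="trust"><network><layer3><member>ethernet1/10</member></layer3></network></entry>
 </zone></entry></vsys>
 <deviceconfig><high-availability><interface><ha2><port>ethernet1/12</port></ha2>
 </interface></high-availability></deviceconfig>
</entry></devices></config>"""

# Hypothetical port plan (assumption): old 5020 port -> new 5220 port.
PORT_MAP = {"ethernet1/1": "ethernet1/5", "ethernet1/10": "ethernet1/6"}
IFACE = re.compile(r"^(ethernet\d+/\d+)(\.\d+)?$")

def remap(name):
    """Return (new_name, known); matches the whole port so 1/1 never hits 1/10."""
    m = IFACE.match(name or "")
    if not m:
        return name, True  # not a physical interface name: leave untouched
    base, unit = m.group(1), m.group(2) or ""
    return (PORT_MAP[base] + unit, True) if base in PORT_MAP else (name, False)

def migrate(xml_text):
    root, changed, review = ET.fromstring(xml_text), [], []
    ha_nodes = {n for h in root.iter("high-availability") for n in h.iter()}
    for el in root.iter():
        text = (el.text or "").strip()
        if el in ha_nodes:  # HA ports differ per model: report, never rewrite
            if IFACE.match(text):
                review.append(("ha", text))
            continue
        for kind, old in (("name", el.get("name")), ("text", text)):
            new, known = remap(old)
            if not known:
                review.append((kind, old))  # unmapped port: fix the plan first
            elif new != old and kind == "name":
                el.set("name", new)
                changed.append((old, new))
            elif new != old:
                el.text = new
                changed.append((old, new))
    return ET.tostring(root, encoding="unicode"), changed, review
```

Anything returned in `review` should be resolved by hand before the edited file is imported and loaded on the new pair.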
