Paloalto PAN OS7.1.6 to PA 3250 8.1.13 migration

Reply
Highlighted
L2 Linker

Paloalto PAN OS7.1.6 to PA 3250 8.1.13 migration

Hi,

 

I would like to migrate one PA 4020 EOL device which is on PAN-OS 7.1.8 and I got one new PA 3250 with 8.1.13 PAN-OS. Can someone please suggest how I can do this migration?

 

I appreciate your time and help. 

Highlighted
L2 Linker

Re: Paloalto PAN OS7.1.6 to PA 3250 8.1.13 migration

Hi Team,

 

Please help!!

Highlighted
Cyber Elite

Re: Paloalto PAN OS7.1.6 to PA 3250 8.1.13 migration

Hello,

Its best if both PAN's are on the same version. That way you can just copy the config over using export xml. Or if the config is a mess, you can start over with a new config from scratch.

 

Regards,

Highlighted
L2 Linker

Re: Paloalto PAN OS7.1.6 to PA 3250 8.1.13 migration

Thank you. Can I try to load the config on new PA-3250 if that can take the config from 7.1.6.8?

Highlighted
Cyber Elite

Re: Paloalto PAN OS7.1.6 to PA 3250 8.1.13 migration

@JyotiPrakash,

You could try but even if you can get it to load it wouldn't pass validation properly and you'll need to correct all of the errors. In a situation like this I would take the chance to go through the config and just rebuild it, migrating over objects so you don't have to go through and rebuild them. 

Highlighted
L2 Linker

Re: Paloalto PAN OS7.1.6 to PA 3250 8.1.13 migration

Thank you so much for your help. I will give it a try to load and fix all the error that may occur during the validation. I hope once the commit is successful that may work in production as well?

 

 

Highlighted
L2 Linker

Re: Paloalto PAN OS7.1.6 to PA 3250 8.1.13 migration

Hi,

I did a config Export from my production PA4020 and load it on PA3250 and got an error for only HA interfaces. I have fixed the HA interface error and commit and it went well. So can I go-ahead to replace the firewall now or will that be any problem?

Highlighted
Cyber Elite

Re: Paloalto PAN OS7.1.6 to PA 3250 8.1.13 migration

Hello,

I would say yes. Obviously do it during a maintenance window and replace one at a time. Perhaps do a side by side comparison of hte two device configs just to make sure the policies and configs are same/similar.

 

Regards,

Highlighted
L2 Linker

Re: Paloalto PAN OS7.1.6 to PA 3250 8.1.13 migration

Thank you so much for the help and support from all of of you. This old 4020 has only Firewall, NAT and OSPF routing config and has been successfully loaded to PA3250 without any error. I have validated the policy, objects, NAT etc and everything just match with existing PA4020. 

 

Kindly let me know if there is anything I need to check before I plan this migration. Also, I have my new PA3250 on PANOS 8.1.3h as per TAC recommended version. 

Tags (1)
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!