05-18-2018 12:13 AM - edited 05-18-2018 12:14 AM
Lately a few customers are planning an upgrade from 3000 to the new 3200 and 5200. Often they run 7.1.x and the new platforms only support 8.1.x. Normally these are highly sensitive environments and the request is to shift the existing configuration with as little change as possible to reduce impact, and upgrading the old firewalls before the upgrade is not an option.
My first thought was using the Migration Tool. However, it looks like the tool has not been updated much lately, I guess because the effort is on Expedition, and I am worried about incompatibilities between the Migration Tool and PanOS 8.1 and the 3200 and 5200 platforms.
Another option would be taking the old config file and loading it full or partial, but there could be some incompatibilities between PanOS 7.1 and 8.1.
Can you please share any experience and ideas on doing the migrations?
05-21-2018 04:10 AM
05-18-2018 06:50 AM
05-18-2018 06:53 AM
I am looking to migrate the platform without using Panorama.
05-18-2018 07:38 AM
Then you probably have to migrate this config manually and hope for the best 😛
I have done something like that only with Panorama, so I have no real experience with your situation.
Things like the policy and objects aren't that different in the config XML, the same with network configuration. In the deviceconfig (and also in the other parts) there are new things to configure, but in general it will also work without having them configured. As it will be a trial-and-error process anyway with a migration from 7.1 to 8.1, the easiest way is to export and import the config and check for errors when you try to commit.
05-21-2018 12:31 AM
Thanks for that. I was hoping someone could help with better advice than "hope for the best". The load config and clearing errors method would work on a small config, but can be difficult in large deployments and it is not very reassuring for a large customer.
05-21-2018 01:48 AM
Hi @BatD
Here are some other methods (until someone writes in the community who already solved your problem):
All in all, the trial-and-error method probably isn't that bad. Of course this needs some time, but as the new hardware should already be there ... and after the first one, you probably know what to check and the remaining ones will be easier...
05-21-2018 03:50 AM
How comfortable are you working on the actual XML configuration file? To the best of my knowledge this is going to be a manual conversion if you can't get them to upgrade their box. The manual process is relatively seamless if you understand how the XML config is actually put together and have a rough understanding of how it gets parsed.
I would recommend doing as much of the migration manually and doing as much verification as possible. Then, when it comes to actually migrating traffic over to the new box, schedule a larger maintenance window. If the firewall is in an HA pair, then you can easily do this without risking too much, as you always have the option of simply failing back to the old firewall if needed until you can fine-tune the configuration.
Really though the manual process and a good review period should prevent any issues for something like this.
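One way to do the verification recommended above, as an added example that is not part of the original thread: export the config from the old firewall and from the new one after loading, then compare them leaf by leaf so that dropped rules or changed values stand out before the cutover. The two config strings are constructed samples, and `flatten` and `diff_configs` are hypothetical helper names.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

def flatten(xml_text):
    """Map each leaf's path to the sorted list of text values found there."""
    leaves = defaultdict(list)

    def walk(elem, prefix):
        # <entry name="..."> elements are keyed by name so paths stay unique.
        name = elem.get("name")
        path = f"{prefix}/{elem.tag}" + (f"[{name}]" if name else "")
        children = list(elem)
        if not children:
            leaves[path].append((elem.text or "").strip())
        for child in children:
            walk(child, path)

    # Inputs are assumed to be your own exported configs, not untrusted XML.
    walk(ET.fromstring(xml_text), "")
    return {p: sorted(v) for p, v in leaves.items()}

def diff_configs(old_xml, new_xml):
    """Report leaves lost, added, or changed between two config exports."""
    old, new = flatten(old_xml), flatten(new_xml)
    return {
        "missing": sorted(set(old) - set(new)),   # dropped during migration
        "added": sorted(set(new) - set(old)),     # new on the target release
        "changed": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }

# Constructed sample configs (not taken from a real firewall).
WRAP = ('<config><devices><entry name="localhost.localdomain"><vsys>'
        '<entry name="vsys1"><rulebase><security><rules>{}</rules>'
        '</security></rulebase></entry></vsys></entry></devices></config>')
OLD_CFG = WRAP.format(
    '<entry name="allow-web"><application><member>web-browsing</member>'
    '<member>ssl</member></application><action>allow</action></entry>'
    '<entry name="deny-all"><action>deny</action></entry>')
NEW_CFG = WRAP.format(
    '<entry name="allow-web"><application><member>web-browsing</member>'
    '</application><action>allow</action><log-end>yes</log-end></entry>')

if __name__ == "__main__":
    for kind, paths in diff_configs(OLD_CFG, NEW_CFG).items():
        for p in paths:
            print(f"{kind:8} {p}")
```

Entries under `missing` and `changed` are the ones to review by hand; `added` entries are expected where the newer release introduces settings the old config never had.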
05-21-2018 04:04 AM
I am fairly comfortable working with XML; however, how do you know what to change in the 7.1 XML to convert it to 8.1?
05-21-2018 04:10 AM