
Replace a PA-3060 with a PA-5220 keeping configuration the same


L0 Member

Hi

We are replacing a 3060 with a 5220. I do understand that Tech Support doesn't recommend moving the configuration file between two different models.

Are there any items that can be transferred, so we don't have to recreate all of it?

Thanks


Accepted Solutions

L6 Presenter

Hi,

I believe you still can do it (it never hurts to try 😄)

Make sure:

1) Both units are on the same PAN-OS release before exporting the existing config from the 3060 device

2) Both units have the same licences

3) If interface names/mappings are different, you might need to modify the .xml file manually, save it and import it into the new 5020 unit.

4) Validate the config before commit with the "Validate Commit" option.

[image: valid.JPG]

If there are any errors, export the candidate config as an .xml file from the 5020 unit and modify it again. Repeat the process until you can successfully validate the config, then do a "commit".

I have done this before (between other models), so it should work for you too

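Step 3 above is the part that is easiest to get wrong by hand, because an interface name appears in several places in the exported XML (the interface entry itself, the virtual router, every zone that uses it). The following is an added example, not code from the post or from Palo Alto Networks: it rewrites every whole-name reference in a constructed, simplified PAN-OS-style excerpt according to a hypothetical old-port to new-port mapping, then checks that no old name is left behind before you import and run Validate Commit.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified PAN-OS-style excerpt (not a real export): two ports,
# a virtual router and two zones that all reference the old interface names.
OLD_CONFIG = """<config><devices><entry name="localhost.localdomain">
<network>
<interface><ethernet>
<entry name="ethernet1/1"><layer3><ip><entry name="10.0.0.1/24"/></ip></layer3></entry>
<entry name="ethernet1/2"><layer3><ip><entry name="10.0.1.1/24"/></ip></layer3></entry>
</ethernet></interface>
<virtual-router><entry name="default"><interface>
<member>ethernet1/1</member><member>ethernet1/2</member>
</interface></entry></virtual-router>
</network>
<vsys><entry name="vsys1"><zone>
<entry name="trust"><network><layer3><member>ethernet1/1</member></layer3></network></entry>
<entry name="untrust"><network><layer3><member>ethernet1/2</member></layer3></network></entry>
</zone></entry></vsys>
</entry></devices></config>"""

# Hypothetical old-port -> new-port mapping; fill in from the new chassis's port layout.
IFACE_MAP = {"ethernet1/1": "ethernet1/21", "ethernet1/2": "ethernet1/22"}

def rename_interfaces(xml_text, mapping):
    """Rewrite every <entry name=...> and <member> text that exactly equals an old
    interface name (whole-name matching, so 'ethernet1/1' never touches
    'ethernet1/10'). Returns (new_xml, number_of_references_rewritten)."""
    root = ET.fromstring(xml_text)
    count = 0
    for el in root.iter():
        if el.tag == "entry" and el.get("name") in mapping:
            el.set("name", mapping[el.get("name")])
            count += 1
        elif el.tag == "member" and (el.text or "").strip() in mapping:
            el.text = mapping[el.text.strip()]
            count += 1
    return ET.tostring(root, encoding="unicode"), count

def leftover_references(xml_text, mapping):
    """Old interface names still present anywhere in the tree; empty means clean."""
    root = ET.fromstring(xml_text)
    found = set()
    for el in root.iter():
        for value in (el.get("name"), (el.text or "").strip()):
            if value in mapping:
                found.add(value)
    return found
```

A real export is much larger and may carry interface names in other attributes or text nodes, so treat an empty leftover set as necessary, not sufficient, and still rely on Validate Commit.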

L7 Applicator

I've done this recently. The two areas where you'll likely run into problems: 1.) High Availability configuration. The 5220 uses the HSCI port for HA2/HA3 traffic, where the 3060 used dedicated HA2 interfaces for session-sync, and dataplane interfaces for HA3 traffic.

Also, the 5220 requires one of the dataplane ports to be configured as a "Log Interface" for external log forwarding.

Other than that, most of the other things seemed to transfer over just fine.

I took a slightly different approach: I took a 5220 "empty" configuration as a base configuration, and then cut things out of the older firewall's .xml config file and pasted it into the 5200's config file. It wasn't too much work... Didn't have to touch firewall objects, or policies, etc. Those were exactly the same.

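The cut-and-paste approach in this reply can be done mechanically. The following is an added example, not the poster's or Palo Alto Networks' code: it copies selected vsys1 subtrees (address objects and the rulebase) from a constructed, simplified old export into a constructed "empty" base export from the new unit, and then reports rules that reference a zone the new config does not define, which is exactly the kind of dangling reference that Validate Commit would reject when zones (tied to the new box's interfaces) were deliberately not carried over.

```python
import xml.etree.ElementTree as ET

VSYS = "./devices/entry/vsys/entry[@name='vsys1']"

# Constructed "empty" export from the new unit (simplified, not a real PAN-OS file).
BASE_CONFIG = """<config><devices><entry name="localhost.localdomain">
<vsys><entry name="vsys1">
<zone><entry name="trust"/><entry name="untrust"/></zone>
</entry></vsys></entry></devices></config>"""

# Constructed export from the old unit carrying the objects and rules to move over.
OLD_CONFIG = """<config><devices><entry name="localhost.localdomain">
<vsys><entry name="vsys1">
<zone><entry name="trust"/><entry name="untrust"/><entry name="dmz"/></zone>
<address><entry name="web-srv"><ip-netmask>10.0.1.10</ip-netmask></entry></address>
<rulebase><security><rules>
<entry name="allow-web"><from><member>untrust</member></from><to><member>dmz</member></to>
<destination><member>web-srv</member></destination><action>allow</action></entry>
</rules></security></rulebase>
</entry></vsys></entry></devices></config>"""

SECTIONS = ("address", "rulebase")   # subtrees to carry over; zones stay with the new box

def transplant(base_xml, old_xml, sections=SECTIONS):
    """Return the base config with each listed vsys1 subtree replaced by the old unit's copy."""
    base, old = ET.fromstring(base_xml), ET.fromstring(old_xml)
    bvsys, ovsys = base.find(VSYS), old.find(VSYS)
    for tag in sections:
        src = ovsys.find(tag)
        if src is None:
            continue
        existing = bvsys.find(tag)
        if existing is not None:
            bvsys.remove(existing)
        bvsys.append(src)
    return ET.tostring(base, encoding="unicode")

def missing_zones(xml_text):
    """Zones named in security rules (from/to) that the vsys does not define."""
    vsys = ET.fromstring(xml_text).find(VSYS)
    defined = {z.get("name") for z in vsys.findall("zone/entry")}
    used = set()
    for side in ("from", "to"):
        used |= {m.text for m in vsys.findall(f"rulebase/security/rules/entry/{side}/member")}
    return used - defined

if __name__ == "__main__":
    merged = transplant(BASE_CONFIG, OLD_CONFIG)
    print("undefined zones referenced by rules:", missing_zones(merged))
```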

6 REPLIES


Can someone confirm that the 5220 requires the HSCI port for the data link between both firewalls in an Active/Passive configuration? I am trying to configure it using the HA2 port but I do not even have an option other than HSCI.

 

If you want to use the management plane for HA2, then yes, you have to use HSCI.

The other possibility is that you use a dataplane port and configure it as Type HA. As soon as you do that you could choose that port in the HA configuration.

Hi, when you said "the 5220 requires one of the dataplane ports to be configured as a 'Log Interface'": is this a requirement or an option? I could not find anything in the 5220 documentation. I am planning a 5220 and this will be a big difference. Can the log forwarding be done over the Management interface?

@BatD,

Log Forwarding by default is done by the management interface. The PA-5220 can forward logs via a different interface by configuring a Service Route. I believe that part of the answer isn't correct; you don't need any special 'Log Interface' unless you are using a 7000 series chassis.
