07-19-2017 01:54 PM
Hi
We are replacing a 3060 with a 5220. I do understand that Tech Support doesn't recommend moving the configuration file between two different models.
Are there any items that can be transferred, so we don't have to recreate all of it?
Thanks
07-19-2017 02:13 PM - edited 07-19-2017 02:40 PM
Hi,
I believe you still can do it (it never hurts to try 😄 ).
Make sure:
1) Both units are on the same PAN-OS release before exporting the existing config from the 3060 device.
2) Both units have the same licences.
3) If the interface names/mapping are different, you might need to modify the .xml file manually, save it and import it into the new 5020 unit.
4) Validate the config before commit with the "Validate Commit" option.
If there are any errors, export the candidate config as an .xml file from the 5020 unit and modify it again. Repeat the process until you can successfully validate the config, then do a "commit".
I have done this before (between other models), so it should work for you too.
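The export, edit, import and validate steps in the reply above can be scripted for the interface-renaming part. The Python below is an added example and is not code from this thread or from Palo Alto Networks. The XML fragment is a constructed, minimal imitation of the exported config layout (network/interface/ethernet definitions, zone and virtual-router members, a NAT to-interface), and the port mapping ethernet1/1 -> ethernet1/21, ethernet1/2 -> ethernet1/22 is an illustrative assumption. It renames definitions and every reference in one pass, refuses a mapping that would collide with a port that already exists on the target, and lists references to ports that are no longer defined, which is the kind of error "Validate Commit" would otherwise report.

```python
"""Remap physical interface names in an exported PAN-OS XML configuration so
it can be imported on a model whose ports are numbered differently.
Added example, not code from the original thread or vendor; the XML below is
a constructed, minimal imitation of the exported config layout and the port
mapping is an illustrative assumption."""
import re
import xml.etree.ElementTree as ET

# Constructed sample: two ports on the old box, referenced from a virtual
# router, two zones and a NAT rule (the places a rename is easy to miss).
OLD_CONFIG = """<config version="8.0.0">
<devices><entry name="localhost.localdomain">
 <network>
  <interface><ethernet>
   <entry name="ethernet1/1"><layer3>
    <units><entry name="ethernet1/1.10"><tag>10</tag></entry></units>
   </layer3></entry>
   <entry name="ethernet1/2"><layer3/></entry>
  </ethernet></interface>
  <virtual-router><entry name="default"><interface>
   <member>ethernet1/1</member><member>ethernet1/1.10</member><member>ethernet1/2</member>
  </interface></entry></virtual-router>
 </network>
 <vsys><entry name="vsys1">
  <zone>
   <entry name="untrust"><network><layer3><member>ethernet1/1</member></layer3></network></entry>
   <entry name="trust"><network><layer3><member>ethernet1/2</member></layer3></network></entry>
  </zone>
  <rulebase><nat><rules><entry name="outbound">
   <to-interface>ethernet1/1</to-interface>
  </entry></rules></nat></rulebase>
 </entry></vsys>
</entry></devices>
</config>"""

# Assumed port mapping old model -> new model (illustrative only).
PORT_MAP = {"ethernet1/1": "ethernet1/21", "ethernet1/2": "ethernet1/22"}

# Physical ports and aggregate groups, with an optional subinterface unit.
IFACE_RE = re.compile(r"^(ethernet\d+/\d+|ae\d+)(\.\d+)?$")


def remap_name(name, mapping):
    """Rename a port, keeping a subinterface suffix (ethernet1/1.10 -> ethernet1/21.10)."""
    base, dot, unit = name.partition(".")
    return mapping.get(base, base) + dot + unit


def interface_definitions(root):
    """Names of every physical interface and subinterface defined in the config."""
    return {e.get("name") for e in root.iterfind(".//network/interface//entry")
            if IFACE_RE.match(e.get("name", ""))}


def interface_references(root):
    """Interface names used as element text outside the definition subtree
    (zone members, virtual-router members, NAT to-interface, ...)."""
    in_defs = {id(e) for d in root.iterfind(".//network/interface") for e in d.iter()}
    return {el.text.strip() for el in root.iter()
            if id(el) not in in_defs and el.text and IFACE_RE.match(el.text.strip())}


def check_mapping(root, mapping):
    """Mapping targets that already exist and are not themselves remapped
    would silently merge two interfaces; return them so the caller can refuse."""
    untouched = interface_definitions(root) - set(mapping)
    return sorted(set(mapping.values()) & untouched)


def remap_config(xml_text, mapping):
    """Return (new_xml, renamed_count, dangling_refs).  Definitions are renamed
    via entry@name and references via element text; each element is read once
    from its original name, so swapping two ports in one mapping is safe."""
    root = ET.fromstring(xml_text)
    collisions = check_mapping(root, mapping)
    if collisions:
        raise ValueError(f"mapping targets already defined: {collisions}")
    renamed = 0
    for el in root.iterfind(".//network/interface//entry"):
        name = el.get("name", "")
        if IFACE_RE.match(name) and remap_name(name, mapping) != name:
            el.set("name", remap_name(name, mapping))
            renamed += 1
    for el in root.iter():
        text = (el.text or "").strip()
        if IFACE_RE.match(text) and remap_name(text, mapping) != text:
            el.text = remap_name(text, mapping)
            renamed += 1
    dangling = sorted(interface_references(root) - interface_definitions(root))
    return ET.tostring(root, encoding="unicode"), renamed, dangling


if __name__ == "__main__":
    new_xml, count, missing = remap_config(OLD_CONFIG, PORT_MAP)
    print(f"renamed {count} occurrences; dangling references: {missing}")
    print(new_xml)
```

To use it on a real export, replace OLD_CONFIG with the file contents and keep the dangling list empty before importing. Interface types outside the ethernet/ae pattern (loopback, tunnel, vlan) and the HA-specific settings are deliberately left alone and still need a manual pass before the commit validation.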
07-19-2017 02:47 PM
I've done this recently. The two areas you'll likely run into problems with: 1.) High Availability configuration. The 5220 uses the HSCI port for HA2/HA3 traffic, where the 3060 used dedicated HA2 interfaces for session sync and dataplane interfaces for HA3 traffic.
2.) Also, the 5220 requires one of the dataplane ports to be configured as a "Log Interface" for external log forwarding.
Other than that, most of the other things seemed to transfer over just fine.
I took a slightly different approach, I took a 5220 "empty" configuration as a base configuration, and then cut things out of the older firewall's .xml config file and pasted it into the 5200's config file. It wasn't too much work... Didn't have to touch firewall objects, or policies, etc. Those were exactly the same.
02-13-2018 12:23 PM
Can someone confirm that the 5220 requires the HSCI port for the data link between both firewalls in an Active/Passive configuration? I am trying to configure it using the HA2 port, but I do not even have any option other than HSCI.
02-13-2018 01:08 PM
If you want to use the management plane for HA2, then yes, you have to use HSCI.
The other possibility is that you use a dataplane port and configure it as Type HA. As soon as you do that, you can choose that port in the HA configuration.
06-28-2018 01:42 AM
Hi, when you said: "the 5220 requires one of the dataplane ports to be configured as a "Log Interface"", is this a requirement or an option? I could not find anything in the 5220 documentation. I am planning a 5220 and this would be a big difference. Can the log forwarding be done over the Management interface?
06-28-2018 07:44 AM
Log forwarding by default is done via the management interface. The PA-5220 can forward logs via a different interface by configuring a Service Route. I believe that part of the answer isn't correct; you don't need any special 'Log Interface' unless you are using a 7000 series chassis.