Replace firewall order

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Replace firewall order

L4 Transporter

I have a question about upgrading a firewall to new model.  I've done it in the past but always seem to forget the order.

 

I have a firewall that is managed by Panorama, with some local policies also.  I have downloaded the device state from the existing firewall.  I have also added the serial number of new firewall to Panorama but I have not configured the blank firewall with the Panorama IP address yet.

 

Do I have to connect the blank firewall to Panorama first, wait for it to show connected in Panorama, push to new firewall and then restore the device state to new firewall?  I feel like the order of operations may be wrong here

4 REPLIES 4

Cyber Elite
Cyber Elite

@ce1028,

You would pull the device state for the old firewall and then replace the device on Panorama and commit the change. On the firewall you are setting up you would import the device state that you grabbed and commit that configuration. Once that's done you just need to sync the firewall and Panorama. 

Thanks @BPry  , so the below is accurate?   Note: Old device will remain online until cutover of new device

 

1) export device state of existing firewall

2) add Panorama IP address on new firewall, commit

3) add new firewall serial to Panorama, add new device to proper device group/template, commit to panorama 

4) import device state on new firewall, commit

5) push from Panorama to new device

 

 

 

Cyber Elite
Cyber Elite

@ce1028,

No, you can remove step 2 from your list entirely. You don't need to attach the device to Panorama before replacing the old device SN with the new device SN and loading the device state on the new firewall. 

Thanks @BPry but if I replace the device serial, then the existing firewall will no longer be managed by Panorama.  The plan is always to pre-configure the new firewalls and then cutover a different day.   I typically would replace the serial number only on a faulty device

 

Guess I'm missing something here

  • 2270 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!