05-06-2016 10:57 AM - edited 05-06-2016 11:07 AM
Is it possible to restore a backup configuration from say a PA5000 series to a PA3000 series? I know there are obviously interface differences between the platforms, and I couldn't find any recent documentation explaining if this is possible.
Thank you.
05-06-2016 11:08 AM
Yes, it is possible to move configurations between different models of firewalls. There are some cases where there will be differences in the configs that must be modified first, such as interface #s, HA ports, etc.
There will be some other considerations when taking a config from one platform to a smaller one. The higher-end devices support more objects, zones, policies, routes, tunnels, etc. As long as you're not exceeding the capacity of the smaller device, you should be good.
If you run into any problems, you can edit the .xml config from the larger device, resolve the issue, save the new config, and then import into smaller one.
Good luck!
05-06-2016 11:10 AM
In that case, do we need to manually edit the XML file to remove things such as interfaces that don't exist? Are there other areas that would need to be edited as well?
I don't anticipate any issues with the number of objects, zones, policies, etc.
05-06-2016 01:46 PM
You'll import the config and then commit. If the commit fails, you'll get an error message pointing out what is wrong with the config. At that point you can edit the XML, re-import/commit and go from there.
05-06-2016 02:38 PM
I think you can do this a bit more easily with the migration tool as well - I haven't tried it myself, but it's worth a shot.
- sometimes working w/ the XML can be a bit much. And in some cases you can corrupt the XML file. (FYI)
The migration tool can be found here, it's a great tool:
https://live.paloaltonetworks.com/t5/Migration-Tool-Articles/Download-the-Migration-Tool/ta-p/56582
05-08-2016 05:52 AM
I have done this type of migration by editing the XML as we had different models in the Lab and production in that environment.
The difference between the platforms will be the interface name assignments. The technique is to create a mapping document for yourself that shows the config's current interface name and the destination device interface name.
You then use a basic text-only editor (nothing that does any RTF formatting at all) and do a global search and replace for the interface names.
You then import the modified config into the new device.
This gets trickier when you are doing partial loads, as you then also need to be sure you don't have other overlapping names or objects to contend with. And in this case you upload the config and use the load partial commands on the CLI to pull in only the sections you want.
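The interface remap described in the post above, as an added example that is not from the thread or from Palo Alto Networks. It shows how a row-by-row global search and replace corrupts names (`ethernet1/1` also hits `ethernet1/10`, and swapped pairs chain) and a single-pass, whole-name remap that avoids both. The `ethernetN/M` naming pattern, the sample XML fragment and the mapping values are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Whole-name match: "ethernet1/1" is never matched inside "ethernet1/10".
# A subinterface suffix such as ".100" is left in place after the new base name.
IFACE = re.compile(r"(?<![\w/])ethernet\d+/\d+(?!\d)")

# Constructed, simplified fragment (not a complete firewall config).
SAMPLE = """<config><network><interface><ethernet>
  <entry name="ethernet1/1"><layer3><units>
    <entry name="ethernet1/1.100"/></units></layer3></entry>
  <entry name="ethernet1/2"/>
  <entry name="ethernet1/10"/>
  <entry name="ethernet1/21"/>
</ethernet></interface></network>
<zone><entry name="trust"><member>ethernet1/1.100</member>
  <member>ethernet1/10</member></entry></zone></config>"""

# Hypothetical mapping document: source name -> destination name.
MAPPING = {"ethernet1/1": "ethernet1/2",
           "ethernet1/2": "ethernet1/1",
           "ethernet1/10": "ethernet1/3"}

def naive_replace(xml_text, mapping):
    """Editor-style global search and replace, one mapping row at a time."""
    for old, new in mapping.items():
        xml_text = xml_text.replace(old, new)
    return xml_text

def remap_interfaces(xml_text, mapping):
    """Single-pass, whole-name remap. Returns (new_xml, unmapped_names)."""
    unmapped = set()

    def swap(match):
        name = match.group(0)
        if name not in mapping:
            unmapped.add(name)  # still needs a decision before import
            return name
        return mapping[name]

    new_xml = IFACE.sub(swap, xml_text)
    ET.fromstring(new_xml)  # raises ParseError if the result is not well-formed
    return new_xml, sorted(unmapped)

if __name__ == "__main__":
    fixed, leftover = remap_interfaces(SAMPLE, MAPPING)
    print(fixed)
    print("unmapped:", leftover)
    print("naive result differs:", naive_replace(SAMPLE, MAPPING) != fixed)
```

Names returned as unmapped have no row in the mapping document and need a decision (map or remove) before the file is imported and committed.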
12-09-2021 09:36 AM
Is the migration tool still available and able to migrate to a PA-460? The link above goes to an access denied page.
12-09-2021 03:36 PM
Hello,
Yes it is, just changed names. It's now called Expedition. I haven't used it nor a 440, however PAN is good at keeping new technologies in the mix.
https://live.paloaltonetworks.com/t5/expedition/ct-p/migration_tool
Cheers!
12-09-2021 05:42 PM
I think the issue is that the PA-400s can only run on 10.1 or newer code and the other PA is running 9.0 code. If that is not an issue I might try this for sure.
12-10-2021 12:11 PM
Hello,
Should be an issue. It's just any new features in the newer OS won't be enabled or configured correctly. It's more of an issue if going backwards.
Regards,