We have been running SD-WAN since release a year or so ago, regular PAN-OS SD-WAN not Prisma SD-WAN. All the sites were deployed with PA-220 at the time, but we are rolling more sites in and I need to swap a couple of the PA-220s with a PA-440.
Anyone done a hardware replacement of an SD-WAN device, that is being repurposed? I followed along the migration guide, and I am afraid that the SD-WAN connection will break as soon as I commit. Most of the settings are tied to the device in Panorama, and I am not confident that just loading an export will be enough, as behind the scenes the config is probably tied to the serial number. I can think of a couple ways but they all seem more painful and error prone than they should be.
Export the device state from the PA-220 and import and load through the CLI to the PA-400 series, that will have the merged configuration from Panorama. Make sure Panorama is running 10.1.x if adding in a PA-440. Connect the PA-440 to Panorama (point towards and add in auth key). Remove the PA-220 from the templates and device groups, and check the box for the PA-400 series.
If mission critical network I would look for a maintenance window.
Import device state (firewall only)
Import the device state information that was exported using the Export device state option. This includes the current running config, Panorama templates, and shared policies. If the device is a Global Protect Portal, the export includes the Certificate Authority (CA) information and the list of satellite devices and their authentication information.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!