02-04-2022 11:08 AM
Has anyone cloned configuration from a PA-3020 HA pair in active/passive mode to PA-850's that aren't managed by Panorama? Maybe not those specific model numbers even? I'm not familiar with Panorama, and have searched here, and online but all I find is when devices are managed, so I'm wondering if doing this manually would have a different outcome than through Panorama.
This is a hardware refresh, and the change is straight apples to apples as far as physical network infrastructure goes. The devices will be swapped out, and wired exactly the same when redeployed, so my plan is to install the same version of PAN-OS (9.1) on all of them, and export a config image from each, and restore it on the new PA-850's. In theory I believe this will work, but I'm not sure of any "gotchas" that might arise due to possible differences in the hardware. I'm also uncertain if there even are any differences between models that would affect the config, and if there were, if Panorama would recognize those, and address them behind the scenes, so doing this manually would miss them.
Maybe I'm just overthinking this, but I'm a bit trepidatious, and open to any best practice recommendations, and appreciate all input.
Thanks!
02-04-2022 02:52 PM
Hello,
You should be able to export the old config and import it into another model. I would make sure they are on the same code version. Also there could be issues with interfaces, so double check what is currently used and see whats available on the new model. Also HA configs are probably using different interfaces.
Regards,
02-04-2022 01:17 PM
Panorama is a great way to do this. You can get an eval of it from your account team for a month to accomplish this
You could also ask them for a vm NGFW. So if you bought new 850s running 10.0 for example, and the 3ks are running 8.1, get the vm running 8.1 and import the config, and then upgrade the vm to 10.0, then move the config there.
That way you don't have to worry about affecting prod, you can just use a surrogate device. But yes, the interface mismatch will probably be the only area of concern when migrating platforms. And I believe automated correlation engine is available in 3k but not 800 so any configuration there might need to get wiped
02-04-2022 02:52 PM
Hello,
You should be able to export the old config and import it into another model. I would make sure they are on the same code version. Also there could be issues with interfaces, so double check what is currently used and see whats available on the new model. Also HA configs are probably using different interfaces.
Regards,
02-04-2022 04:28 PM - edited 02-04-2022 04:44 PM
Thanks Slick. I must say that's a slick idea. The supply chain issue has put me way behind schedule (took over 3 months to get my devices), so I'm not sure I have time to wait for the trial, or learn something new, but this is a great idea if I only had a little more time.
02-04-2022 04:39 PM
Thanks OtakarKlier! I haven't booted up the 850's, but I suspect they are loaded with the latest OS version. If they are, I plan to register the 850's first, and then download the same OS version as the 3020. I agree on interfaces, but that shouldn't be too painful to work through if they are,
02-14-2022 02:57 PM
Hello,
The 3020's cant go above 9.1 unfortunately.
Regards,
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
