Transfer Configuration from PA-3020 to PA-850 Without Panorama

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Transfer Configuration from PA-3020 to PA-850 Without Panorama

L1 Bithead

Has anyone cloned configuration from a PA-3020 HA pair in active/passive mode to PA-850's that aren't managed by Panorama? Maybe not those specific model numbers even? I'm not familiar with Panorama, and have searched here, and online but all I find is when devices are managed, so I'm wondering if doing this manually would have a different outcome than through Panorama.

 

This is a hardware refresh, and the change is straight apples to apples as far as physical network infrastructure goes. The devices will be swapped out, and wired exactly the same when redeployed, so my plan is to install the same version of PAN-OS (9.1) on all of them, and export a config image from each, and restore it on the new PA-850's. In theory I believe this will work, but I'm not sure of any "gotchas" that might arise due to possible differences in the hardware. I'm also uncertain if there even are any differences between models that would affect the config, and if there were, if Panorama would recognize those, and address them behind the scenes, so doing this manually would miss them.

 

Maybe I'm just overthinking this, but I'm a bit trepidatious, and open to any best practice recommendations, and appreciate all input.

 

Thanks!

1 accepted solution

Accepted Solutions

Cyber Elite
Cyber Elite

Hello,

You should be able to export the old config and import it into another model. I would make sure they are on the same code version. Also there could be issues with interfaces, so double check what is currently used and see whats available on the new model. Also HA configs are probably using different interfaces. 

Regards,

View solution in original post

5 REPLIES 5

L5 Sessionator

Panorama is a great way to do this. You can get an eval of it from your account team for a month to accomplish this

 

You could also ask them for a vm NGFW. So if you bought new 850s running 10.0 for example, and the 3ks are running 8.1, get the vm running 8.1 and import the config, and then upgrade the vm to 10.0, then move the config there. 

 

That way you don't have to worry about affecting prod, you can just use a surrogate device. But yes, the interface mismatch will probably be the only area of concern when migrating platforms. And I believe automated correlation engine is available in 3k but not 800 so any configuration there might need to get wiped

Help the community! Add tags and mark solutions please.

Cyber Elite
Cyber Elite

Hello,

You should be able to export the old config and import it into another model. I would make sure they are on the same code version. Also there could be issues with interfaces, so double check what is currently used and see whats available on the new model. Also HA configs are probably using different interfaces. 

Regards,

Thanks Slick. I must say that's a slick idea. The supply chain issue has put me way behind schedule (took over 3 months to get my devices), so I'm not sure I have time to wait for the trial, or learn something new, but this is a great idea if I only had a little more time.

Thanks OtakarKlier! I haven't booted up the 850's, but I suspect they are loaded with the latest OS version. If they are, I plan to register the 850's first, and then download the same OS version as the 3020. I agree on interfaces, but that shouldn't be too painful to work through if they are,

Cyber Elite
Cyber Elite

Hello,

The 3020's cant go above 9.1 unfortunately. 

Regards,

  • 1 accepted solution
  • 2793 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!