Content translations are temporarily unavailable due to site maintenance. We apologize for any inconvenience.
09-16-2021 09:30 PM
Hello,
I tried to migrate Palo HA FW to Panorama mgmt as per below guideline link, but fail in step 5.5.
this is the step what I did;
09-21-2021 01:19 AM
Hello...
finallyy, it worked well by downgrading Panorama 10.1.0 to 10.0.7.
thank you.
09-19-2021 05:06 AM
Thank you for your post @zinkt101
Would it be possible to provide details of commit fail message? Typically there is description what prevented commit to succeed.
Thank you
Pavel
09-19-2021 05:22 AM
thank you for your response @PavelK
this is the fail error message on local FW
!
Operation
Commit
Status
Completed
Result
Failed
Details
Validation Error:
deviceconfig -> system -> update-schedule -> wildfire -> recurring -> every-15-mins -> sync-to-peer unexpected here
deviceconfig -> system -> update-schedule -> wildfire -> recurring -> every-15-mins is invalid
Commit failed
Warnings
!
After this error message, I tried by turning off sync-to-peer on all dynamic updates on both passive/active FW, then re-start migrating to Panorama again.
still show the above error message again.
thank you.
09-19-2021 01:52 PM
Thank you for reply @zinkt101
Before you start migration, could you set the download schedule of Wildfire to: "None" on both Firewalls, then start with migration over? If it succeed, then after migration you can change Wildfire scheduler from Panorama via Template.
Kind Regards
Pavel
09-20-2021 01:46 AM
hello..
after I tried with schedule of Wildfire to: "None" on both Firewall, still fail with this new error message.
Operation
Commit
Status
Completed
Result
Failed
Details
Validation Error:
import -> network -> logical-router unexpected here
import -> network is invalid
Commit failed
Warnings
09-21-2021 01:19 AM
Hello...
finallyy, it worked well by downgrading Panorama 10.1.0 to 10.0.7.
thank you.
09-21-2021 01:25 AM
Thank you for sharing @zinkt101
After your last post, I was running out of ideas. It is good that you could eventually solve it by downgrading.
09-21-2021 03:51 AM - edited 09-21-2021 03:52 AM
yeah. thank you @PavelK
I have another PA HA pair which is running version 8.1.xx to migrate, not sure it will be OK with this panorama version 10.0.7.
04-13-2022 03:08 PM - edited 04-13-2022 03:09 PM
Hi @zinkt101 , I had a similar issue recently when attempting to migrate a 3250 HA pair (10.0.8-h4) to Panorama 10.1.3. I was able to complete the push and commit however anything that uses a password or secret such as a IKE Gateway pre-shared key didn't work. The resultant outage was significant with over 100 IPSec VPN's configured so I quickly reverted the 3250's to their original device state.
I suspected someone had set a new Master Key however that wasn't the case. I then compared the encrypted values for passwords and pre-shared keys between firewalls and Panorama and they were indeed different. I know Panorama 10.1.3 doesn't support firewalls running 10.1.0 - 10.1.2 (Panorama Admin Guide) however I can't find official word that 10.0.X isn't supported either.
Downgrading isn't really an option as 10.0 becomes end of life in July this year so next step is trying the process again with an eval VM running 10.0.8-h4 loaded with very similar config to the 3250's and see if the same result occurs. Following on from that I will upgrade Panorama and the VM to 10.1.5-h1 to see if the issue is resolved.
I have another 15 x 440's on Satellite links to migrate so need to make sure the process is error free.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
