This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Migrating Configuration from Panorama/PA-3220 (PAN-OS 9.1.6) to New Panorama/PA-1410 (PAN-OS 11.1.2-h3)

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Migrating Configuration from Panorama/PA-3220 (PAN-OS 9.1.6) to New Panorama/PA-1410 (PAN-OS 11.1.2-h3)

Tutchapon
L1 Bithead

‎08-07-2024 09:05 AM

Hi all,

 

I'm planning to replace my existing Panorama VM and PA-3220 firewall (both running PAN-OS 9.1.6) with a new Panorama VM and PA-1410 (running PAN-OS 11.1.2-h3). My goal is to migrate the existing configuration to the new setup, primarily focusing on the PA-1410, and eventually decommission the PA-3220 without connecting it to the new Panorama VM.

 

My main concerns are:

 

  1. What's the best way to adapt the PA-3220's configuration for the PA-1410, considering they have different PAN-OS versions and potentially different hardware capabilities?
  2. Are there any specific guidelines or tools to help with the manual integration of the PA-3220's configuration into the new Panorama?
  3. What are some common pitfalls or challenges I might encounter during this migration process, and how can I mitigate them?

 

Any advice or insights would be greatly appreciated!

0 Likes Likes
1 REPLY 1

aleksandar.astardzhiev
Cyber Elite
Cyber Elite

‎08-09-2024 06:59 AM

Hi @Tutchapon ,

 

You may want to explore the Expedition tool - https://live.paloaltonetworks.com/t5/expedition/ct-p/migration_tool

I have used used long long ago for migration from other FW vendors to Palo Alto, but it should also be able to assist you with migrating from one hardware to another. Please note the following EoL announcment - https://live.paloaltonetworks.com/t5/expedition-articles/important-update-end-of-life-announcement-f...

 

Does your PA-3220 config is entireply pushed from Panorama, or there is some local config?

My suggestion would be:

1. Export complete Panorama configuration (with device config)

2. Create new Panorama running the same OS version and import the backup. (Disconnect the PA-3220, so the new Panorama does not try to communicate with it. Although communication is always initiated from FW to Panorama)

3. Upgrade the new Panorama to the target version following upgrade path to ensure config is migrated properly

4. Attach the new 1410 to the new Panorama and assign the existing Device Group and Templates for old PA-3220. You probably will need to adjust the network interfaces, before pushing the config to the device.

  • 658 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks