05-16-2022 10:23 AM
HI,,
we have plan to migrate PA 5020 to PA 5220 with 40G, Please anyone let me to best practices with less downtime migration. herewith mentioned that how current our environment setup has.
1. currently we have 3 PA Integrated with Panorama ,
2. 5020 has 6 vsys
3.in that one of template (polices alone not NAT) share to 3 different PA (One at DC, Second one at DR and third one at azure cloud)
4.at DR PA has 3 vsys
06-09-2022 11:11 PM
Thank you for the post @LRajangam
Without knowing details of your environment, my input might not be that valuable, however personally I would proceed with below steps for migration.
1.) Perform hardware installation of PA-5220 including all the SFP modules. Perform initial configuration to bring management interface online and install all the licenses, PAN-OS upgrades, Application/Threat packages.
2.) Since your PA-5220 is replacing existing Firewall, I assume it is going to be using identical configuration. In this case, I would place the new PA-5220 into the same Template Stack as the existing PA-5020. Depending on your Device Group hierarchy, I would do the same to place PA-5220 into the same Device Group. As a next step, I would push the configuration from Panorama to PA-5220, then if there is no issue I would plan actual cut over.
3.) Before actual migration, I would pre-prepared all the cables and SFP modules. During the time of cut over, I would move cables one by one from old Firewall to new one. For the migration to new 40G connection, I would unplug cable from old Firewall and plug new 40G SFP connection to new Firewall. If there is no IP address change, then unless there is a physical connection issue / SFP issue or Fiber TX/RX swap, all should start to work with traffic being forwarded again. If traffic is not passing through even though all connections are up, I would check ARP table of switches on each side of the Firewall. In the case it is still pointing to MAC address of old Firewall, I would delete that entry and new ARP entry will be mapped to correct MAC address.
Alternative way, would be to cable all the ports on PA-5220, but keep ports shut down on switch side to prevent IP address duplication. On the day of cut over just shut down ports on the switch facing old Firewall and un-shut ports facing new Firewall. This might be quicker than manually moving cables across.
Regarding 3 points you mentioned, although I do not know details of vsys in DC and DR Firewalls, I do not think that this would make significant difference with the migration plan.
Myself, I went through similar migration a few years ago from PA-5060 to PA-5260 in high pressure environment where only minimum downtime was allowed. Both old and new Firewalls were in HA (Active/Standby pair). I do not exactly recall sequence of all the steps we have done, but in nutshell we have pre-prepared all the configuration between old and new Firewall on one to one bases. We have pre-cabled everything, but kept ports shut down. On the day of cut over we shut down ports facing old switch and un-shut ports facing new switch. Since we had an HA pair, we had luxury to have more control which Firewall will forward traffic. The only issue we came across, the new Firewall did not send GARP which required manual intervention.
At the beginning of your post, you mentioned about best practices. I would not call my write up a best practice, but rather experience sharing 🙂
Kind Regards
Pavel
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
