Thank you for the reply, @sanjay.ramaiah.
The answer below is the best I can come up with considering my limited knowledge of your environment.
For the migration of the local device configuration, the steps below are probably the easiest way:
1.)
Perform initial configuration of PA-460. Below links might be useful:
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/getting-started/integrate-the-firewall-into-your-management-network/perform-initial-configuration
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClN7CAK
By following the configuration from the above links, you will be able to SSH/GUI to the new Firewall. From here you can move to the actual configuration migration.
2.)
SSH to PA-3020 and issue below commands. Ideally set logging session to text file.
> set cli config-output-format set
> set cli pager off
> configure
# show
then SSH to PA-460 and issue:
> set cli scripting-mode on
> configure
then paste the configuration you got from PA-3020. You can paste commands in bulk, but watch out for any errors. Ideally, instead of blindly copying and pasting all of the configuration, paste only what is relevant and what you want to move across to PA-460.
Since you will be going from PAN-OS 8.1 to 10.X, there are some syntax differences that might require you to configure some parts of the configuration from scratch. Personally, I would take the opportunity to move as much configuration as possible to Panorama and push it from there. By having configuration in a Template / Device Group, you can easily re-use / standardize configuration in the future. I feel this is a better way to do it.
Regarding the Panorama part, please check the steps below.
1.)
Before you can onboard PA-460 to Panorama, you will have to make sure that Panorama runs the same or a higher PAN-OS version than the managed Firewall. In your case, you are running PAN-OS 10.0.11, which is already end of life. PA-460 will be shipped either with 10.1.X or with 10.2.X, so a Panorama upgrade is necessary.
2.)
After you complete the Panorama upgrade, you can register the Firewall in Panorama. You can follow this link: https://docs.paloaltonetworks.com/panorama/10-1/panorama-admin/manage-firewalls/add-a-firewall-as-a-managed-device
3.)
Personally, I would clone the current Template/Template Stack of the existing PA-3020 and make the necessary modifications. Since PA-460 seems to have the same function, I would place it in the same Device Group. After these settings are in place, I would push this to PA-460. If there is no error, I would plan for cut over.
4.)
Personally, on the day of cut over, I would announce a maintenance window and move the cables across from PA-3020 to PA-460. You did not mention whether you have HA pairs; if yes, I would plan the cut over differently, with less downtime. Since the device is already pre-configured either locally or from Panorama, the migration day should be only about cabling and troubleshooting.
It is likely that during preparation for this migration you will come across all sorts of issues or errors. You can share them here; if I know the solution, I will follow up with it.
Kind Regards
Pavel
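Added example, not part of the original post: one way to follow the "paste only what is relevant" advice is to split the logged PA-3020 session into per-section batches and hold back the lines that describe the old firewall itself. The sample log, the function name `split_config` and the `HOLD_BACK` list are assumptions made for this sketch.

```python
from collections import defaultdict

# Constructed sample of a logged PA-3020 session (not real device output).
SAMPLE_LOG = """\
admin@PA-3020> set cli config-output-format set
admin@PA-3020> set cli pager off
admin@PA-3020> configure
admin@PA-3020# show
set deviceconfig system ip-address 192.0.2.10
set deviceconfig system hostname PA-3020
set mgt-config users admin phash $1$constructed$hash
set network interface ethernet ethernet1/1 layer3 ip 198.51.100.1/24
set zone trust network layer3 ethernet1/1
set address web-srv ip-netmask 10.0.0.5/32
set rulebase security rules allow-web from trust
set rulebase security rules allow-web action allow
"""

# Assumption: these top-level sections describe the old box itself (management
# IP, hostname, admin password hashes) and are reviewed by hand, not pasted.
HOLD_BACK = ("deviceconfig", "mgt-config")


def split_config(log_text, hold_back=HOLD_BACK):
    """Return ({section: [set lines]}, [held-back lines]) from a session log."""
    sections = defaultdict(list)
    held = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line.startswith("set "):
            continue  # CLI prompts, echoed commands, banners, blank lines
        top = line.split()[1]  # first keyword after "set", e.g. "rulebase"
        (held if top in hold_back else sections[top]).append(line)
    return dict(sections), held


if __name__ == "__main__":
    sections, held = split_config(SAMPLE_LOG)
    for name, lines in sections.items():
        print(f"# --- {name}: {len(lines)} line(s) to paste ---")
        print("\n".join(lines))
    print(f"# --- held back for manual review: {len(held)} line(s) ---")
    for line in held:
        print("#", line)
```

Pasting one section at a time makes it easier to tie an error back to the lines that caused it, and keeping the held-back lines out of the paste leaves the management settings from the PA-460 initial configuration untouched.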