Greetings all,

My organization is looking to upgrade from an Active/Active 5060 deployment to an Active/Standby 5200 series deployment. I have Expedition installed although I'm not proficient at it yet (side note: if anyone knows of and can pass along any tutorials on using it to capture data and create migration rulesets to move IP/port rules over to app rules, I'd really appreciate it) and we've also got Panorama. We're still a few months out and haven't purchased the units yet, but I wanted to get a jump on things and start trying to figure out what the process would look like.

In Panorama, most of my address, address groups, and tags are in the Shared space, so adding the additional firewalls to this should just sync that stuff over. My security policy and NAT rules are currently all set up as Pre-Rules (seems like I learned later this wasn't necessarily ideal... gotta go back and read up) but are in a sub-device group since I thought there was a likelihood of adding additional smaller firewalls in different locations.

I'm looking for any feedback or advice on the move for this. I want to minimize downtime, of course, and I figured I would probably need to upgrade Panorama and our current firewalls to an 8.1 release before starting. I've never configured firewalls from scratch in Panorama before, so I figured the initial process would look something like this:

- Basic setup on each of the new firewalls including IP addressing and hostnames
- Configure A/S HA
- Start the import process into Panorama
- Create security zones, interfaces, virtual routers
- Copy configs from old firewall for zones, interfaces, and virtual routers, keeping in mind changes for the new system
- Start moving over security policy and NAT

There will of course be some additional steps like subscription installation and activation, etc., but these are the basics I've thought of so far.

For actual installation, my thought was to take one of our current A/A units offline and unrack it, put one of the new ones in its place, and then do some sort of swap over to see if the new system is stable before we unrack the second unit and move forward. Am I on the right track here? Anything else I need to consider? Thanks!