About birkhojk

Hi @birkhojk , Yes, it should work. As you can see from the following link - https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/ospf/configure-ospf-graceful-restart First option is to allow PAN FW to send grace SLA when needs to restart. Second option is to allow PAN FW to receive grace SLA and wait for the grace period before recalculating the routing table.   Another useful KB (although it is about HA setup, but still good explanation about OSPF grace restart) - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEECA0   About your second question - according to the link you provide Graceful Restart is enabled by default on Cisco router I believe your show command confirms that both are currently enabled.   From the Cisco link and from this KB - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000boPzCAI It seems both vendors are using default grace period of 120sec. As long as this period is fine with you, the only think you need to do is to enable graceful restart on the PAN FW   ... View more

I think I actually have it configured correctly only need to test it at this point. ... View more

I recently had to do something very similar and documented my procedure.  First I tried it in Expedition which is what the tool was designed for but it just wouldn't work for me.  I moved my subinterfaces from one ae to another this way: ## set panorama to display output in "set" commands, set panorama to "no-more" output admin@firewall(primary-active)> set cli config-output-format set admin@firewall(primary-active)> set cli pager off admin@firewall(primary-active)> configure Entering configuration mode [edit] ## from panorama, show the configuration matching the interface being migrated admin@firewall(primary-active)# show | match ae2.117 **set template TEMPLATE config vsys vsys1 zone ZONE network layer3 ae2.117 **set template TEMPLATE config vsys vsys1 import network interface [ ae2 ae2.900 ae2.901 ae2.902 ae2.903 loopback.1 vlan loopback tunnel ae2.3600 ae2.3106 ae2.1505 ae2.1503 ae2.1502 ae2.1500 ae2.303 ae2.115 ae2.432 ae2.117 ae2.668 ae2.3005 ae2.4011 ae2.116 ae2.762 ae2.1621 ae2.2005 ae2.2040 ae2.700 sdwan ae3 ae3.411 ] **set template TEMPLATE config network interface aggregate-ethernet ae2 layer3 units ae2.117 ipv6 neighbor-discovery router-advertisement enable no set template TEMPLATE config network interface aggregate-ethernet ae2 layer3 units ae2.117 ndp-proxy enabled no set template TEMPLATE config network interface aggregate-ethernet ae2 layer3 units ae2.117 adjust-tcp-mss enable no set template TEMPLATE config network interface aggregate-ethernet ae2 layer3 units ae2.117 ip 10.x.x.x/29 set template TEMPLATE config network interface aggregate-ethernet ae2 layer3 units ae2.117 interface-management-profile ping-only set template TEMPLATE config network interface aggregate-ethernet ae2 layer3 units ae2.117 tag 117 set template TEMPLATE config network interface aggregate-ethernet ae2 layer3 units ae2.117 comment ZONE set template TEMPLATE config network virtual-router DEFAULT-VR protocol bgp auth-profile BGP_AUTH secret xxxxxxx set template TEMPLATE config network virtual-router DEFAULT-VR protocol bgp auth-profile BGP_AUTH secret xxxxxxx set template TEMPLATE config network virtual-router DEFAULT-VR protocol bgp peer-group ZONE peer ZONE connection-options authentication spn-FW-ae2_117 **set template TEMPLATE config network virtual-router DEFAULT-VR protocol bgp peer-group ZONE peer ZONE local-address interface ae2.117 set template TEMPLATE config network virtual-router DEFAULT-VR protocol bgp peer-group ZONE peer ZONE connection-options authentication spn-FW2-ae2_117 **set template TEMPLATE config network virtual-router DEFAULT-VR protocol bgp peer-group ZONE peer ZONE local-address interface ae2.117 **set template TEMPLATE config network virtual-router DEFAULT-VR interface [ ae2 ae2.115 ae2.116 ae2.117 ae2.303 ae2.432 ae2.668 ae2.700 ae2.762 ae2.900 ae2.901 ae2.902 ae2.903 ae2.1500 ae2.1502 ae2.1503 ae2.1505 ae2.1621 ae2.2005 ae2.2040 ae2.3005 ae2.3106 ae2.3600 ae2.4011 loopback.1 ae3.411 ] [edit] ## the only configuration we need to remove have been marked with ** at the beginning of the line ## remove the sub-interfaces from the BGP peer-group by temporarily replacing them with loopbacks (this will preserve the bgp-peer config while allowing us to delete the sub-interface) set template TEMPLATE config network virtual-router DEFAULT-VR protocol bgp peer-group ZONE peer FW1 local-address interface loopback.1 set template TEMPLATE config network virtual-router DEFAULT-VR protocol bgp peer-group ZONE peer FW2 local-address interface loopback.1 ## delete the sub-interface from the VR delete template TEMPLATE config network virtual-router DEFAULT-VR interface ae2.117 ## delete the sub-interface from the zone delete template TEMPLATE config vsys vsys1 zone ZONE network layer3 ae2.117 ## delete the sub-interface from the vsys delete template TEMPLATE config vsys vsys1 import network interface ae2.117 ## delete the sub-interface from the old AE delete template TEMPLATE config network interface aggregate-ethernet ae2 layer3 units ae2.117 ------------- ## create the new sub-interface on new AE set template TEMPLATE config network interface aggregate-ethernet ae3 layer3 units ae3.117 tag 117 set template TEMPLATE config network interface aggregate-ethernet ae3 layer3 units ae3.117 comment ZONE set template TEMPLATE config network interface aggregate-ethernet ae3 layer3 units ae3.117 ip 10.x.x.x/29 set template TEMPLATE config network interface aggregate-ethernet ae3 layer3 units ae3.117 interface-management-profile ping-only ## import the new interface to the correct vsys set template TEMPLATE config vsys vsys1 import network interface ae3.117 ## add the new interface to the zone set template TEMPLATE config vsys vsys1 zone ZONE network layer3 ae3.117 ## add the new interface to the VR set template TEMPLATE config network virtual-router DEFAULT-VR interface ae3.117 ## add the new subinterface to the BGP peer-group (replacing the loopback placeholder) set template TEMPLATE config network virtual-router DEFAULT-VR protocol bgp peer-group ZONE peer FW1_ZONE local-address interface ae3.117 set template TEMPLATE config network virtual-router DEFAULT-VR protocol bgp peer-group ZONE peer FW2_ZONE local-address interface ae3.117 ## add the peer AS back to the peer-group set template TEMPLATE config network virtual-router DEFAULT-VR protocol bgp peer-group ZONE peer FW1_ZONE peer-as 64892 set template TEMPLATE config network virtual-router DEFAULT-VR protocol bgp peer-group ZONE peer FW2_ZONE peer-as 64892 ## add the IP's back to the peer-group set template TEMPLATE config network virtual-router DEFAULT-VR protocol bgp peer-group ZONE peer FW1_ZONE local-address ip 10.x.x.x/29 set template TEMPLATE config network virtual-router DEFAULT-VR protocol bgp peer-group ZONE peer FW1_ZONE peer-address ip 10.x.x.x set template TEMPLATE config network virtual-router DEFAULT-VR protocol bgp peer-group ZONE peer FW2_ZONE local-address ip 10.x.x.x/29 set template TEMPLATE config network virtual-router DEFAULT-VR protocol bgp peer-group ZONE peer FW2_ZONE peer-address ip 10.x.x.x ## all of the other configuration (Policies, additional BGP config, will not be changed)           ... View more

Hello, No stupid questions here. You are correct where it should not disrupt the untagged traffic. Check out these articles.   https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFNCA0   https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClheCAC   Cheers! ... View more

@birkhojk, Unless you need the feature set of 9.0 I would absolutely not recommend it be utilized in a production environment at this time. I currently work with a customer utilizing 5280s at their edge and we've been running into a latency issue with 9.0.2, and there are plenty of open issues with 9.0 at this time.  ... View more