PaloAlto Cluster migration from PA 5020 version 7.1.16 to PA 5220 version 8.1.8

L2 Linker

Hi,

I would like to migrate one old PA 5020 cluster version 7.1.16 to a PA 5220 cluster version 8.1.8. I would appreciate it if someone could help me with the process to follow for this migration, as this is my first PaloAlto firewall migration project and I don't have a document to follow.

Thanks

JP

Cyber Elite

@JyotiPrakash,

So this migration is actually going to be really straightforward. You just need to bring your 5020s up to 8.1.8.

1) Ensure firewalls are on the same version

2) Export the configuration of both peers

3) Import configurations from the 5020 to the 5220s

4) Load configuration to the new PA-5220s

5) Verify configuration and correct any issues.

6) Commit.

 

Thank you so much for your help with this. I had a case with PaloAlto TAC and they suggested using their migration tool, as the Export/Import will not work due to the different hardware specification. I'm not sure if I need to use their migration tool or Export/Import to restore onto the new 5220 cluster. Also, TAC informed me that the 5220 has different interfaces and HA ports, which is also a major difference.

Could you please help me with this confusion?

@JyotiPrakash ,

The migration tool would allow you to correct the validation issues before moving the configuration onto the 5220. 

The differences between the 5220 and the 5020 aren't large enough to give you any issues with importing and loading the configuration. You will have validation issues that you'll need to correct when the configuration is loaded, but once corrected the configuration will commit perfectly fine.

You can use either method, but I personally find the migration tool annoying to actually get set up and work with if this is something you'll only do every 5 years.

Thanks. For me, using the migration tool is like an overhead, but Export/Import seems an easy way for this migration. I was really confused by the TAC guys. Also, I have never done any PaloAlto migration in the past, so I don't have such experience.

But I think it's now clear to use export/import to complete the migration.

How can I validate the configuration before the final commit? Also, do I need to do a factory reset of the new 5220 devices to load the latest backup? My plan is to load the old export/import config first to fix the errors, and then load the latest config backup after that for the final day cutover.

About 2 years ago I migrated a 5060 pair to a 5220 pair following the same suggested path as @BPry. You can easily modify the XML export to account for the port changes. Also take note that HA config ports are also going to be different, but other than that it really is a much simpler process than it feels like it should be.

 

I also agree that the migration tool is more work than it's worth for this task.

Thanks a lot for sharing your experience. I'm getting more confident after going through the real-time experiences shared by you all on this thread :).

 

Yes, I think I can change the HA ports once I import the device state backup?

 

Also, you can easily modify the XML export to account for the port changes? How can I modify the XML export for the ports, if you can please help me with this?

Thanks a lot for your help!!
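One way to do the port remapping asked about above, as an added example that is not part of the original thread and not Palo Alto's tooling: the script renames interfaces in an exported configuration by exact name, so `ethernet1/1` is never confused with `ethernet1/12`, carries subinterface units across, and lists every interface it left untouched so those can be reviewed before the load and commit. The port plan in `PORT_MAP` and the sample XML are constructed for illustration; HA port settings are not handled here and still need manual correction on the new pair.

```python
import re
import xml.etree.ElementTree as ET

# Hypothetical old -> new port plan; substitute the cabling plan for the new pair.
PORT_MAP = {"ethernet1/1": "ethernet1/5", "ethernet1/2": "ethernet1/6"}

# Constructed sample in the shape of an exported config (not from a real device).
SAMPLE = """<config><devices><entry name="localhost.localdomain">
 <network><interface><ethernet>
  <entry name="ethernet1/1"><layer3><units>
   <entry name="ethernet1/1.100"><tag>100</tag></entry></units></layer3></entry>
  <entry name="ethernet1/2"><layer3/></entry>
  <entry name="ethernet1/12"><layer3/></entry>
 </ethernet></interface></network>
 <vsys><entry name="vsys1"><zone>
  <entry name="trust"><network><layer3>
   <member>ethernet1/1.100</member><member>ethernet1/12</member>
  </layer3></network></entry>
  <entry name="untrust"><network><layer3>
   <member>ethernet1/2</member></layer3></network></entry>
 </zone></entry></vsys>
</entry></devices></config>"""

# Whole-name match only: base port plus optional ".unit" subinterface suffix.
IFACE = re.compile(r"^(ethernet\d+/\d+)(\.\d+)?$")

def remap(name, port_map, unmapped):
    """Return the new interface name, or the old one if it is not in the plan."""
    m = IFACE.match(name)
    if not m:
        return name                      # not an interface name, leave alone
    base, unit = m.group(1), m.group(2) or ""
    if base not in port_map:
        unmapped.add(base)               # record for manual review
        return name
    return port_map[base] + unit

def remap_config(xml_text, port_map):
    """Rename interfaces in entry names and element text; report the rest."""
    root = ET.fromstring(xml_text)
    unmapped = set()
    for el in root.iter():
        if el.tag == "entry" and "name" in el.attrib:
            el.set("name", remap(el.get("name"), port_map, unmapped))
        elif el.text and IFACE.match(el.text.strip()):
            el.text = remap(el.text.strip(), port_map, unmapped)
    return ET.tostring(root, encoding="unicode"), sorted(unmapped)

if __name__ == "__main__":
    new_xml, leftover = remap_config(SAMPLE, PORT_MAP)
    print(new_xml)
    print("interfaces left unchanged, review manually:", leftover)
```

Run it against a copy of the export and diff the result against the original before importing it on the new firewalls.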
