How to Upgrade Old Palo Alto Firewall to New Model

Migrating from an old Palo Alto firewall to a new one involves a few more considerations, especially if the models or PAN-OS versions differ. Here’s a comprehensive approach:

1. Preliminary Steps:

  • Document the current environment: This includes interface configurations, routing setups, NAT rules, security policies, VPNs, and any custom settings.
  • Ensure compatibility: If the new firewall is a different model or runs a different PAN-OS version, some configurations might not be directly compatible. It’s recommended to check Palo Alto’s official documentation or consult with their support about any model-specific considerations.

2. Backup and Export Configuration:

  • Export the configuration from the old Palo Alto firewall. The “set” format is suggested here, so you can copy and paste the commands and fix errors along the way.
  • Run the following command so the configuration is displayed in that format:
    • “set” format:    > set cli config-output-format set
  • Enter configure mode:  > configure
  • Enter show to see the complete configuration. You can also view certain components, such as “show network interface”.

3. Prepare the New Firewall:

  • Before importing, update the new firewall’s PAN-OS to match the version of the old firewall, especially if there’s a significant version difference. If not possible, be prepared to adjust configurations that might not be compatible.
  • Make sure the new firewall can access licenses, updates, and other services by configuring basic management and DNS settings.

4. Import Configuration to the New Firewall:

  • Import the configuration exported in step 2 into the new Palo Alto firewall. With the “set” format, paste the commands in configure mode and fix any errors as they come up.
  • Commit the changes to apply the configuration.

5. Post-Import Checks:

  • Interface Checks: Confirm that interfaces are up and receiving/transmitting traffic correctly.
  • Policy Checks: Ensure security, NAT, and policy-based forwarding rules are correctly applied.
  • VPN Checks: If VPNs are in use, ensure they are up and operational.
  • Log and Monitor: Check logs to ensure traffic is flowing as expected and there are no unexpected denies or errors.
  • Test Failover (if applicable): If the firewall is part of a High Availability (HA) pair, test failover to ensure both firewalls are working correctly.

6. Additional Recommendations:

  • If you’re changing models, you might need to adjust interface configurations, especially if there’s a difference in the number of interfaces or types of interfaces.
  • Features or settings available in one model may not be in another, so be aware of any model-specific features you’re using.
  • After migrating, it’s a good idea to have a maintenance window. This way, if issues arise, they can be addressed without significantly impacting users or services.
  • Consider utilizing Palo Alto’s Migration Tool. It’s designed to help customers migrate configurations from older devices and even other vendor devices to newer Palo Alto devices.
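
The policy checks in step 5 and the interface adjustments in step 6 can be partly automated by diffing “set”-format exports taken from both firewalls, so that lines that failed to paste (for example a deny rule) are not missed. This is an added example, not part of the original post or any Palo Alto tool; the sample configurations, the interface mapping and the function names are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample exports in "set" format (not from a real device).
OLD_CONFIG = """\
set network interface ethernet ethernet1/1 layer3 ip 203.0.113.2/30
set zone untrust network layer3 ethernet1/1
set rulebase security rules allow-web from trust
set rulebase security rules allow-web action allow
set rulebase security rules block-telnet application telnet
set rulebase security rules block-telnet action deny
set rulebase nat rules outbound-snat to-interface ethernet1/1
"""
NEW_CONFIG = """\
set network interface ethernet ethernet1/5 layer3 ip 203.0.113.2/30
set zone untrust network layer3 ethernet1/5
set rulebase security rules allow-web from trust
set rulebase security rules allow-web action allow
set rulebase nat rules outbound-snat to-interface ethernet1/5
"""
IFACE_MAP = {"ethernet1/1": "ethernet1/5"}  # assumed old -> new port mapping

def normalize(config, iface_map=None):
    """Return the set of 'set' lines, whitespace-collapsed, interfaces remapped."""
    pattern = None
    if iface_map:
        names = sorted(iface_map, key=len, reverse=True)
        pattern = re.compile(r"\b(" + "|".join(map(re.escape, names)) + r")\b")
    lines = set()
    for raw in config.splitlines():
        line = " ".join(raw.split())
        if not line.startswith("set "):
            continue  # skip prompts, blank lines and other CLI noise
        if pattern:  # one pass, so swapped ports are not remapped twice
            line = pattern.sub(lambda m: iface_map[m.group(1)], line)
        lines.add(line)
    return lines

def section(line):
    """Group key: 'rulebase security', 'rulebase nat', 'network', 'zone', ..."""
    words = line.split()
    return " ".join(words[1:3]) if words[1] == "rulebase" else words[1]

def missing_after_import(old_config, new_config, iface_map=None):
    """Lines expected from the old export that are absent on the new firewall."""
    report = defaultdict(list)
    for line in sorted(normalize(old_config, iface_map) - normalize(new_config)):
        report[section(line)].append(line)
    return dict(report)

if __name__ == "__main__":
    for sec, lines in missing_after_import(OLD_CONFIG, NEW_CONFIG, IFACE_MAP).items():
        print(f"[{sec}] {len(lines)} line(s) missing")
        print("\n".join("  " + l for l in lines))
```

Swapping the two arguments lists lines that exist only on the new firewall, such as factory defaults that were never on the old one.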

Lastly, always have a rollback plan. Whether that’s keeping the old firewall on standby or having a recent backup of the new firewall’s initial state, it’s good to be prepared.

Useful Links

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClHoCAK
