Migrating from an old Palo Alto firewall to a new one involves a few more considerations, especially if the models or PAN-OS versions differ. Here’s a comprehensive approach:
1. Preliminary Steps:
- Document the current environment: This includes interface configurations, routing setups, NAT rules, security policies, VPNs, and any custom settings.
- Ensure compatibility: If the new firewall is a different model or runs a different PAN-OS version, some configurations might not be directly compatible. It’s recommended to check Palo Alto’s official documentation or consult with their support about any model-specific considerations.
2. Backup and Export Configuration:
- Export the configuration from the old Palo Alto firewall. Here suggest using “set” format so you can copy paste and fix the error along the way
- Run the following command to view the configuration:
- “set” format: > set cli config-output-format set
- Enter configure mode: > configure
- Enter show to see the complete configuration. You can also view certain components, such as “show network interface”.
3. Prepare the New Firewall:
- Before importing, update the new firewall’s PAN-OS to match the version of the old firewall, especially if there’s a significant version difference. If not possible, be prepared to adjust configurations that might not be compatible.
- Make sure the new firewall can access licenses, updates, and other services by configuring basic management and DNS settings.
4. Import Configuration to the New Firewall:
- Follow the earlier steps to import the configuration to the new Palo Alto firewall.
- Commit the changes to apply the configuration.
5. Post-Import Checks:
- Interface Checks: Confirm that interfaces are up and receiving/transmitting traffic correctly.
- Policy Checks: Ensure security, NAT, and policy-based forwarding rules are correctly applied.
- VPN Checks: If VPNs are in use, ensure they are up and operational.
- Log and Monitor: Check logs to ensure traffic is flowing as expected and there are no unexpected denies or errors.
- Test Failover (if applicable): If the firewall is part of a High Availability (HA) pair, test failover to ensure both firewalls are working correctly.
6. Additional Recommendations:
- If you’re changing models, you might need to adjust interface configurations, especially if there’s a difference in the number of interfaces or types of interfaces.
- Features or settings available in one model may not be in another, so be aware of any model-specific features you’re using.
- After migrating, it’s a good idea to have a maintenance window. This way, if issues arise, they can be addressed without significantly impacting users or services.
- Consider utilizing Palo Alto’s Migration Tool. It’s designed to help customers migrate configurations from older devices and even other vendor devices to newer Palo Alto devices.
Lastly, always have a rollback plan. Whether that’s keeping the old firewall on standby or having a recent backup of the new firewall’s initial state, it’s good to be prepared.