14
Palo Alto Networks Firewall Migration Guide
Palo Alto NetworksFirewall Migration Guide
Contact Information
Corporate Headquarters:
Palo Alto Networks
3000 Tannery Way
Santa Clara, CA 95054
www.paloaltonetworks.com/company/contact‐support
About this Guide
This guide helps ensure that you are aware of the various considerations associated with upgrading your Palo Alto Networks firewall to a newer, more powerful Palo Alto Networks firewall.
In addition to this guide, you should review release notes if you are upgrading your PAN‐OS software in conjunction with your hardware upgrade. If you are upgrading software, be sure to review release notes for each feature release between your existing configuration and the new version. For example, if you are upgrading from PAN‐OS 6.1 to PAN‐OS 8.0, you should review release notes for PAN‐OS 7.0, PAN‐OS 7.1, and PAN‐OS 8.0 before beginning your upgrade.
For additional information, refer to the following resources:
For information on the supported OS releases by model, refer to https://www.paloaltonetworks.com/documentation/global/compatibility‐matrix.
For information on the additional capabilities and for instructions on configuring the features on the firewall, refer to https://www.paloaltonetworks.com/documentation.
For access to the knowledge base and discussion forums, refer to https://live.paloaltonetworks.com.
For contacting support, for information on support programs, to manage your account or devices, or to open a support case, refer to https://www.paloaltonetworks.com/support/tabs/overview.html.
For capacity and performance information for all Palo Alto Networks firewalls, refer to https://www.paloaltonetworks.com/products/product‐selection.html.
To view the product spec sheets, refer to https://www.paloaltonetworks.com/resources/datasheets.html.
For information on End‐Of‐Sale firewalls and appliances, refer to https://www.paloaltonetworks.com/support/end‐of‐life‐announcements/end‐of‐sale.html.
To provide feedback on the documentation, please write to us at: [email protected].
Palo Alto Networks, Inc.www.paloaltonetworks.com© 2017–2018 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at http://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.
Revision Date: March 7, 2018
2 • Firewall Migration Guide © Palo Alto Networks, Inc.
Table of Contents
Firewall Migration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5Firewall Migration Planning Checklist . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Migrate to New Firewalls. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
© Palo Alto Networks, Inc. Firewall Migration Guide • 3
Table of Contents
4 • Firewall Migration Guide © Palo Alto Networks, Inc.
Firewall Migration
The following topics guide you through the process of migrating your existing Palo Alto Networks® firewall to a new Palo Alto Networks firewall (such as from a PA‐200 firewall to a PA‐220 firewall or from a PA‐500 firewall to a PA‐800 Series firewall).
This procedure is not supported for migration to PA‐5200 Series firewalls.
You can use this procedure in an RMA situation where you are replacing a failed PA‐5200 firewall with the same model PA‐5200 firewall.
Firewall Migration Planning Checklist
Migrate to New Firewalls
Firewall Migration Planning Checklist
Use the following checklist to plan the migration:
Obtain licenses—Purchase a support license for the new firewall and have the authorization code ready. Also purchase the licenses and subscriptions necessary for activating the same features on the new firewall that are enabled on the old firewall and account for the following scenarios as needed:
– If the old firewall has virtual systems enabled, ensure that the new firewall can support the same number of virtual systems that are configured on the old firewall and, if applicable, purchase a virtual system license for the new firewall. This will ensure you can migrate the virtual systems from the old firewall to the new firewall.
– For firewalls in a high‐availability (HA) configuration, licenses are unique to each firewall and cannot be shared between the firewalls. Therefore, you must activate an identical set of licenses on each firewall.
Compare compatibility—Use the Product Selection tool to compare the old and new firewall to ensure the new firewall supports—at a minimum—the same functionality as the old firewall and use the Compatibility Matrix to view the supported OS releases by model.
Determine the target PAN‐OS release—Before you Migrate to New Firewalls, ensure that the old firewall is running the same PAN‐OS release and the same content release version as is installed on the new firewall. If the old firewall does not support the PAN‐OS release that is installed on the new firewall, you must ensure that the old firewall is no more than one feature release behind. For example, if the new firewall is running PAN‐OS 8.0, then the old firewall must be running or upgraded to a PAN‐OS 7.1 release before you migrate. If the old and new firewalls are not within one feature release, you cannot use the device state export and import process to migrate due to schema changes that occur from feature release to feature release.
Plan for a User‐ID migration—If User‐ID is configured on the old firewall, consider the following:
– If the old firewall uses Captive Portal to collect user‐to‐IP address mappings, ensure that the new firewall is registered with your DNS server as the Captive Portal host. This required only if you plan to change the IP address that is used as the web server redirect destination when Captive Portal is in redirect mode. By default, Captive Portal uses the management (MGT) interface for these services.
– If the firewall is configured as a User‐ID agent and you plan to use different IP addresses on the new firewall, ensure that the new firewall has a network path to all resources required by the agent, such
© Palo Alto Networks, Inc. Firewall Migration Guide • 5
Firewall Migration Planning Checklist Firewall Migration
as domain controllers, syslog servers, and other User‐ID agents. If the firewall is configured to contact User‐ID agents on domain servers, ensure that the firewall can connect to those servers.
Forward logs for retention—You cannot migrate logs from one firewall to another. Therefore, when planning the migration, ensure that the old firewall is forwarding any logs you need to retain to an appropriate external location. If you use Panorama to manage the firewall, logs forwarded to Panorama from the firewall are still available for query and reporting after migration until you remove the firewall from Panorama. Keep in mind that the old firewall will count toward your total number of managed devices so you should remove the old firewall at some point. Alternatively, you can export logs to CSV format.
Label management and Ethernet cables—Label all cables before you disconnect them so you can easily identify them when moving them from the old firewall to the new firewall. Alternatively, connect new cables to the new firewall.
Schedule a maintenance window—Schedule a maintenance window to allow time for you to move cables from the old firewall to the new firewall and to test the new firewall. Also notify other administrators about the upgrade so they do not inadvertently make changes to the old firewall during the migration. Otherwise, changes made after migration begins will not be migrated to the new firewall. You should also schedule time with your network administrator to assist with the migration.
Prevent IP address conflicts—Obtain a temporary IP address for the MGT interface on the new firewall if you plan to connect the old and new firewalls to the same management network during the migration. To prevent IP address conflicts on the Ethernet interfaces, do not connect the Ethernet cables to the new firewall until you are ready to move them over from the old firewall.
Take photos of the front and back of the old firewall and capture all cable connections before disconnecting any cables.
6 • Firewall Migration Guide © Palo Alto Networks, Inc.
Firewall Migration Migrate to New Firewalls
Migrate to New Firewalls
This procedure describes how to migrate a pair of Palo Alto Networks firewalls in a high‐availability (HA) active‐passive configuration to a new pair of Palo Alto Networks firewalls. You can also use this procedure to upgrade an active/active configuration by substituting active‐primary in place of active and active‐secondary in place of passive throughout these migration steps. In this procedure, you import the device states from the old firewalls to the new firewalls to reduce the number of manual configuration steps needed when migrating. There are some settings, such as multiple virtual systems (multi‐vsys) and jumbo frames, that you must manually configure as described in this procedure. There are also settings that are not synchronized in HA (as described in Reference: HA Synchronization).
To minimize downtime in your production environment, this procedure allows for keeping the old firewalls operational until you have configured and tested the new firewalls.
In the following procedure, the active firewall in the old HA pair is named Old‐FW‐A and the passive firewall is named Old‐FW‐B. On the new HA pair, the active firewall is named New‐FW‐C and the passive firewall is named New‐FW‐D.
Migrate to New Firewalls
Step 1 Rack‐mount and connect power to the new firewalls.
Follow the procedures in the hardware reference guide for the new firewall.
Step 2 Connect your management computer to the New‐FW‐C firewall.
1. Connect an RJ‐45 Ethernet cable from your management computer to the MGT port on the New‐FW‐C firewall.
2. Change the IP address on your computer to an address in the 192.168.1.0 network, such as 192.168.1.2.
3. Power on the firewall.
4. From a browser, go to https://192.168.1.1.
5. When prompted, log in using the default username and password (admin/admin).
We recommend that you have a serial console cable ready to connect to the Console port on the firewall and use terminal emulation software to access the command line interface (CLI). The terminal settings are 9600‐8‐N‐1. This will ensure that if you lose the web interface connection to the firewall, you can view or modify the configuration from the terminal.
Step 3 (FIPS‐CC mode only) If the old firewalls are in Common Criteria (CCEAL4) mode, enable this mode on the new firewalls.
1. Follow the procedure in Enable FIPS and Common Criteria Support.
2. After the firewall restarts in CCEAL4 mode, log in with the new default username and password (admin/paloalto) and continue to Step 4.
Step 4 Assign a temporary IP address to the management interface.
You will replace this IP address with the IP address configured on the management interface on the old firewall when you are ready to disconnect the old firewall.
1. Configure the MGT interface using the necessary settings required to enable you to manage the firewall over your management network and to enable the firewalls to communicate with the Palo Alto Networks update servers.
2. Commit the changes.
3. Connect the MGT port to a switch that is accessible from your management network.
© Palo Alto Networks, Inc. Firewall Migration Guide • 7
Migrate to New Firewalls Firewall Migration
Step 5 Connect your management computer to the second new firewall.
1. Repeat Step 2, Step 3, and Step 4 assigning a different temporary IP address to the management interface.
2. After you connect both of the new firewalls to your management network, change the IP address on your computer back to its original address.
3. Connect your management computer to your corporate network and verify that you can manage the new firewalls using the temporary management interface IP addresses you set on the new firewalls.
Step 6 Register and license the new firewalls. 1. Register the firewalls.
2. Activate Licenses and Subscriptions.
Step 7 Update the content release version on the old and new firewalls to the same version.
The minimum supported content release version is enforced by the PAN‐OS release. For details on what content release version is required, refer to the release notes for the version you are installing. For example, if you are installing PAN‐OS 8.1, refer to the PAN‐OS 8.0 Release Information.
Perform the following on the old and new firewalls:
1. Select Device > Dynamic Updates and click Check Now.
2. If new updates are available for Antivirus and Applications and Threats, Download them (Actions column).
3. Install each update.
Step 8 Determine the target PAN‐OS release and upgrade the old firewalls if necessary.
1. Log in to the web interface on each firewall (old HA pair and new HA pair) and select the Dashboard tab.
2. Take note of the Software version, Application Version, and Threat Version on the old and new firewalls (General Information).
3. Choose from the following options based on the PAN‐OS release versions running on the firewalls: • If the old firewalls are running the same PAN‐OS feature
release as the new firewalls or are within one feature release of the new firewalls, continue to Step 9.
• If the old firewalls are running a PAN‐OS release that is two or more feature releases older than what is running on the new firewalls, upgrade the old firewalls to the same release as the new firewalls. Alternatively, if the new firewalls are running a PAN‐OS release that is older than the what is running on the old firewalls, upgrade the new firewalls to the same release as the old firewalls.You can find details on upgrading a firewall in the New Features guide for each release. For example, to upgrade to PAN‐OS 8.0, refer to New Features Guide Version 8.1.
Migrate to New Firewalls (Continued)
8 • Firewall Migration Guide © Palo Alto Networks, Inc.
Firewall Migration Migrate to New Firewalls
Step 9 (Virtual system and jumbo frame mode only) If the old firewalls are in multi‐vsys mode or jumbo frame mode, enable the same modes on the new firewalls.
If either of these modes are enabled on the old firewalls, you must enable them on the new firewalls before you import and commit the device state from the old firewalls.
Perform the appropriate step(s) that pertain to the firewall configuration:• To enable virtual system mode:
1. Select Device > Setup > Management and edit General Settings.
2. Select Multi Virtual System Capability.
3. Click OK and Commit.• To enable jumbo frame mode:
1. Select Device > Setup > Session and edit Session Settings.
2. Enable Jumbo Frame.
3. Click OK and Commit.
4. Reboot the firewall (Device > Setup > Operations > Device Operations).
Step 10 (Optional ‐ for custom master key only) Set the master key on the new firewalls to match the keys you defined on the old firewalls so the new firewalls can decrypt keys and passwords in the configuration.
1. On the new firewalls, select Device > Master Key and Diagnostics and edit the Master Key settings.
2. Enter the New Master Key and Confirm New Master Key.
3. Click OK. The firewalls will auto‐commit the new master keys.
Step 11 Export the device state from the old firewalls.The device state export contains most firewall configuration settings, including local configuration settings and settings pushed by Panorama (if the firewalls are managed by Panorama). If the firewall is configured for a GlobalProtect™ Large‐scale VPN, the device state export also contains the required certificates and private keys.
1. Notify all administrators that have access to the old firewalls that a migration is in progress and take a config lock (click the lock icon next to Config) on the old firewalls to prevent unexpected configuration updates.
2. Commit any pending configuration updates on the old firewalls (Old‐FW‐A and Old‐FW‐B).
3. Select Device > Setup > Operations on the Old‐FW‐A firewall.
4. Export device state file to your computer.
5. Rename the device state file to a name that helps you identify it later. For example, rename device_state_cfg.tgz to Old‐FW‐A‐device‐state.tgz.
6. Repeat steps 3, 4, and 5 for the Old‐FW‐B firewall and name the device state file Old‐FW‐B‐device‐state.tgz.
Step 12 Import the device state from the old firewalls to the new firewalls.
Do not commit the configuration until instructed to do so in Step 17.
1. Select Device > Setup > Operations on the New‐FW‐C firewall.
2. In the Configuration Management section, click Import device state.
3. Browse to and open the device state file that you exported from the old firewall (Old‐FW‐A‐device‐state.tgz in this example).
4. Click OK but do not commit, yet. The new device state configuration is now the candidate configuration.
5. Repeat these steps for the New‐FW‐D firewall but import the device state from the old passive firewall (Old‐FW‐B‐device‐state.tgz in this example).
Migrate to New Firewalls (Continued)
© Palo Alto Networks, Inc. Firewall Migration Guide • 9
Migrate to New Firewalls Firewall Migration
Step 13 Create a temporary superuser account on the new firewalls.
Create a username that does not exist on the old firewalls. This ensures that you can log in to the new firewalls if there is an issue with the imported accounts.
1. Select Device > Administrators and Add a new administrator.When you imported the device state in the previous step, the device state becomes the candidate configuration and is not active until you commit. When you create or modify administrator accounts, those changes are immediately activated. Because of this, when you create the temporary administrator account and click OK, your session will time‐out and you will need to log back in using the new temporary account or by using an account that exists on the old firewall.
2. Enter a Name, such as migrate‐admin.
3. Enter a new Password and Confirm. Store the credentials in a safe place.
4. Set the Administrator Type to Dynamic, select Superuser from the drop‐down, and click OK but do not commit, yet. Your current session will time‐out.
5. Log back in using the new temporary account.
6. Repeat these steps to create a temporary superuser account on the New‐FW‐D firewall.
Step 14 Change the management IP addresses on the new firewalls to the temporary management IP addresses you set in Step 4 and Step 5. This will prevent IP address conflicts with the old firewalls after you commit the device state.
1. Select Device > Setup > Interfaces and click Management. In PAN‐OS release version 7.1 and earlier, this setting is in Device > Setup > Management.
2. Enter the temporary management IP information (IP Address, Netmask, and Gateway) or select DHCP.
3. Click OK but do not commit, yet.
Step 15 Reconfigure Ethernet interfaces if there is a mismatch between the old and new firewalls.
If the new firewalls have higher speed Ethernet ports or different connector types (SFP for example) than the old firewalls, reconfigure the mismatched interfaces before you commit and install the appropriate connectors and cables.For example, if you migrate from a PA‐2050 firewall to a PA‐3020 firewall, the first 16 Ethernet ports on the PA‐2050 firewall are RJ‐45 10/100/1000Mbps ports but on a PA‐3020 firewall the first 12 ports are RJ‐45 10/100/1000Mbps ports and the remaining ports are SFP ports (ports 13‐20).
Step 16 (Panorama only) Add the new firewalls to Panorama.
Leave the serial numbers of the old firewalls in Panorama so you can continue to view logs and run reports. Be aware that leaving the old firewalls in Panorama will count against your Panorama license so you should remove the old firewall at some point.
1. Add the serial numbers of the new firewalls to the Panorama server that is managing the old firewalls as described in Add a Firewall as a Managed Device.
2. Add the new firewalls to the same device group and templates (or template stacks) as the old firewalls as described in Manage Firewalls.
3. Commit the Panorama configuration so Panorama can start managing the new firewalls.
Migrate to New Firewalls (Continued)
10 • Firewall Migration Guide © Palo Alto Networks, Inc.
Firewall Migration Migrate to New Firewalls
Step 17 Commit the configuration on the new firewalls.
To prevent network flow issues and IP address conflicts, do not connect the network cables until Step 22.
1. Commit New‐FW‐C firewall. If the firewall is running a PAN‐OS 7.0 or later release, you can validate the new configuration before you commit. After you import a device state, Commit indicates that there are no pending configuration changes and that a full commit is available. Continue with the commit to complete the operation.
If you see configuration errors in the commit output, resolve errors as needed until the commit is successful.
2. Commit New‐FW‐D firewall.You will need to resolve any configuration issues on both firewalls if they are managed by Panorama because HA does not synchronize configurations pushed by Panorama.
3. Reboot the firewalls to complete the operation. Select Device > Setup > Operations, click Reboot Device, and click Yes.
Step 18 (GlobalProtect LSVPN only) If the old firewalls were configured as a GlobalProtect LSVPN satellite, you may need to reauthenticate the new firewalls depending on the LSVPN portal configuration.
If the portal uses serial number authentication, add the serial numbers of the new firewalls to the portal.If the portal is configured to authenticate satellites using username and password, the satellite will successfully connect to the portal because the required configuration is migrated in the device state import.
No additional steps (related to GlobalProtect) are required if the new firewalls are configured as a GlobalProtect portal or gateway.
Step 19 (HA1 encryption only) If HA1 encryption is enabled on the old HA pair, enable it on the new HA pair and exchange HA keys between the new firewalls. Otherwise, continue to Step 20.HA1 encryption is used to secure the communication between the HA1 links on the firewalls when the link is not directly connected (ports are connected to a switch or a router). When performing an upgrade to new firewalls, you will use the HA keys that are generated on the new HA pair, so there is no need to export the HA keys from the old firewalls.
1. On the New‐FW‐C firewall and the New‐FW‐D firewall, select Device > High Availability > General and Enable HA in the Setup section.
2. On the New‐FW‐C firewall, Select Device > Certificate Management > Certificates and click Export HA Key.
3. On the New‐FW‐D firewall, Import HA Key that you exported from the New‐FW‐C firewall.
4. Repeat steps 2 and 3, but in this case, export the HA key from the New‐FW‐D firewall and import it to the New‐FW‐C firewall.
For more details, refer to Configure Active/Passive HA or Configure Active/Active HA.
Step 20 (Optional) Configure and connect dedicated HA ports. If the old firewalls do not have dedicated HA ports and you are upgrading to firewalls that do, modify the configuration on the new firewalls to use the dedicated ports. The dedicated HA ports improve HA communication.
Review HA Links and Backup Links for information about the available HA ports and supported firewalls and then refer to Configure Active/Passive HA or Configure Active/Active HA for information on how to configure HA ports.
Migrate to New Firewalls (Continued)
© Palo Alto Networks, Inc. Firewall Migration Guide • 11
Migrate to New Firewalls Firewall Migration
Step 21 Temporarily disable HA link monitoring to prevent failover flapping issues while you complete the remaining steps.
1. On the New‐FW‐C firewall, select Device > High Availability > Link and Path Monitoring and edit Link Monitoring.
2. Deselect Enabled.
3. Click OK and Commit.
4. Perform these same steps on the New‐FW‐D firewall.
Step 22 Move cables (Ethernet, management, and HA) from the old firewalls to the new firewalls. Alternatively, you can connect new cables to the new firewalls.
Label all cables before you disconnect them so you can easily identify them when moving them from the old firewalls to the new firewalls.
1. Schedule a maintenance window to allow time to disconnect cables from the old firewalls and cable the new firewalls.
2. Move the Console and MGT port cables from the old firewalls to the new firewalls.
3. Move the Ethernet cables from the old firewalls to the new firewall ensuring that you move each cable to the correct port on each firewall. For example, move the ethernet1/1 cable on the Old‐FW‐A firewall to ethernet1/1 on the New‐FW‐C firewall and move the ethernet1/1 cable on the Old‐FW‐B firewall to ethernet1/1 on the New‐FW‐D firewall.
Step 23 Clear the MAC table and ARP entries from adjacent network equipment, such as switches and routers.This is required because you are migrating the interface configuration from the old firewalls to the new firewalls and the new firewalls have different MAC addresses.If the network equipment uses static MAC addresses based on the interfaces on the old firewalls, change those MAC addresses to the MAC addresses of the interfaces on the new firewalls.
Perform this procedure yourself or contact your network administrator if you do not have access to the network equipment.
Step 24 Verify traffic flow on the new firewalls.If active/passive HA is configured, you will not see active sessions on the passive firewall.
View sessions from the web interface or from the command line interface (CLI):• Web interface—Select Monitor > Session Browser.• CLI—Run the show session all operational command.The session information shows the traffic flow between zones. After a session ends, you can then view more details in the traffic logs (Monitor > Logs > Traffic).
Step 25 (Optional) Update the management (MGT) interface configuration on the new firewalls using the configuration from the old firewalls.
Have a serial console connection ready in case you lose access to the MGT interface.
1. Disconnect the MGT cables from the old firewalls.
2. Select Device > Setup > Management and edit the Management Interface Settings on firewalls the New‐FW‐C firewall and the New‐FW‐D firewall.
3. Enter the MGT configuration (IP Address, Netmask, and Default Gateway) on the New‐FW‐C firewall using the settings from the Old‐FW‐A firewall and enter the MGT configuration on the New‐FW‐D firewall using the settings from the Old‐FW‐B firewall.
4. Click OK and Commit.
Migrate to New Firewalls (Continued)
12 • Firewall Migration Guide © Palo Alto Networks, Inc.
Firewall Migration Migrate to New Firewalls
Step 26 Enable HA link monitoring. 1. On the New‐FW‐C firewall, select Device > High Availability > Link and Path Monitoring and edit Link Monitoring.
2. Select Enabled.
3. Click OK and Commit.
4. Perform these same steps on the New‐FW‐D firewall.
Step 27 Verify that HA is operational. 1. Access the management web interface on the New‐FW‐C firewall or the New‐FW‐D firewall.
2. Select Dashboard and add the High Availability widget (Widgets > System > High Availability).In this example, the current firewall is the passive firewall in a functional HA configuration with all items synchronized.
3. Verify failover.For details on configuring HA, refer to the High Availability topic in the PAN‐OS Administrator’s Guide.
Step 28 (Optional) Upgrade the new firewalls.We recommend that you wait a few days to ensure that the new firewalls are operating normally before you upgrade PAN‐OS. Also, test HA failover on the new firewalls and ensure that you are taking regular backups.
To take full advantage of the features of the new firewalls, upgrade them to the latest PAN‐OS release.You can find upgrade details in the New Features guide for each release. For example, refer to Upgrade to PAN‐OS 8.0. Also review the release notes before you upgrade. For example, refer to the PAN‐OS 8.0 Release Notes.
Migrate to New Firewalls (Continued)
© Palo Alto Networks, Inc. Firewall Migration Guide • 13
Migrate to New Firewalls Firewall Migration
14 • Firewall Migration Guide © Palo Alto Networks, Inc.
