Hardware Migration from PA2000 to PA3000 or PA5000

Hardware Migration from PA2000 to PA3000 or PA5000

Created On 09/25/18 18:40 PM - Last Modified 02/07/19 23:53 PM


This article provides a step-by-step procedure for migrating from PA2000 series firewalls to the new PA3000 or 5000 series firewalls.


  • Export a configuration snapshot from the old firewall. Go to Device > Setup > Operations > Export named configuration snapshot.


  • Export device state (if the firewall is managed by Panorama). Go to Device > Setup > Operations > Export device state.



Otional step:

  • Set the Master key on the new firewall to be identical to the master key of the old firewallmaster key.png



  • Import configuration snapshot/device state on the new firewall. Go to Device > Setup > Operations > Import named configuration snapshot OR Import device state.



  • Load the config on the new firewall. (This step is not required if device state is imported). Go to Device > Setup > Operations > Load named configuration snapshot.


  • Change management interface settings (if required). Go to Device > Setup > Management > Management Interface Settings.



  • Make sure that the interfaces are physically connected exactly the same as they were on the old firewall and the PAN-OS versions of the old and new firewalls are the same.
  • Commit.


On Panorama:

  • Delete the old firewall from the device group, template and managed devices.
  • Add the new firewall in the managed devices and add it to a template and device group.
  • Perform a device group and template commit to push the device group and template config to the firewall to have it in sync.

The above can also be done in the CLI on the Panorma appliance using the following command:


     > replace device old <value> new <value>


  • Physically disconnect the cable from the old firewall and connect it to the new firewall to complete the cutover.


  • Print
  • Copy Link


Choose Language