Palo Alto Networks Knowledgebase: DotW: Restoring Configuration Between Platforms

Created On 02/08/19 00:07 AM - Last Updated 02/08/19 00:07 AM
Resolution

Have you planned a hardware upgrade in the future and want to reuse a configuration file? Are you trying to figure out how to go about restoring a backup configuration from a PA5000 series to a PA3000? Can you just move a config file from one device to the other? These are questions that live in the Community.  User dfeddersen was puzzled and dropped this question in the discussion forum:

 

[Screenshot: Question posted in discussion forum]

 

Sure enough, different hardware platforms have different properties and what is valid on one platform might not be valid on the other.  How do you move forward when facing this conundrum?

 

Several users jumped in on this discussion, sharing their experiences and insight.

 

Although it is possible to move configurations from one platform to the other, there are some considerations. User jvalentine pointed out that the interface numbers and HA interfaces might already be different, depending on the platform. Aside from that, there are less obvious differences. Different platforms might not support the same number of objects you have in your configuration file. Higher-end devices support more objects, so a configuration that fits on one of them might exceed the capacity of a smaller unit.

 

As long as you're not exceeding the capacity of the smaller units, you should be OK. As jvalentine pointed out, if you run into any problems, you can edit the .xml config file to resolve the issue.

 

An obvious example of the above is the number of security zones. The PA-200 will support up to 10 security zones, the PA-500 will support 20, and the PA-5060 will support up to 900 security zones!
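A pre-flight check built on the zone limits quoted above, as an added example that is not part of the original article or of any Palo Alto Networks tooling: it counts the zones in an exported config, compares the count with the target platform's limit, and lists the interfaces the zones reference. The XML path, the `preflight` and `build_sample_config` names, and the sample config are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Zone limits exactly as quoted in the article; other models are not listed there.
ZONE_LIMITS = {"PA-200": 10, "PA-500": 20, "PA-5060": 900}
ZONE_PATH = "./devices/entry/vsys/entry/zone/entry"  # assumed export layout


def build_sample_config(zone_count):
    """Constructed stand-in for an exported config: one vsys, N layer3 zones."""
    zones = "".join(
        f'<entry name="zone{i}"><network><layer3>'
        f"<member>ethernet1/{i}</member></layer3></network></entry>"
        for i in range(1, zone_count + 1)
    )
    return (
        '<config><devices><entry name="localhost.localdomain"><vsys>'
        f'<entry name="vsys1"><zone>{zones}</zone></entry>'
        "</vsys></entry></devices></config>"
    )


def preflight(config_xml, target_platform):
    """Count zones and collect referenced interfaces before a cross-platform restore."""
    root = ET.fromstring(config_xml)  # raises ParseError if the file is corrupt
    zones = root.findall(ZONE_PATH)
    interfaces = sorted(
        {m.text for z in zones for m in z.findall("./network/*/member") if m.text}
    )
    limit = ZONE_LIMITS[target_platform]
    return {
        "zones": len(zones),
        "limit": limit,
        "fits": len(zones) <= limit,
        "excess": max(0, len(zones) - limit),
        "interfaces": interfaces,  # names to compare against the target's ports
    }


if __name__ == "__main__":
    sample = build_sample_config(12)  # constructed: 12 zones
    for platform in ZONE_LIMITS:
        print(platform, preflight(sample, platform))
```

Run it against a copy of the exported file, never the only original, so a failed edit can always be rolled back.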

 

JDominguez also jumped in on the discussion with a word of warning.  Editing the xml file is not without risk.  You can even end up with a corrupt file, if you're not careful.  A warned man counts for two! So ALWAYS make a backup copy of the original file! JDominguez also referred to the migration tool.  This is a very powerful tool that you can find here:

 

Migration Tool Download Page

 

Aside from being a migration tool, you can also use this tool to audit your configuration and clean it.  Just a few examples of the tool's possibilities are to merge rules, bulk-rename objects, bulk-edit rules, etc.

 

Note that there is a separate discussion section of this tool here on Live:

 

Migration Tool Topics

 

Veteran contributor pulukas also joined the discussion with his experience on this subject. He uses a basic text editor to make the necessary changes using the search/replace technique.  When you're done modifying the config like this, you can go ahead and upload the file to the new device.

 

Pulukas does point out this gets trickier when you want to load just part of the configuration.  You can do this using the 'load config partial' commands in configuration mode.  Here's another article explaining how to do that:

 

How to Load Partial Configurations

 

You can follow the full discussion here!

 

Cheers!

-Kiwi

 


