Plan Your Routing Engine Migration
Table of Contents
Plan Your Routing Engine Migration
Overview of legacy routing engine to advanced routing
engine migration process.
Beginning with PAN-OS® 10.2, we introduced an advanced routing engine for
the
Palo Alto Networks family of Next-Generation Firewalls
that has more features and is more flexible than
the legacy routing engine. You can enable the advanced routing engine and migrate
an existing firewall configuration that uses the legacy routing engine to the advanced
routing engine. However, there are significant differences between the legacy and
advanced routing engines that
may
require you to monitor and provide information for your environment during
the migration process.
To migrate Panorama managed firewalls, both Panorama and local firewall configuration
must be migrated as follows:
- Enable Advanced Routing on Panorama to migrate and push the Panorama configuration to all devices.
- Disable Advanced Routing in each Panorama managed firewall and don't commit the changes.
- Enable Advanced Routing for each firewall managed by Panorama to migrate the local firewall configuration.
- Commit the changes on each firewall and restart the firewalls for the changes to take effect.
After you enable Advanced Routing on a firewall or through your
Panorama management server, a built-in migration script will migrate your existing
legacy routing
configuration to the advanced routing
engine
configuration. When the script finishes, the
Migration Configuration displays color codes that indicate
the migration status.
If a migration exception occurs, it’s highlighted in yellow or orange depending on the
action required.
Additionally,
any exceptions detected during the migration process result in an incomplete migration
and you will need to resolve the issue before you can attempt the migration process
again.
|
STATUS COLOR CODE
|
STATUS DESCRIPTION
| ACTION |
|---|---|---|
|
Green
|
No issues were encountered when migrating the existing protocol
features into the advanced routing engine configuration.
|
No action required.
|
|
Yellow
|
The advanced routing engine supports one or more features that exist
in the legacy routing engine configuration but uses different
parameters.
|
No action is required because the alternate configuration guideline
is available.
|
|
Orange
|
One or more features or settings are no longer supported.
|
Identify if any configuration correction is required and update the
configuration after migration manually.
|
|
Red
|
A migration script failure occurred.
| Generate the technical support file, log in to Palo Alto Networks Customer Support Portal, and report your issues to get help with your product. |
This migration reference includes information about any exceptions and proposes solutions
that help make the migration process go as smoothly as possible.
Review the specific protocols listed in this migration reference before you begin the
migration process. If you find that there are exceptions, either fix them beforehand or
identify the appropriate solution before the script pauses for your input. After the
migration is complete, ensure that the key elements of your design are preserved by
reviewing the final configuration.
To ensure an accurate migration
process on the
firewalls, including high availability (HA) active/active and active/passive
configurations take snapshots of both the
Routing Information Base (RIB) and Forwarding Information Base (FIB) before you
begin the migration process and then compare the results after the migration.