Upgrade From PA-220 To PA-440

Step 1) Get a PA-440 from your reseller.

Step 2) Power On PA-440

Step 3) Connect the Micro USB cable to the console port, then the USB-A end to a workstation of your choice, with the OS of your choice. I will be using an HP laptop with Windows 11. Serial settings:

  • Baud Rate: 9600
  • Data Bits: 8
  • Parity: None
  • Stop Bits: 1
  • Flow Control: None

Log in as admin:admin and change the password.

Step 4) Disable ZTP. Unless you are working with a consultant or advanced VAR, you probably won’t be using ZTP (Zero Touch Provisioning), and while it is enabled it will prevent us from configuring a static IP address on the MGMT port.

> set system ztp disable

Now wait for the firewall to reboot.

Step 5) Configure a static IP for the PA-440 MGMT port:

> configure
> set deviceconfig system type static
> set deviceconfig system ip-address <IP_ADDRESS> netmask <NETMASK> default-gateway <DEFAULT_GATEWAY>
> commit

At this point you can plug a network cable into the MGMT port and into the switch in your network stack that will allow it to communicate to the internet and whatever devices are on the same subnet.
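
A pre-check for this step, added here as an example and not part of the original post: the Python helper below validates the address, netmask and gateway before they are typed at the console, then returns the config-mode commands with the interface type and the address settings as separate `set` lines. The function name `mgmt_commands` and the sample addresses are assumptions.

```python
import ipaddress


def mgmt_commands(ip, netmask, gateway):
    """Validate static MGMT settings and return the PAN-OS config-mode commands.

    Hypothetical helper for illustration; raises ValueError on any problem.
    """
    # IPv4Interface rejects malformed addresses and non-contiguous netmasks.
    iface = ipaddress.IPv4Interface(f"{ip}/{netmask}")
    net = iface.network
    gw = ipaddress.IPv4Address(gateway)

    problems = []
    # A host cannot use the network or broadcast address (except on /31 and /32).
    if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
        problems.append(f"{iface.ip} is the network or broadcast address of {net}")
    # A gateway outside the MGMT subnet leaves the port unable to reach
    # the update and licensing servers used in the later steps.
    if gw not in net:
        problems.append(f"gateway {gw} is outside {net}")
    if gw == iface.ip:
        problems.append("gateway equals the MGMT address")
    if problems:
        raise ValueError("; ".join(problems))

    return [
        "set deviceconfig system type static",
        f"set deviceconfig system ip-address {iface.ip} "
        f"netmask {net.netmask} default-gateway {gw}",
        "commit",
    ]


if __name__ == "__main__":
    # Constructed sample values from the RFC 5737 documentation range.
    for line in mgmt_commands("192.0.2.10", "255.255.255.0", "192.0.2.1"):
        print(line)
```
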

Step 5) Adjust any existing firewall rules to allow the MGMT port to access the internet, primarily the “paloalto-updates” app type, if you are already using a PA series firewall and want to be really strict on the rules.

Step 6) Register the device with your account on the Palo Alto Support portal. This is required when using the “grab licenses from online servers” option in the firewall. If you are using the device in an offline fashion then you will need to use the activation codes, which is outside the scope of this blog.

Step 7) Activate the PA-440 by checking online for licenses.

Congrats we got the first basic deployment steps configured for the PA-440. We can now manage it via the Web interface on the MGMT port. Now we’ll export the config from the PA-220, and import it into the PA-440.

Step 8) Export existing config from PA-220.

Device -> Setup -> Operational -> Save named snapshot -> name it

Device -> Setup -> Operational -> Export named snapshot -> the one named above

Step 9) On the PA-440 Import the config.

Device -> Setup -> Operational -> Import named snapshot -> the one named above

Device -> Setup -> Operational -> Load named snapshot -> name it

In my case I had a URL security definition that was causing a validation fault. So I had to check for new apps n threats packages and apply the latest one.

This most likely happened because my exported config had a later apps n threats definition than what the new firewall had available.

After this the commit validated without issue.

Step 10) Use Auth codes to activate all features.

Step 11) Commit

Step 12) Power off the PA-220 and replace it with the PA-440. Plug the network cables in 1 for 1; since they both have 8 ports, it’s just a direct in-place drop.

Now that I got a PA-440 with all the bells n whistles, stay tuned for more Palo Alto Networks tutorials. I’ll review what I’ve covered in the past on my website and attempt to avoid duplicates; if I do find those I’ll update those posts, otherwise I’ll create a new one for new deployments.

Hope this helps someone.
