How To Configure An RMA Replacement Firewall
Environment
Palo Alto Firewall managed by Panorama.
Any PAN-OS.
Resolution
Overview
To replace or repair a firewall, open a case requesting an RMA with an authorized support provider. This document
describes how to prepare the replacement firewall for the production environment.
If you are replacing a member of an HA pair, see How to Configure a High Availability Replacement Device instead.
Steps
Register the new firewall and transfer licenses:
Upon receipt, register the new device and transfer licenses from the old unit. After Palo Alto Networks receives
the failed device, the old licensing is stripped, so it is important to transfer the licenses immediately.
To transfer the license, follow these instructions: How to Transfer Licenses to a Spare Device
Note: When a license is transferred to the spare device, the original device still has a 30-day evaluation license.
Configure the Management Interface.
The default management interface IP is 192.168.1.1 and the default login/password is admin/admin. Change the
admin password before the unit is reachable from anything other than your workstation; a replacement that still
uses factory credentials is an easy target on a shared management network.
Configure either NTP (Device > Setup > Services) or the date and time (Device > Setup > Management >
General Settings). A correct clock matters here, because certificate validation against the update and
license servers depends on it.
Configure the Management Interface with internet access and a DNS server under
Device > Setup > Services. This interface must be able to reach
updates.paloaltonetworks.com.
Alternatively, configure a service route so that a Layer 3 data interface with internet access carries
management traffic. The interfaces, routing, and policies that this requires must be configured on the device. Go to
Device > Setup > Service Route Configuration and choose the appropriate interface IP address for the
paloalto-updates and dns services.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clkn 1/5
2022/8/1 10:04 https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clkn
Note: Refer to How to Configure the Management Interface IP to set up the IP address for the
management interface.
Retrieve the licenses previously transferred to the device: go to Device > Licenses > Retrieve license keys
from license server. The license for each feature is listed on the same page. Verify that a URL
filtering license is present, that URL filtering is activated, and that the database has been
downloaded. If a "Download Now" link is displayed, the database has not been downloaded yet; once
PAN-DB is activated and downloaded, the entry shows the downloaded database in place of that link.
The device is now ready to be upgraded, if needed. Download and install the available Applications or
Applications and Threats package from Device > Dynamic Updates > Applications and Threats > Check Now;
the device lists the packages available to download and install. Install the content package before
upgrading PAN-OS, since a PAN-OS upgrade requires a minimum content version.
To update PAN-OS, go to Device > Software > Refresh. Bring the replacement to the same PAN-OS version as
the failed unit before importing its configuration: a firewall can migrate a configuration exported from
an older release, but cannot load one exported from a newer release.
Additional information about PAN-OS upgrades: How to Upgrade PAN-OS and Panorama
Case 1: Old device is still connected to the network and the firewall was not managed by
Panorama:
This assumes that only the management port of the new firewall has been connected.
On the old device, go to Device > Setup > Save Named Configuration Snapshot, then
Device > Setup > Export Named Configuration Snapshot.
On the new device, go to Device > Setup > Import Named Configuration Snapshot to import
the backed-up configuration.
If the old firewall used a non-default master key, configure the same master key on the new device
(Device > Master Key and Diagnostics) before loading the snapshot; otherwise the encrypted
passwords and keys inside it cannot be decrypted.
Once the configuration is imported, load it via Device > Setup >
Load Named Configuration Snapshot.
Change the management IP and hostname so that they do not conflict with the old device while
both are on the same management network. They can be changed back later if required.
Resolve any commit errors and commit the configuration.
Remove the old device and move the network cables to the new device.
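The hostname and management-address change in the steps above can be made in the exported snapshot before it is imported, so a conflicting address is never committed on the new unit. The following is an added example, not code from the Palo Alto Networks article; it uses Python's standard library on a constructed, minimal snapshot and assumes the usual PAN-OS layout in which management settings sit under devices/entry[@name='localhost.localdomain']/deviceconfig/system.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: a minimal subset of what Device > Setup > Export Named
# Configuration Snapshot produces. Real snapshots are far larger and also carry
# administrator password hashes and encrypted secrets, so handle them as sensitive.
SAMPLE_SNAPSHOT = """<config version="10.1.0">
  <devices>
    <entry name="localhost.localdomain">
      <deviceconfig>
        <system>
          <hostname>fw-edge-01</hostname>
          <ip-address>10.10.0.10</ip-address>
          <netmask>255.255.255.0</netmask>
          <default-gateway>10.10.0.1</default-gateway>
        </system>
      </deviceconfig>
    </entry>
  </devices>
</config>
"""

# Assumed location of the management settings inside a PAN-OS configuration.
SYSTEM_XPATH = "./devices/entry[@name='localhost.localdomain']/deviceconfig/system"
MGMT_TAGS = ("hostname", "ip-address", "netmask", "default-gateway")


def _system_node(root):
    system = root.find(SYSTEM_XPATH)
    if system is None:
        raise ValueError("deviceconfig/system not found: not a PAN-OS snapshot?")
    return system


def management_settings(xml_text):
    """Return the management identity of a snapshot as {tag: value}."""
    system = _system_node(ET.fromstring(xml_text))
    return {tag: system.findtext(tag) for tag in MGMT_TAGS}


def retarget_management(xml_text, new_hostname, new_ip, new_netmask=None):
    """Return (rewritten XML, {tag: (old, new)}) with the hostname and
    management address changed so the replacement can sit on the same
    management LAN as the old unit while both are online. Nothing else in
    the snapshot is touched."""
    ipaddress.IPv4Address(new_ip)  # reject typos before they reach a commit
    root = ET.fromstring(xml_text)
    system = _system_node(root)
    if new_ip == system.findtext("ip-address"):
        raise ValueError("new management IP equals the old one; the conflict is not avoided")
    changes = {}
    for tag, value in (("hostname", new_hostname),
                       ("ip-address", new_ip),
                       ("netmask", new_netmask)):
        if value is None:
            continue  # keep the exported value
        node = system.find(tag)
        if node is None:
            node = ET.SubElement(system, tag)
        changes[tag] = (node.text, value)
        node.text = value
    return ET.tostring(root, encoding="unicode"), changes


if __name__ == "__main__":
    rewritten, changes = retarget_management(SAMPLE_SNAPSHOT, "fw-edge-01-rma", "10.10.0.11")
    for tag, (old, new) in changes.items():
        print(f"{tag}: {old} -> {new}")
    print(management_settings(rewritten))
```

Import the rewritten file with Device > Setup > Import Named Configuration Snapshot, load it, and change the hostname and address back once the old unit is off the network. Because the snapshot carries administrator password hashes and encrypted secrets, keep the working copy on an encrypted volume and delete it afterwards.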
Case 2: Old device is still connected to the network and the firewall is managed by Panorama:
Assuming that only the management port of the new device is connected, go to the old device and export the
device state: Device > Setup > Export Device State.
On the new device, go to Device > Setup > Import Device State to import the backed-up
device state. The firewall then has exactly the same settings as the old device, including its IP
address and hostname, so there is no configuration to load. Because both units now claim the same
management address, keep the new unit off the shared management network until the old one is removed.
At this point, you can remove the old firewall.
On the Panorama CLI, replace the old serial number with the new one: replace
device old <old SN#> new <new SN#>. Then commit on Panorama (commit local) and push a commit to the
firewall to bring it in sync.
Case 3: Old device is no longer available to take a backup from and the firewall was not managed by
Panorama
When you no longer have access to the device, look for the configuration anywhere it may have
been saved. This includes tech support files attached to old support cases or stored
somewhere in your environment.
ALWAYS REMEMBER TO BACKUP YOUR CONFIG.
Look for an old tech support file from the firewall. The configuration is in it at
/opt/pancfg/mgmt/saved-config/running-config.xml
If no previous tech support file is available, you may be able to use maintenance mode on the
old firewall to back up its configuration: How to Retrieve the Palo Alto Networks Firewall
Configuration in Maintenance Mode
Once a tech support file is found, take its running-config.xml and import it into the
new firewall via Device > Setup > Import Named Configuration Snapshot. Load it (Device > Setup >
Load Named Configuration Snapshot), commit, and make sure the device is up and running.
Case 4: Old device is no longer available to take a backup from and the firewall is managed by
Panorama.
From Panorama, take a backup of the configuration bundle: Panorama > Setup >
Operations > Export Panorama and devices config bundle. The bundle contains an .xml file
whose name includes the serial number of the old firewall. This file can be
loaded on the new device. Keep in mind that it is only a copy of the firewall's local
configuration; it does not contain the configuration pushed from Panorama.
Assign an IP address to the management port of the new firewall and commit, so that it connects
to Panorama after the configuration is imported in the steps below.
On Panorama, replace the old serial number with the new one: replace device old <old SN#>
new <new SN#>, then commit locally. Do NOT push the configuration to the new firewall yet.
From the Panorama and devices config bundle, take the file matching the old device's serial number
and import and load it on the new firewall. Do NOT commit yet.
From Panorama, push a device group and template commit to the new firewall. This commit
merges the loaded candidate configuration with the configuration pushed from Panorama.
If there are no commit errors, the device should be up and running.
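Picking the right file out of the bundle is where a mistake is easy: a serial number that is a substring of another, or a partial serial pasted from a case, can select another firewall's configuration. The following is an added example, not code from the article or from Panorama; it builds a small constructed bundle in memory using an assumed layout (one <serial>.xml per managed firewall next to the Panorama configuration) and selects only the member whose name carries the old serial number as a whole token, refusing to guess when zero or several members match.

```python
import io
import re
import tarfile
import xml.etree.ElementTree as ET

OLD_SERIAL = "001801012345"  # constructed serial number for the failed unit


def build_sample_bundle():
    """Constructed stand-in for the tgz produced by Panorama > Setup >
    Operations > Export Panorama and devices config bundle. The member
    layout (one <serial>.xml per managed firewall beside the Panorama
    configuration) is an assumption made for this example."""
    members = {
        "panorama.xml": "<config><panorama/></config>",
        f"{OLD_SERIAL}.xml": (
            "<config><devices><entry name='localhost.localdomain'>"
            "<deviceconfig><system><hostname>fw-edge-01</hostname>"
            "<ip-address>10.10.0.10</ip-address></system></deviceconfig>"
            "</entry></devices></config>"),
        "001801099999.xml": "<config><devices/></config>",  # another managed firewall
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, text in members.items():
            data = text.encode()
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def find_device_config(bundle_bytes, serial):
    """Return (member name, XML text) of the local configuration whose file
    name carries `serial` as a whole token. Raises if zero or several members
    match, so a partial or mistyped serial never silently picks another
    firewall's configuration."""
    if not re.fullmatch(r"[A-Za-z0-9]+", serial):
        raise ValueError(f"serial {serial!r} must be alphanumeric")
    token = re.compile(rf"(?<![A-Za-z0-9]){re.escape(serial)}(?![A-Za-z0-9])")
    with tarfile.open(fileobj=io.BytesIO(bundle_bytes), mode="r:gz") as tar:
        matches = [m for m in tar.getmembers()
                   if m.isfile() and m.name.endswith(".xml")
                   and token.search(m.name.rsplit("/", 1)[-1])]
        if len(matches) != 1:
            raise LookupError(f"{len(matches)} bundle members match serial {serial}: "
                              f"{[m.name for m in matches]}")
        text = tar.extractfile(matches[0]).read().decode()
    if ET.fromstring(text).tag != "config":
        raise ValueError(f"{matches[0].name} is not a PAN-OS configuration document")
    return matches[0].name, text


def device_hostname(xml_text):
    """Hostname recorded in a local configuration, to confirm the right
    firewall was picked before importing it on the replacement."""
    return ET.fromstring(xml_text).findtext(
        "./devices/entry[@name='localhost.localdomain']/deviceconfig/system/hostname")


if __name__ == "__main__":
    name, text = find_device_config(build_sample_bundle(), OLD_SERIAL)
    print(f"{name}: hostname {device_hostname(text)}")
```

Check the hostname it reports against the failed unit's asset record before importing the file; the bundle holds every managed firewall's local configuration, so the extracted copy should be handled and deleted with the same care as a tech support file.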
Case 5: Old device is no longer available to take a backup from and the firewall is managed by
Panorama, but the firewall communicates with Panorama through a data plane port, so it needs its
complete configuration before it can reach Panorama at all.
The full configuration consists of the centralized configuration that Panorama manages and
the local configuration of the firewall.
The device state of such a firewall can be generated and exported from the managing
Panorama, which builds it from the last committed local configuration plus the
Panorama configuration.
Refer to this article: How to Export Device State of Managed Firewalls from Panorama
By replacing the serial number and importing the device state, Panorama can resume
managing the firewall.
From the Panorama CLI use the command: tftp export device-state device <serial number>
to <server-ip> or scp export device-state device <serial number> to pantac@<scp-
server-ip>:/home/
Next, import the device state into the new device and bring it up to restore
communication with Panorama.
On Panorama, replace the old serial number with the new one: replace device old <old SN#> new <new
SN#> and commit locally.
Panorama should now show the new device as "connected" under Panorama >
Managed Devices > Summary.
From Panorama, push a device group and template commit to the new firewall. This commit
merges the candidate configuration with the configuration pushed from Panorama.
If there are no commit errors, the device should be up and running.
If you use NAT addresses for source or destination NAT that are in the same subnet as the NAT
interface (other than the interface's own IP), send a manual gratuitous ARP from the firewall for
each of them to update the peers' ARP tables: the replacement has a different MAC address, and until
the upstream router's ARP cache expires, traffic to those addresses still goes to the old unit's MAC.
For example, if your interface IP is 198.51.100.1/24 and you use 198.51.100.2 for NAT, send a GARP
for 198.51.100.2.
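Rather than listing those addresses from memory, the NAT rulebase can be checked against the interface subnets. The following is an added example, not code from the article: it parses a constructed PAN-OS configuration with Python's standard library, assumes the element paths shown for layer3 ethernet addresses and vsys1 NAT rules, and emits the PAN-OS operational command test arp gratuitous ip <ip> interface <interface> for each candidate (confirm the syntax against your release's CLI reference). Translated addresses given as address objects, ranges or FQDNs are reported as unresolved rather than guessed.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample configuration. The element paths used below follow the
# PAN-OS layout for layer3 ethernet addresses and vsys1 NAT rules as assumed
# for this example.
SAMPLE_CONFIG = """<config>
  <devices><entry name="localhost.localdomain">
    <network><interface><ethernet>
      <entry name="ethernet1/1"><layer3><ip><entry name="198.51.100.1/24"/></ip></layer3></entry>
      <entry name="ethernet1/2"><layer3><ip><entry name="10.20.0.1/24"/></ip></layer3></entry>
    </ethernet></interface></network>
    <vsys><entry name="vsys1"><rulebase><nat><rules>
      <entry name="outbound-pat">
        <source-translation><dynamic-ip-and-port>
          <translated-address><member>198.51.100.1</member></translated-address>
        </dynamic-ip-and-port></source-translation>
      </entry>
      <entry name="outbound-static">
        <source-translation><static-ip>
          <translated-address>198.51.100.3</translated-address>
        </static-ip></source-translation>
      </entry>
      <entry name="web-inbound">
        <destination><member>198.51.100.2</member></destination>
        <destination-translation><translated-address>10.20.0.25</translated-address></destination-translation>
      </entry>
      <entry name="mail-inbound">
        <destination><member>mail-public-vip</member></destination>
        <destination-translation><translated-address>10.20.0.26</translated-address></destination-translation>
      </entry>
    </rules></nat></rulebase></entry></vsys>
  </entry></devices>
</config>
"""

DEV = "./devices/entry[@name='localhost.localdomain']"


def interface_networks(root):
    """[(interface name, IPv4Interface)] for every layer3 ethernet address."""
    out = []
    for eth in root.findall(DEV + "/network/interface/ethernet/entry"):
        for ip in eth.findall("./layer3/ip/entry"):
            out.append((eth.get("name"), ipaddress.ip_interface(ip.get("name"))))
    return out


def nat_public_addresses(root):
    """Addresses the firewall must answer ARP for because of NAT: translated
    source addresses, plus the original destination of destination-NAT rules
    (the inside address those rules translate to belongs to the real host and
    is deliberately skipped). Returns (literal addresses, unresolved names)."""
    literals, unresolved = set(), set()
    for rule in root.findall(DEV + "/vsys/entry[@name='vsys1']/rulebase/nat/rules/entry"):
        nodes = []
        source_nat = rule.find("source-translation")
        if source_nat is not None:
            # static-ip holds the address as text; dynamic forms hold member lists
            nodes += list(source_nat.iter("translated-address")) + list(source_nat.iter("member"))
        if rule.find("destination-translation") is not None:
            nodes += rule.findall("./destination/member")
        for node in nodes:
            value = (node.text or "").strip()
            if not value:
                continue  # container element, e.g. translated-address holding members
            try:
                literals.add(ipaddress.ip_address(value))
            except ValueError:
                unresolved.add(value)  # address object, range or FQDN: resolve by hand
    return literals, unresolved


def garp_plan(xml_text):
    """Return ([(ip, interface)], unresolved): NAT addresses that lie on an
    interface's subnet but are not the interface's own address."""
    root = ET.fromstring(xml_text)
    nets = interface_networks(root)
    literals, unresolved = nat_public_addresses(root)
    plan = [(str(addr), ifname)
            for addr in sorted(literals, key=lambda a: (a.version, int(a)))
            for ifname, iface in nets
            if addr != iface.ip and addr in iface.network]
    return plan, sorted(unresolved)


def garp_commands(xml_text):
    """PAN-OS operational commands to run on the replacement after cutover."""
    plan, _ = garp_plan(xml_text)
    return [f"test arp gratuitous ip {ip} interface {ifname}" for ip, ifname in plan]


if __name__ == "__main__":
    for cmd in garp_commands(SAMPLE_CONFIG):
        print(cmd)
    _, unresolved = garp_plan(SAMPLE_CONFIG)
    if unresolved:
        print("resolve and check by hand:", ", ".join(unresolved))
```

Run the emitted commands from the replacement's CLI once its data interfaces are up, and check the unresolved names against the address objects in the same configuration; an address object that expands to a range or subnet may need a GARP for every address in it.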
Return the defective device. Before shipping it, restore the factory defaults so that your
configuration, credentials, certificates and logs do not leave your control; refer to How to
Factory Reset a Palo Alto Networks Device. On PAN-OS 6.0 and later, maintenance mode can be reached
over SSH, so the reset does not require a console connection; see How to SSH into Maintenance Mode.
Customers whose support subscription includes advance replacement of a failed firewall must return the
defective unit to Palo Alto Networks after receiving the replacement.
United States Customers - A return shipping label is in the carton with the replacement. Affix
the label to the carton to return the defective unit.
International Customers - Refer to the return instructions and documents in the replacement shipping
carton.
Additional Information
NOTE:
Allow a 5-15 minute wait for the auto-commit after boot to complete fully before judging the result. For further
details, see How to Determine When Auto-Commit is Complete.