(Optional) Set the operational mode to match that on the old firewall. A serial port connection is required for this task.
Enter the following CLI command to access maintenance mode on the firewall:
debug system maintenance-mode
To boot into the maintenance partition, enter maint during the boot sequence.
Select the operational mode as "Set FIPS Mode or Set CCEAL 4 Mode" from the main menu.
(Optional) Set the system settings to match the output from the commands in steps (2) and (3) in the previous section.
Configure Management Access to the replacement device
Access the console and login using the default credentials:
Password: admin (This may vary depending on the PAN-OS version. Refer to the documentation for the default password.)
Configure the management IP address, netmask, and gateway, as well as the DNS and update servers, using the following CLI commands:
# set deviceconfig system ip-address <value> netmask <value> default-gateway <value>
# set deviceconfig system dns-setting servers primary 18.104.22.168
# set deviceconfig system update-server updates.paloaltonetworks.com
Ping a domain to test, for example:
> ping host paloaltonetworks.com
Obtain licenses from the license server.
Go to GUI: Device > Licenses.
Click Retrieve license keys from the license server.
Make sure to have a URL filtering license, that URL filtering is activated, and that the database has been successfully downloaded. Note: If a "Download Now" link is displayed, the database has not been downloaded.
Install the same GlobalProtect Client and PAN-OS versions on the replacement device as the existing HA Peer
Install the GlobalProtect Client.
Go to Device > GlobalProtect Client
Download and activate the appropriate version of the client.
Go to Device > Software.
Download and install the appropriate image.
Make sure dynamic updates have the same version as the HA peer. If not, then download and install the appropriate version:
GUI: Device > Dynamic Update > Download > Install.
If the device is being managed from Panorama, replace the old serial number with the new one:
> replace device old <Old Serial #> new <New Serial #>
Restore the configuration:
For multi-vsys enabled systems, first enable multi-vsys capability:
> set system setting multi-vsys on
(Optional) Enable jumbo frames and session distribution policy to match the old device.
> set system setting jumbo-frame on (reboot required to take effect)
> set session distribution policy [ fixed | hash | ingress-slot | random | round-robin | session-load ]
Go to GUI: Device > Setup > Operations.
Click "Import device state" and import the previously backed up configuration from the faulty device.
Commit once the import of the device state is complete.
Ensure the new device stays in a passive state to prevent the configuration from being pushed to the active device.
Suspend the new unit. From the CLI, run the command:
> request high-availability state suspend
Or, from the GUI, go to Device > High Availability > Operations > Suspend local device.
Alternatively, perform the config change:
Go to Device > High Availability > General > Setup and uncheck the Enable Config Sync option. Disable "Preemptive" under Election Settings. Configure the device with the highest Device Priority value (255). Perform a commit. Note: The device will not become active with this configuration. Refer to High Availability Synchronization.
Connect HA1 Interfaces.
Make sure the replacement device has the same configuration as the active device.
Go to the Dashboard tab and check the High Availability widget. Note: If the High Availability widget is not displayed, then click Widgets > System > High Availability.
If the configurations are not the same, go to Device > High Availability and click "Push configuration to peer" from the active device.
Verify there are no active commit jobs running and that the devices are in sync. Use the commands below:
show jobs all
show high-availability all | match "Running Configuration"
Verify there is no difference in idmgr between the devices.
debug device-server dump idmgr high-availability state
Log into the Active unit. Go to Device > Config Audit and run a config audit between "Running Config" and "Peers Running Config." Make sure both are the same. In the case of any differences, configure the passive unit manually.
"Config Difference" can occur if a configuration backup was not taken for the faulty device, so the new device won't have the same configuration as the active unit. In this case, manual configuration is required.
Enable config sync (Device > High Availability > General > Setup) and preemptive (Device > High Availability > General > Election Settings) on the replacement device.
Commit the changes.
Connect the HA2 interface and wait for the session synchronization to be completed.
If the firewall was suspended in step 6, unsuspend the device now.
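The two verification commands above (show jobs all, show high-availability all) are the gate for this last step: unsuspending a replacement whose config is not yet in sync risks it pushing a stale or empty configuration over the live peer. The following is an added example, not part of this article or of PAN-OS, that applies that gate to XML API output; the sample XML and its element names are constructed assumptions shaped like typical PAN-OS responses, not copied from the article.

```python
import xml.etree.ElementTree as ET

# Constructed sample XML, assumed to resemble what the PAN-OS XML API
# returns for "show jobs all" and "show high-availability all".
SAMPLE_JOBS_XML = """<response status="success"><result>
  <job><id>12</id><type>Commit</type><status>FIN</status><result>OK</result></job>
  <job><id>13</id><type>HA-Sync</type><status>FIN</status><result>OK</result></job>
</result></response>"""

SAMPLE_HA_XML = """<response status="success"><result>
  <enabled>yes</enabled>
  <group>
    <local-info><state>passive</state><preemptive>no</preemptive></local-info>
    <peer-info><state>active</state></peer-info>
    <running-sync-enabled>yes</running-sync-enabled>
    <running-sync>synchronized</running-sync>
  </group>
</result></response>"""


def pending_jobs(jobs_xml: str) -> list:
    """Return ids of jobs whose status is anything other than FIN (finished)."""
    root = ET.fromstring(jobs_xml)
    return [j.findtext("id") for j in root.iter("job")
            if j.findtext("status") != "FIN"]


def ha_status(ha_xml: str) -> dict:
    """Pull the local/peer states and running-config sync result from HA output."""
    grp = ET.fromstring(ha_xml).find("./result/group")
    return {
        "local_state": grp.findtext("local-info/state"),
        "peer_state": grp.findtext("peer-info/state"),
        "running_sync": grp.findtext("running-sync"),
    }


def safe_to_unsuspend(jobs_xml: str, ha_xml: str) -> tuple:
    """Gate the final step: no job may still be running, the running
    configs must be synchronized, and the peer must be the active unit.
    Returns (ok, list_of_problems) so the caller can log why it refused."""
    problems = []
    pending = pending_jobs(jobs_xml)
    if pending:
        problems.append(f"jobs still running: {pending}")
    st = ha_status(ha_xml)
    if st["running_sync"] != "synchronized":
        problems.append(f"running-config sync is {st['running_sync']!r}")
    if st["peer_state"] != "active":
        problems.append(f"peer state is {st['peer_state']!r}, expected active")
    return (not problems, problems)
```

The local state is deliberately not required to be "passive", since the unit may legitimately report "suspended" at this point; the check only refuses when a job is unfinished, the configs differ, or the peer is not active.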