How to Configure an RMA Replacement Firewall
- Register the new firewall and transfer licenses:
Upon receipt, register the new device and transfer licenses from the old unit. After Palo Alto Networks receives the failed device, the old licensing is stripped, so it is important to transfer the licenses immediately.
To transfer the license, follow these instructions: How to Transfer Licenses to a Spare Device
Note: When a license is transferred to the spare device, the original device still has a 30-day evaluation license.
- Configure the Management Interface.
- Default Management Interface IP is 192.168.1.1 and default login/password is admin/admin.
- Configure the Management Interface to have internet access and a DNS server configured under Device > Setup. This interface should be able to communicate with updates.paloaltonetworks.com.
- Alternatively, configure a service route to enable a Layer 3 interface with internet access for management. The appropriate interfaces, routing, and policies must be configured on the device. Go to Device > Setup > Service Route Configuration and choose the appropriate interface IP address for paloalto-updates and dns. An example is provided below:
Note: Refer to How to Configure the Management Interface IP to set up the IP address for the management interface.
- Retrieve the licenses previously transferred to the device. Go to Device > Licenses > Retrieve license keys from license server. The licenses for each feature are displayed on the same page. Be sure that you have a URL filtering license, that URL filtering is activated, and that the database has been downloaded successfully. If a "Download Now" link is displayed, the database has not been downloaded. A successfully activated and downloaded PAN-DB URL filtering database looks like this:
- The device is now ready to be upgraded, if needed. Download and install the available Apps or Apps+Threats package from Device > Dynamic Updates > Applications and Threats > Check Now. The device lists available packages to download and install.
- To update the PAN-OS, go to Device > Software > Refresh.
Additional information about PAN-OS upgrades: How to Upgrade PAN-OS and Panorama
Enable multi-vsys or jumbo frames as on the old firewall, if applicable:
> set system setting multi-vsys on
> set system setting jumbo-frame on
- To load a previously backed-up configuration on the replacement device, follow the use case below that applies:
- Case 1: The old device is still connected to the network and the firewall was not managed from Panorama:
- This assumes that only the management network of the new firewall has been connected.
- On the old device, save the configuration (Device > Setup > Save Named Configuration Snapshot) and then export it (Device > Setup > Export Named Configuration Snapshot).
- On the new device, go to Device > Setup > Import Named Configuration Snapshot to import the backed-up configuration onto the device.
- Once the configuration is imported, load it: Device > Setup > Load Named Configuration Snapshot.
- Change the management IP and hostname so that they do not conflict with the existing device if both are connected to the same management network. These can be changed back later if required.
- Resolve any commit errors and commit the configuration.
- Remove the old device and move the network cables to the new device.
- Case 2: The old device is still connected to the network and the firewall is managed from Panorama:
- Assuming only the management interface of the new device is connected, go to the old device and export the device state: Device > Setup > Export Device State.
- Go to the new device: Device > Setup > Import Device State to import the backed-up device state onto the device. Once you do this, the firewall has exactly the same settings as the old device (including the same IP and hostname). There is no need to load any configuration.
- At this point you can remove the old firewall.
- On the Panorama CLI, replace the old serial number with the new serial number:
> replace device old <old SN#> new <new SN#>
Then commit locally and also push a commit to the firewall to bring it in sync.
- Case 3: The old device is no longer available to take a backup and the firewall was not managed from Panorama
- When you no longer have access to the device, you will need to look for the configuration anywhere it may have been saved. This includes tech support files attached to old support cases or backed up somewhere in your environment. ALWAYS REMEMBER TO BACK UP YOUR CONFIG.
- Look for an old tech support file from the old firewall. The configuration is at /opt/pancfg/mgmt/saved-config/running-config.xml inside it.
- If no previous tech support files are available, it may be possible to use maintenance mode on the firewall to back up the old config: How to Retrieve the Palo Alto Networks Firewall Configuration in Maintenance Mode
- Once a tech support file is found, take the running-config.xml file and import it into the new firewall: Device > Setup > Import Named Configuration Snapshot. Commit and make sure the device is up and running.
- Case 4: The old device is no longer available to take a backup and the firewall is managed from Panorama.
- From Panorama, take a backup of the configuration bundle: Panorama > Setup > Operations > Export Panorama and devices config bundle. This bundle contains an .xml file whose name includes the serial number of the old firewall. This configuration can be loaded on the new device. However, keep in mind that it is only a copy of the firewall's local config and does not contain the configuration pushed from Panorama.
- Assign an IP to the new firewall's management port and commit so that it connects to Panorama.
- On Panorama, replace the old S/N with the new S/N and commit locally. Do NOT push the config to the new firewall yet.
> replace device old <old SN#> new <new SN#>
- From the Panorama and devices config bundle, take the config corresponding to the old device S/N and import and load it on the new firewall. Do NOT commit yet.
- From Panorama, now push a DG (device group) and Template commit to the new firewall. This commit should merge the candidate configuration with the configuration pushed from Panorama.
- If there are no commit errors, the device should be up and running.
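As an added example, not from the article or from Palo Alto Networks, the Python below does the two file-hunting steps above: it pulls running-config.xml out of a tech support archive by the path given in Case 3, and locates the per-device .xml in a Panorama config bundle by serial number for Case 4. The archive layouts are built inline as constructed samples; the leading directory prefix inside the tech support archive and the `<serial>_running-config.xml` file name pattern are assumptions.

```python
import io
import re
import tarfile
from typing import Optional

# Path of the saved running configuration inside a tech support file (from the article).
RUNNING_CONFIG_PATH = "opt/pancfg/mgmt/saved-config/running-config.xml"


def build_sample_archive(members: dict) -> bytes:
    """Construct a small .tgz in memory standing in for a tech support file or a
    Panorama config bundle: keys are member paths, values are file contents."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def extract_running_config(archive: bytes) -> Optional[bytes]:
    """Case 3: return running-config.xml from a tech support file. Matching on the path
    suffix tolerates the directory prefix the archive adds (assumed to vary)."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile() and member.name.endswith(RUNNING_CONFIG_PATH):
                return tar.extractfile(member).read()
    return None

def find_device_config(archive: bytes, serial: str) -> Optional[str]:
    """Case 4: name of the .xml in a Panorama devices config bundle whose file name
    carries the old firewall's serial; anchored so a serial that is a prefix of
    another device's serial is not mistaken for it."""
    pattern = re.compile(r"(?<![0-9A-Za-z])" + re.escape(serial) + r"(?![0-9A-Za-z])")
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        for member in tar.getmembers():
            base = member.name.rsplit("/", 1)[-1]
            if member.isfile() and base.endswith(".xml") and pattern.search(base):
                return member.name
    return None

# Constructed samples; the serial numbers are placeholders, not real devices.
SAMPLE_TECHSUPPORT = build_sample_archive(
    {"techsupport/" + RUNNING_CONFIG_PATH: b"<config><hostname>fw-old</hostname></config>"})
SAMPLE_BUNDLE = build_sample_archive({
    "devices/0011223344556_running-config.xml": b"<config/>",
    "devices/001122334455_running-config.xml": b"<config><hostname>fw-old</hostname></config>",
})
```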
If you use any NAT IPs for source or destination NAT that are in the same subnet as the NAT interface (other than the interface's own IP), you will need to send a manual gratuitous ARP from the firewall to update the peers' ARP tables. For example, if your interface IP is 198.51.100.1/24 and you use 198.51.100.2 for NAT, you need to send a GARP for 198.51.100.2:
> test arp gratuitous ip <ip> interface <interface>
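To check a NAT address list against the rule above, here is an added example (not from the article) that picks out the addresses in the interface's subnet, excluding the interface's own IP, and prints the corresponding CLI lines. The NAT addresses and the interface name ethernet1/1 are constructed sample values.

```python
import ipaddress
from typing import Iterable, List


def nat_ips_needing_garp(interface: str, nat_ips: Iterable[str]) -> List[str]:
    """Return the NAT addresses that share the NAT interface's subnet but are not
    the interface's own address: the ones the procedure says need a manual GARP."""
    iface = ipaddress.ip_interface(interface)  # e.g. "198.51.100.1/24"
    needs_garp = set()
    for ip in nat_ips:
        addr = ipaddress.ip_address(ip)
        if addr != iface.ip and addr in iface.network:
            needs_garp.add(addr)
    return [str(a) for a in sorted(needs_garp)]


def garp_commands(interface_name: str, interface: str, nat_ips: Iterable[str]) -> List[str]:
    """One 'test arp gratuitous' CLI line per address that needs announcing."""
    return [f"test arp gratuitous ip {ip} interface {interface_name}"
            for ip in nat_ips_needing_garp(interface, nat_ips)]


# Constructed sample: the article's interface address plus NAT addresses inside
# and outside its subnet (including a duplicate). ethernet1/1 is an assumed name.
SAMPLE_NAT_IPS = ["198.51.100.2", "198.51.100.1", "203.0.113.5", "198.51.100.10",
                  "198.51.100.2"]

if __name__ == "__main__":
    for line in garp_commands("ethernet1/1", "198.51.100.1/24", SAMPLE_NAT_IPS):
        print(line)
```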
Return the defective device. To restore the factory defaults before returning it, refer to: How to Factory Reset a Palo Alto Networks Device, or if running PAN-OS 6.0 and later, review How to SSH into Maintenance Mode, because SSH to maintenance mode is possible on those releases. Customers whose support subscription includes advance replacement of a failed firewall must return the defective unit to Palo Alto Networks after receiving the replacement.
- United States Customers - A return shipping label will be in the carton with the replacement. Affix the label to the carton to return the defective unit.
- International Customers - Refer to the return instructions and documents in the replacement shipping carton.