How to Configure an RMA Replacement Firewall

Overview

• If you are replacing a device in HA, you can use the following How to Configure a High Availability Replacement Device
• If the device being replaced is part of an SD-WAN deployment Refer Replace Device with SDWAN deployment

Steps

• Register the new firewall and transfer licenses:
  Upon receipt, register the new device and transfer licenses from the old unit. After Palo Alto Networks receives the failed device, the old licensing is stripped, so it is important to transfer the licenses immediately.
  To transfer the license, follow these instructions: How to Transfer Licenses to a Spare Device
  Note: When a license is transferred to the spare device, the original device still has a 30-day evaluation license.
• Configure the Management Interface.
  • Default Management Interface IP is 192.168.1.1 and default login/password is admin/admin.
  • Configure either NTP (Device > Setup > Services) or date and time (Device > Setup > Management > General Settings)
  • Configure the Management Interface to have internet access and a DNS server configured under Device > Setup > Services. This interface should be able to communicate with updates.paloaltonetworks.com.
  • Alternatively, configure a service route to enable a Layer 3 interface with internet access for management. The appropriate interfaces, routing, and policies must be configured on the device. Go to Device > Setup > Service Route Configuration and choose the appropriate interface IP address for paloalto-updates and dns.  An example is provided below:

    

    Note:  Refer to How to Configure the Management Interface IP to set up the IP address for the management interface.

• • Retrieve licenses previously transferred to the device. Go to Device > Licenses > Retrieve license keys from license server. The licenses for each feature display on the same page. Be sure to have a URL filtering license, that URL filtering is activated, and that the database has been successfully downloaded. If a link "Download Now" is displayed, the database is not downloaded. A successfully activated and downloaded PAN-DB URL filtering database looks like this:

• The device is now ready to be upgraded, if needed. Download and install the available Apps or Apps+Threats package from Device > Dynamic Updates > Applications and Threats > Check Now. The device lists available packages to download and install.
• To update the PAN-OS, go to Device > Software > Refresh.

  Additional information about PAN-OS upgrades: How to Upgrade PAN-OS and Panorama

• Enable multi-vsys or jumbo-frames same as old firewall if applicable:

       > set system setting multi-vsys on 
      > set system setting jumbo-frame on
• To load a previously backed up configuration on the replacement device, follow the below use cases:
  • NOTE: Prior to restoring the config, if the Master Key has been changed, add the changed Master Key to the firewall. Otherwise you will not be able to commit the config to the firewall.

• Case 1: Old device is still connected to the network and firewall was not managed from panorama:
  • Assuming that only the management network on the new firewall has been connected.
  • On the old device, save Device > Setup > Save Named Configuration Snapshot and then export Device > Setup > Export Named Configuration Snapshot.
  • On the new device go to Device > Setup > Import Named Configuration Snapshot to import the backed up configuration onto the device. 
  • Once the configuration is imported, load the imported configuration, go to Device > Setup > Load Named Configuration Snapshot.
  • Change the management IP and hostname so that it does not create a conflict with the existing device if connected to the same management network. Later on, this can be changed back if required.
  • Resolve any commit errors and commit the configuration.
  • Remove the old device, move the network cables to the new device.

• Case 2: Old device is still connected to the network and firewall is managed from panorama:
  • Assuming only management of the new device is connected, go to old device and export device state: Device > Setup > Export Device State.
  • Go to the new device: Device > Setup > Import Device State to import the backed-up device state onto the device. Once you do this, the firewall will get exact same settings as old device (Same IP and hostname as well). No need to load any configuration.
  • At this point, you can remove the old firewall.
  • On Panorama CLI, replace the old serial number with a new serial number: replace device old <old SN#> new <new SN#> and commit local and push commit to firewall also to bring in sync.

• Case 3: Old device is no more available to take a backup and the firewall was not managed from Panorama
  • When you no longer have access to the machine, you will need to look for the config in any place you can think of. This includes looking for tech support files that are backed up somewhere in old support cases or in your environment, where may be saved. ALWAYS REMEMBER TO BACKUP YOUR CONFIG.
  • Look for old tech support from an old firewall. You can get the configuration from /opt/pancfg/mgmt/saved-config/running-config.xml
  • If no previous tech supports are available, then we maybe able to use maintenance mode on the firewall to backup the old config: How to Retrieve the Palo Alto Networks Firewall Configuration in Maintenance Mode
  • Once the Tech Support file is found, take the running-config.xml file and import it into the new firewall. Device > Setup > Import Named Configuration Snapshot. Commit and make sure the device is up and running.

• Case 4: Old device is no longer available to take a backup and the firewall is managed from Panorama. 
  • Follow the steps to Replace an RMA Firewall from the Panorama Administrator's Guide:
    • Go to the Panorama CLI and export the device state bundle from the old firewall to a computer using Secure Copy (SCP) or TFTP. The export command generates the device state bundle as a tar zipped file and exports it to the specified location. This device state will not include the LSVPN dynamic configuration (satellite information and certificate details):
      > scp export device-state device <old serial#> to <login>@<serverIP>:<path>
      or
      > tftp export device-state device <old serial#> to <serverIP>
    • Replace the serial number of the old firewall with that of the new replacement firewall on Panorama. By replacing the serial number on Panorama you allow the new firewall to connect to Panorama after you restore the configuration on the firewall:
      > replace device old <old SN#> new <new SN#>
      > configure
      # commit
    • Login to the firewall web interface. Select Device > Setup > Operations and click Import Device State.
    • (PAN-OS 10.1+ Only): Select Device > Setup > Management and edit the Panorama Settings. Enter the Auth Key created on Panorama (Panorama > Device Registration Auth Key). Commit your changes to the firewall. If the firewall does not reconnect to Panorama, you may need to Recover Managed Device Connectivity to Panorama

• Case 5: Old device is no more available to take a backup from and the firewall is managed using Panorama, but the firewall communicates with panorama using a data plane port requiring the firewall to have the complete configuration to be able and communicate with it.
  • The full configuration includes the Centralized configuration that Panorama manages and the Local configuration of the firewall.
  • The device states of these firewalls can be generated and exported from the managing Panorama.
  • Panorama can generate the device state based on the last committed local config plus the Panorama config.
  • Refer to this article How to Export Device State of Managed Firewalls from Panorama
  • By replacing the serial number and importing the firewall state, we can resume using Panorama to manage the firewall.
  • From Panorama CLI use the command: tftp export device-state device <serial number> to <server-ip> or scp export device-state device <serial number> to pantac@<scp-server-ip>:/home/
  • Next, using the device state import it into the New device and get it up to restore the communication with Panorama.
  • On Panorama replace the old S/N with new S/N: replace device old <old SN#> new >new SN#> and commit local.
  • The Panorama should now show as "connected" for the new device. Panorama > Managed Devices > Summary
  • From Panorama now push a DG and Template commit to the new firewall. This commit should merge the candidate and pushed the config from Panorama. 
  • If no commit errors, the device should be up and running.

• If you are using any NAT IPs for source and destination NAT which are in the same subnet as NAT interface (except the IP of the interface itself), you will need to do a manual Gratuitous ARP from the firewall to update the peer's ARP table. For example, your interface IP is 198.51.100.1/24, and you are using 198.51.100.2 for NAT, you need to send GARP for 198.51.100.2.

      > test arp gratuitous ip <ip> interface <interface>
   
• Return the defective device. To restore the factory default before returning, refer to How to Factory Reset a Palo Alto Networks Device or if running PAN-OS 6.0 and later, review How to SSH into Maintenance Mode because the SSH to maintenance mode is possible. Customers whose support subscription includes advance replacement of a failed firewall must return the defective unit to Palo Alto Networks after receiving the replacement.
  United States Customers - A return shipping label will be in the carton with the replacement. Affix the label to the carton to return the defective unit. 
  International Customers - Refer to return instructions and documents in the replacement shipping carton.