On-Site-Spare (OSS) Maintenance and Use

56459

Created On 09/26/18 13:51 PM - Last Modified 06/15/23 22:46 PM

Content Release

Deployment

Hardware

Customer Support Portal (CSP)

Symptom

Overview

This document describes how to maintain and use an On-Site-Spare (OSS) device.

Environment

Details

Backing up the production configuration

Regularly export/backup the existing configuration from the production unit. This can be done either the web UI or from a terminal software using scp or tftp.

Resolution

From the web UI:

Device > Setup > Operations > Export named configuration snapshot > running-config.xml

From terminal software and SCP or TFTP server:

The following documents describe how to perform the backup using SCP:
- How to Save an Entire Configuration for Import into Another Palo Alto Networks Device
- How to Import/Export Running Configuration Using Secure File Copy (SCP)
For TFTP, run the following command:
> tftp export configuration from running-config.xml to <IP-ADDRESS>

Note: The terminal software method can be scripted and run by a scheduled task.

Maintaining the OSS device

The following steps will keep the OSS on the same PAN-OS release as the production device. Perform these steps each time the production device is upgraded.

Download the current Apps Only database from here: https://support.paloaltonetworks.com/ and open Dynamic Updates from the Tools Menu.
Upload the Apps Only database to the device an install
Download the appropriate PAN-OS from here: https://support.paloaltonetworks.com/ and open Software Updates from the Tools Menu
Upload the downloaded PAN-OS to the device and install

Bringing the OSS device into production

The following steps will configure the OSS device to be identical to the original production device. The device should be managed from the IP address of the original production device.

Have the device mounted and configured with
- An IP on the management port,
- Trust and untrust interfaces
- Rule that allows all traffic from trust to untrust
- Necessary NAT rule
Plug the cables from the previous production device into the OSS
Transfer the licenses to the OSS (How to Transfer Licenses to a Spare Device)
Download the licenses to the device:
- Device > Licenses > Retrieve license keys from license server
Download and install the latest Applications and Threat database (Threat license is required, otherwise use Apps Only database):
- Device > Dynamic Updates (may have to click "Check Now")
Download and install the latest Antivirus (Threat license is required):
- Device > Dynamic Updates (may have to click "Check Now")
Download and install the latest URL filtering database (License is required).
- Brightcloud: Device > Dynamic Updates.
- PAN-DB: Device > Licenses > Re-Download under PAN-DB URL Filtering license.
Import config from previous production device:
- Device > Setup > Operations > Import named configuration snapshot.
  Important: The named configuration snapshot should not be named "running-config.xml", as this will cause a conflict on the device and may require a reset to factory default settings.
Load the imported configuration snapshot:
- Device > Setup > Operations > Load named configuration snapshot
Commit

owner: esilha