On-Site-Spare (OSS) Maintenance and Use

On-Site-Spare (OSS) Maintenance and Use

43535
Created On 09/26/18 13:51 PM - Last Modified 12/15/21 00:50 AM


Symptom

Overview

This document describes how to maintain and use an On-Site-Spare (OSS) device.



Environment

Details

Backing up the production configuration

Regularly export/backup the existing configuration from the production unit. This can be done either the web UI or from a terminal software using scp or tftp.



Resolution

From the web UI:

  • Device > Setup > Operations > Export named configuration snapshot > running-config.xml

From terminal software and SCP or TFTP server:

Note: The terminal software method can be scripted and run by a scheduled task.

 

Maintaining the OSS device

The following steps will keep the OSS on the same PAN-OS release as the production device. Perform these steps each time the production device is upgraded.
 

  1. Download the current Apps Only database from here: https://support.paloaltonetworks.com/ and open Dynamic Updates from the Tools Menu.
  2. Upload the Apps Only database to the device an install
  3. Download the appropriate PAN-OS from here: https://support.paloaltonetworks.com/ and open Software Updates from the Tools Menu
  4. Upload the downloaded PAN-OS to the device and install

 

Bringing the OSS device into production

The following steps will configure the OSS device to be identical to the original production device. The device should be managed from the IP address of the original production device.

  1. Have the device mounted and configured with
    • An IP on the management port,
    • Trust and untrust interfaces
    • Rule that allows all traffic from trust to untrust
    • Necessary NAT rule
  2. Plug the cables from the previous production device into the OSS
  3. Transfer the licenses to the OSS (How to Transfer Licenses to a Spare Device)
  4. Download the licenses to the device:
    • Device > Licenses > Retrieve license keys from license server
  5. Download and install the latest Applications and Threat database (Threat license is required, otherwise use Apps Only database):
    • Device > Dynamic Updates (may have to click "Check Now")
  6. Download and install the latest Antivirus (Threat license is required):
    • Device > Dynamic Updates (may have to click "Check Now")
  7. Download and install the latest URL filtering database (License is required).
    • Brightcloud: Device > Dynamic Updates.
    • PAN-DB: Device > Licenses > Re-Download under PAN-DB URL Filtering license.
  8. Import config from previous production device:
    • Device > Setup > Operations > Import named configuration snapshot.
      Important: The named configuration snapshot should not be named "running-config.xml", as this will cause a conflict on the device and may require a reset to factory default settings.
  9. Load the imported configuration snapshot:
    • Device > Setup > Operations > Load named configuration snapshot
  10. Commit

 

 

 

owner: esilha



Additional Information

See Also

On-Site Spares (OSS) FAQs

How to Transfer Licenses to a Spare Device



Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CltxCAC&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments
Choose Language