On-Site-Spare (OSS) Maintenance and Use

On-Site-Spare (OSS) Maintenance and Use

Created On 09/26/18 13:51 PM - Last Modified 12/15/21 00:50 AM



This document describes how to maintain and use an On-Site-Spare (OSS) device.



Backing up the production configuration

Regularly export/backup the existing configuration from the production unit. This can be done either the web UI or from a terminal software using scp or tftp.


From the web UI:

  • Device > Setup > Operations > Export named configuration snapshot > running-config.xml

From terminal software and SCP or TFTP server:

Note: The terminal software method can be scripted and run by a scheduled task.


Maintaining the OSS device

The following steps will keep the OSS on the same PAN-OS release as the production device. Perform these steps each time the production device is upgraded.

  1. Download the current Apps Only database from here: https://support.paloaltonetworks.com/ and open Dynamic Updates from the Tools Menu.
  2. Upload the Apps Only database to the device an install
  3. Download the appropriate PAN-OS from here: https://support.paloaltonetworks.com/ and open Software Updates from the Tools Menu
  4. Upload the downloaded PAN-OS to the device and install


Bringing the OSS device into production

The following steps will configure the OSS device to be identical to the original production device. The device should be managed from the IP address of the original production device.

  1. Have the device mounted and configured with
    • An IP on the management port,
    • Trust and untrust interfaces
    • Rule that allows all traffic from trust to untrust
    • Necessary NAT rule
  2. Plug the cables from the previous production device into the OSS
  3. Transfer the licenses to the OSS (How to Transfer Licenses to a Spare Device)
  4. Download the licenses to the device:
    • Device > Licenses > Retrieve license keys from license server
  5. Download and install the latest Applications and Threat database (Threat license is required, otherwise use Apps Only database):
    • Device > Dynamic Updates (may have to click "Check Now")
  6. Download and install the latest Antivirus (Threat license is required):
    • Device > Dynamic Updates (may have to click "Check Now")
  7. Download and install the latest URL filtering database (License is required).
    • Brightcloud: Device > Dynamic Updates.
    • PAN-DB: Device > Licenses > Re-Download under PAN-DB URL Filtering license.
  8. Import config from previous production device:
    • Device > Setup > Operations > Import named configuration snapshot.
      Important: The named configuration snapshot should not be named "running-config.xml", as this will cause a conflict on the device and may require a reset to factory default settings.
  9. Load the imported configuration snapshot:
    • Device > Setup > Operations > Load named configuration snapshot
  10. Commit




owner: esilha

Additional Information

See Also

On-Site Spares (OSS) FAQs

How to Transfer Licenses to a Spare Device

  • Print
  • Copy Link


Choose Language