How to replace an SMC module in a 7000 series chassis

Created On 04/25/19 09:06 AM - Last Modified 08/28/23 10:10 AM


Objective


  • To be able to replace a failed SMC in a 7000 series chassis.
  • Although this is a line card replacement, the SMC runs the management functionality of the chassis, so the procedure is similar to replacing a chassis-based firewall.


Environment


  • PA-7050 or PA-7080 firewalls in Active/Passive high availability.
  • Faulty SMC which needs to be replaced.


Procedure


NOTE: It is recommended to perform the activities below during a maintenance window. 

The procedure will vary depending on whether the firewall with the faulty SMC is accessible or not.

If the firewall with the failed SMC is still accessible and the SMC is functioning:
  1. Export the device state from the firewall with the faulty SMC. This will include both the local config and the Panorama-pushed config.
  2. Make a note of the session distribution policy, multi-vsys, and jumbo frames settings, as the replacement will have the default settings.
> show session distribution policy
> show system setting jumbo-frame
> show system setting multi-vsys
  3. Disable config sync on both HA peers to stop any changes being synced.
  4. To minimize the risk of impact to production, unplug all the network interfaces from the passive NPCs so no traffic can pass through this unit in case it becomes active.
  5. Disconnect the HA cables between the peers.
  6. Shut down the whole chassis and replace the SMC with the new SMC.
  7. Power on the firewall and then connect the management interface. Wait until the auto commit succeeds, then configure the management interface and commit the changes.
> set deviceconfig system ip-address <x.x.x.x> netmask <x.x.x.x> default-gateway <x.x.x.x>

  8. Access the firewall Web UI to load the licenses, install content and upgrade PAN-OS to match the peer device.
  9. Import the device state (which was exported in step 1) and commit the changes.
  10. Once the commit succeeds, make sure the firewall has all the configuration as expected.
  11. Once imported, check Panorama to ensure the firewall is connected and that the device group and template are in sync. If not, do a push to the firewall.
  12. Check the session distribution policy, multi-vsys, and jumbo frames settings to make sure they match what was configured on the previous SMC. If necessary, reconfigure them to match.
> show session distribution policy
> show system setting jumbo-frame
> show system setting multi-vsys

> set session distribution policy [fixed | hash | ingress-slot | random | round-robin | session-load | symmetric-hash]
> set system setting multi-vsys [on | off]
> set system setting jumbo-frame [on | off] (reboot required to take effect)
  13. Under Device -> High Availability -> Operational Commands, suspend the local device. This will ensure the device with the replaced SMC will not attempt to remain as the active member once the HA2 connections are brought online.
  14. Reconnect the HA cables and confirm HA between the devices is up and working.
  15. Reconnect the NPC cables.
  16. Perform the final checks to make sure the firewalls are back to a normal operational state.
  17. Under Device -> High Availability -> Operational Commands, select Make local device functional. If required, also perform a failover to the firewall which has had the SMC replaced and perform production traffic checks.

If the firewall with the failed SMC is not accessible due to the failed SMC:

  1. Have a backup config of the firewall ready to upload once the SMC has been replaced. If managed by Panorama, you will also need to push the policy and templates once ready.
  2. If the SMC being replaced was in the active firewall and preempt is enabled, configure the current active firewall with a higher priority (lower value) so it will remain the active firewall.
  3. Disable config sync on the current working firewall to stop any changes being synced.
  4. To minimize the risk of impact to production, unplug all the network interfaces from the passive NPCs so no traffic can pass through this unit in case it becomes active.
  5. Disconnect the HA cables between the peers.
  6. Shut down the whole chassis and replace the SMC with the new SMC. See "Replace a PA-7000 Series Switch Management Card (SMC)".
  7. Power on the firewall and then connect the management interface. Wait until the auto commit succeeds, then configure the management interface and commit the changes.
> set deviceconfig system ip-address <x.x.x.x> netmask <x.x.x.x> default-gateway <x.x.x.x>
  8. Access the firewall Web UI and add the Panorama server/s. Commit the changes.
  9. Load the licenses, install content and upgrade PAN-OS to match the peer device.
  10. Import the local configuration from backup but do NOT commit the changes.
  11. From Panorama, push the device group and the template to the firewall with the new SMC, ensuring "force template values" is NOT checked and "merge with candidate config" is checked. This will merge the local config previously loaded on the firewall with the Panorama-pushed config.
  12. Once the commit succeeds, make sure the firewall has all the configuration as expected.
  13. Check the session distribution policy, multi-vsys, and jumbo frames settings to make sure they match what is configured on the peer device.
> show session distribution policy
> show system setting jumbo-frame
> show system setting multi-vsys

> set session distribution policy [fixed | hash | ingress-slot | random | round-robin | session-load | symmetric-hash]
> set system setting multi-vsys [on | off]
> set system setting jumbo-frame [on | off] (reboot required to take effect)

  14. Under Device -> High Availability -> Operational Commands, suspend the local device. This will ensure the device with the replaced SMC will not attempt to remain as the active member once the HA2 connections are brought online.
  15. Reconnect the HA cables and confirm HA between the devices is up and working.
  16. Reconnect the NPC cables.
  17. Perform the final checks to make sure the firewalls are back to a normal operational state.
  18. Under Device -> High Availability -> Operational Commands, select Make local device functional. If required, also perform a failover to the firewall which has had the SMC replaced and perform production traffic checks.

Please note: As Panorama uses the chassis serial number, no updates are required on Panorama for an SMC swap.  
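
For the settings check in both procedures above (against the notes taken from the old SMC, or against the peer device), the comparison can be done on saved CLI session logs rather than by eye. This is an added example, not Palo Alto Networks code; the prompt pattern is an assumption and the sample output lines are constructed placeholders, not real PAN-OS output.

```python
import re

# Settings the procedure says a replacement SMC resets to defaults.
TRACKED = (
    "show session distribution policy",
    "show system setting jumbo-frame",
    "show system setting multi-vsys",
)
# Assumed prompt forms: "user@host>" or the bare ">" used on this page.
PROMPT = re.compile(r"^(?:\S+@\S+)?>\s*(.*)$")

def parse_transcript(text):
    """Split a saved CLI session into {tracked command: [output lines]}."""
    outputs, current = {}, None
    for line in text.splitlines():
        m = PROMPT.match(line)
        if m:
            cmd = " ".join(m.group(1).split())
            current = cmd if cmd in TRACKED else None
            if current:
                outputs[current] = []  # a repeated command keeps its last run
        elif current and line.strip():
            outputs[current].append(" ".join(line.split()))
    return outputs

def compare(reference, replacement):
    """Return {command: (reference, replacement)} for every tracked setting
    that differs or was not captured in one of the transcripts."""
    ref, new = parse_transcript(reference), parse_transcript(replacement)
    return {cmd: (ref.get(cmd), new.get(cmd)) for cmd in TRACKED
            if cmd not in ref or cmd not in new or ref[cmd] != new[cmd]}

# Constructed transcripts: the output lines are placeholders, not real PAN-OS output.
BEFORE = """\
admin@fw-a> show session distribution policy
policy: session-load
admin@fw-a> show system setting jumbo-frame
jumbo-frame: on
admin@fw-a> show system setting multi-vsys
multi-vsys: on
"""
AFTER = BEFORE.replace("session-load", "round-robin").replace("frame: on", "frame: off")

if __name__ == "__main__":
    for cmd, (old, new) in compare(BEFORE, AFTER).items():
        print(f"MISMATCH {cmd}: reference={old} replacement={new}")
```

A missing capture is reported as a mismatch with `None` on that side, so a forgotten command does not pass silently.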

 


