How to Configure a High Availability Replacement Device

How to Configure a High Availability Replacement Device

Created On 09/25/18 17:39 PM - Last Modified 07/12/24 09:38 AM


  • PAN-OS 8.0 and above.
  • Palo Alto Firewall.


Gather backup configuration:

Take a backup configuration of the faulty device:

  1. Go to  GUI: Device > Setup > Operations > Configuration Management and click "Export device state." The device state contains the configuration for the device.
  • To take a backup of a device from Panorama, go to GUI: Panorama > Managed Devices and click "Manage…" under the backups column for the appropriate device.
  •  OR you can export the device state bundle to a computer using SCP or TFTP from CLI
> scp export device-state device to username@serverip:/path/
  1. For PA-7000 series devices, note the output of the command 

    > show session distribution policy
  2. For all platforms, note the output of the following command
    > show system setting jumbo-frame
  3. Shut down the faulty unit using the command:
    > request shutdown system
  4. Rack the new unit and connect to the unit's Management Interface.


Set up the Basic configuration on the new device:

  1. Transfer Licenses. Refer to the following document: How to Transfer Licenses to a Spare Device
  2. (Optional) Set the operational mode to match that on the old firewall. A serial port connection is required for this task.
    1. Enter the following CLI command to access maintenance mode on the firewall:
debug system maintenance-mode
  1. To boot into the maintenance partition, enter maint during the boot sequence.
  2. Select the operational mode as "Set FIPS Mode or Set CCEAL 4 Mode" from the main menu.
  1. (Optional) Set the system settings to match the output from the commands in steps (2) and (3) in the previous section.
  2. Configure Management Access to the replacement device. Connect only Console and Management interface first.
    1. Access the console and login using the default credentials:
      • Username: admin
      • Password: admin (This may vary depending on the PAN-OS version. Refer documentation for the default password)
    2. Configure the management IP address, netmask, and gateway, as well the DNS and update servers using the following CLI command:
> configure
# set deviceconfig system ip-address <value> netmask <value> default-gateway <value>
# set deviceconfig system dns-setting servers primary
# set deviceconfig system update-server
# commit
# exit
  1. Ping a domain to test, for example:
> ping host
  1. Obtain licenses from the license server.
  • Go to GUI: Device > Licenses.
  • Click Retrieve license keys from the license server.
  • Make sure to have a URL filtering license and that the URL filtering is both activated and that the database has been successfully downloaded. Note: If a link "Download Now" is displayed the database has not. downloaded.
  1. Install the same GlobalProtect Client and PAN-OS versions on the replacement device as the existing HA Peer
  • Install the GlobalProtect Client.
    1. Go to Device > GlobalProtect Client
    2. Download and activate the appropriate version of the client.
  • Install PAN-OS.
    1. Go to Device > Software.
    2. Download and install the appropriate image.
  • Reboot.
  1. Make sure dynamic updates have the same version as the HA peer. If not, then download and install the appropriate version:
GUI:Device > Dynamic Update > Download > Install.
  1. If the device is being managed from Panorama, replace the old serial number with the new one and commit on the Panorama (After a successful commit, you may need to re-login to the Panorama to see the new serial associated with the correct DG and Template Stack):
> replace device old <Old Serial #> new <New Serial #>
> configure
# commit partial admin <admin_name>

Restore the configuration:

NOTE: Prior to restoring the config, if the Master Key has been changed, add the changed Master Key to the firewall. Otherwise you will not be able to commit the config to the firewall.


  1. For multi-vsys enabled systems, first enable multi vsys capability : 
> set system setting multi-vsys on

  1. (Optional) Enable jumbo frames and session distribution policy to match the old device.
> set system setting jumbo-frame on (reboot required to take effect)
> set session distribution policy [ fixed | hash | ingress-slot | random| round-robing | session-load ]
  1. Go to GUI:Device > Setup > Operations.
  2. Click "Import device state" and import the previously backed up configuration from the faulty device.
  3. Commit once the import of the device state is complete.
  4. Ensure the new device stays in a passive state to prevent the configuration from being pushed to the active device.
    • Suspend the new unit from the CLI run the command:
      > request high-availability state suspend
    • From the GUI go to GUI: Device > High Availability > Operations > Suspend local device.
    • Perform the config change:
Go to Device > High Availability > General > Setup and uncheck the Enable Config Sync option.
Disable "Preemptive" under Election Settings.
Configure the device with the highest Device Priority value (255).
Perform a commit
Note: The device will not become active with this configuration. Refer to High Availability Synchronization
  1. Connect HA1 Interfaces.
  2. Make sure the replacement device has the same configuration as the active device.
    • Go to the Dashboard tab and check the High Availability widget.
      Note: If the High Availability widget is not displayed, then click Widgets > System > High Availability.
    • If the configurations are not the same, go to Device > High Availability and click "Push configuration to peer" from the active device.
  3. Verify there are no active commit jobs running and the devices are in sync. Use the commands below
show jobs all
show high-availability all | match "Running Configuration"
  1. Verify there is no difference in idmgr between the devices.
debug device-server dump idmgr high-availability state
  1. Log into the Active unit. Go to Device > Config Audit > Do config audit between "Running Config" and "Peers Running Config." Make sure both are the same. If the case of any differences, try to manually configure the passive unit.

"Config Difference" can occur if a configuration backup was not taken for the faulty device, so the new device won't have the same configuration as the active unit. In this case, manual configuration is required.

  • Enable config sync (Device > High Availability > General > Setup) and preemptive (Device > High Availability > General > Election Settings) on the replacement device.
  • Commit the changes.
  1. Connect the HA2 interface and wait for the session synchronization to be completed.
  2. If the Firewall is suspended during step 6, make it functional now.
  3. Connect the other dataplane interfaces now.
The replacement procedure is now complete.

Please note that these instructions should be followed if the firewall is an SD-WAN device. 

  • Print
  • Copy Link

Choose Language