topic Re: RMA replacement in General Topics

RMA replacement

Momoj — Mon, 19 Dec 2022 09:14:38 GMT

Hi All,

We will doing a RMA replacement for PA-3220. The faulty unit is cannot access anymore from GUI or CLI and it's managed from Panorama. We only have the backup configuration and not the device state. So, what we should?

1)Do we replace the fault unit with the new one, configure the HA with the active unit and replace the S/N in the firewall? It is possible the active unit to sync the device state to the new spare unit?

Thanks.

Re: RMA replacement

Raido_Rattameister — Mon, 19 Dec 2022 14:39:48 GMT

Configuration backup has all local information needed like mgmt interface IP, HA settings etc so you don't need device state.

After physical replacement replace serial number in Panorama and commit from Panorama to firewall.

If firewalls show "out of sync" in HA dashboard then click "sync to peer" from surviving HA member (and not from RMA device).

Re: RMA replacement

Momoj — Mon, 19 Dec 2022 17:27:18 GMT

Alright. I understand. So we need to load backup config first? After that, we do the physical replacement, serial number in Panorama and commit from Panorama to firewall. But when we try to load backup into RMA device, it have commit error and when we try to resolve it, it will have another error.

is it possible if we change the management IP and configure HA with the active unit? and then, we change the serial number in Panorama and commit from Panorama to firewall.

Re: RMA replacement

Raido_Rattameister — Mon, 19 Dec 2022 17:36:27 GMT

What error do you get? Is it missing some settings that were pushed from Panorama?

If this is the case then try following:

Import backup config into RMA firewall.

Change RMA mgmt to use temporary unique IP.
Configure networking so that this temporary IP can reach Panorama.

Add new RMA fw serial into "Panorama > Managed Devices > Summary" as new firewall.

Add RMA fw to same template group and Device group as old firewall.

Push and commit to RMA fw from Panorama to merge imported backup with config settings pushed from Panorama.

If this works then you can remove old fw from device group and template group.

Change RMA mgmt IP to match old firewall.

Perform physical install.
Sync config from surviving fw to RMA fw on HA dashboard.

Re: RMA replacement

Raido_Rattameister — Mon, 19 Dec 2022 17:38:31 GMT

Actually temporary unique IP is not needed as I assume old dead firewall is not connected to network any more.

Re: RMA replacement

Momoj — Mon, 19 Dec 2022 19:09:53 GMT

Yeah, the old firewall is not connected to the network. So, we just replace the old serial number to new serial number?

Re: RMA replacement

Raido_Rattameister — Mon, 19 Dec 2022 19:11:32 GMT

In this case yes as simple step try to replace serial number and commit from Panorama to RMA fw.

Re: RMA replacement

Momoj — Mon, 19 Dec 2022 19:34:50 GMT

Alright, thank you. we managed to change S/N to a new one but it seems like the RMA device in the panorama is disconnected.

Re: RMA replacement

Raido_Rattameister — Mon, 19 Dec 2022 19:43:50 GMT

RMA firewall has Panorama configuration under Device > Setup > Management > Panama settings?

What ms logs shows on RMA firewall?

less mp-log ms.log

Or view new logs as they appear

tail follow yes mp-log ms.log

Re: RMA replacement

PavelK — Mon, 19 Dec 2022 22:06:16 GMT

Hello @Momoj

in addition to going through logs mentioned by Raido, if you are running PAN-OS 10.1.3 and higher, you will have to import authentication key to Firewall to allow communication with Panorama: https://docs.paloaltonetworks.com/panorama/10-1/panorama-admin/manage-firewalls/add-a-firewall-as-a-managed-device

Kind Regards

Pavel

Re: RMA replacement

Momoj — Wed, 21 Dec 2022 01:49:42 GMT

Hi all,

Sorry for my late reply and thanks for all helps. It seems like we managed to connect from RMA firewall to Panorama. But when we want try to push the config file from panorama to firewall, it still have some error same as when we try to do backup config directly to firewall.

Re: RMA replacement

Raido_Rattameister — Wed, 21 Dec 2022 03:41:44 GMT

What error do you get?

Does checking "Force Template Values" when committing from Panorama to RMA fix the issue?

Re: RMA replacement

RREALICA — Thu, 22 Dec 2022 15:08:14 GMT

Just noticed this post - we are going through a similar ordeal and wondering if you have completed the restore process.

this is our experience/problems so far:

https://live.paloaltonetworks.com/t5/general-topics/problems-after-rma-of-an-active-passive-pair/td-p/524841

thanks.

Re: RMA replacement

Momoj — Fri, 23 Dec 2022 01:59:56 GMT

Yes, we are able to push the config by clicking the force template value. For somehow, there is a configuration error in the template that cause GUI for RMA unit cannot be access. We already log the ticket to RMA for this issue.

Thanks all for your help.