This document describes how to set up a replacement, from an RMA device, as a High Availability (HA) peer.
Gather backup configuration
Take a backup configuration of the faulty device:
Go to Device > Setup > Operations > Configuration Management and click "Export device state." The device state contains the configuration for the device.
Note: To take a backup of a device from Panorama, go to Panorama > Managed Devices and click "Manage…" under the backups column for the appropriate device, OR you can export the device state bundle to a computer using SCP or TFTP from CLI > scp export device-state device to username@serverip:/path/
For PA-7000 series devices, note the output of the following command
> show session distribution policy
For all platforms, not the output of the following command
> show system setting jumbo-frame
Shut down the faulty unit using the command: > request shutdown system
Rack the new unit and connect to the unit's Management Interface.
(Optional) Set the operational mode to match that on the old firewall. A serial port connection is required for this task.
Enter the following CLI command to access maintenance mode on the firewall: > debug system maintenance-mode
To boot into the maintenance partition, enter maint during the boot sequence.
Select the operational mode as "Set FIPS Mode or Set CCEAL 4 Mode"from the main menu.
(Optional) Set the system settings to match the output from the commands in steps (2) and (3) in the previous section.
Configure Management Access to the replacement device
Access the console and log in using the default credentials:
Configure the management IP address, netmask, and gateway, as well the DNS and update servers using the following CLI command: > configure # set deviceconfig system ip-address <value> netmask <value> default-gateway <value> # set deviceconfig system dns-setting servers primary 126.96.36.199 # set deviceconfig system update-server updates.paloaltonetworks.com # commit # exit
Ping a domain to test, for example: > ping host paloaltonetworks.com
Obtain licenses from the license server.
Go to Device > Licenses.
Click Retrieve license keys from license server.
Make sure to have a URL filtering license and that the URL filtering is both activated and that the database has been successfully downloaded. Note: If a link "Download Now" is displayed the database has not. downloaded.
Install the same GlobalProtect Client and PAN-OS versions on the replacement device as the existing HA Peer
Install the GlobalProtect Client.
Go to Device > GlobalProtect Client
Download and active the appropriate version of the client.
Go to Device > Software.
Download and install the appropriate image.
Make sure dynamic updates have the same version as the HA peer. If not, then download and install the appropriate version: Device > Dynamic Update > Download > Install.
If the device is being managed from Panorama, replace the old serial number with the new one: > replace device old <Old Serial #> new <New Serial #>
Restore the configuration
For multi-vsys enabled systems, first enable multi vsys capability : > set system setting multi-vsys on
(Optional) Enable jumbo frames and session distribution policy to match the old device. > set system setting jumbo-frame on (reboot required to take effect) > set session distribution policy [ fixed | hash | ingress-slot | random| round-robing | session-load ]
Go to Device > Setup > Operations.
Click "Import device state" and import the previously backed up configuration from the faulty device.
Commit once the import of the device state is complete.
Ensure the new device stays in a passive state to prevent the configuration being pushed to the active device.
Suspend the new unit from the CLI run the command: > request high-availability state suspend or
From the GUI go to Device > High Availability > Operations > Suspend local device. or
Perform the config change:
Go to Device > High Availability > General > Setup and uncheck the Enable Config Sync option.
Disable "Preemptive" under Election Settings.
Configure device with the highest Device Priority value (255).
Make sure the replacement device has the same configuration as the active device.
Go to the Dashboard tab and check the High Availability widget. Note: If the High Availability widget is not displayed, then click Widgets > System > High Availability.
If the configurations are not the same, go to Device > High Availability and click "Push configuration to peer" from the active device.
Log into the Active unit. Go to Device > Config Audit > Do config audit between "Running Config" and "Peers Running Config." Make sure both are the same. If the case of any differences, try to manually configure the passive unit.
"Config Difference" can occur if a configuration backup was not taken for the faulty device, so the new device won't have the same configuration as the active unit. In this case, manual configuration is required.
Enable config sync (Device > High Availability > General > Setup) and preemptive (Device > High Availability > General > Election Settings) on the replacement device.
Commit the changes.
After the commit, connect the remaining cables to the new device.