How to Configure a High Availability Replacement Device


This document describes how to set up a replacement device, received through an RMA, as a High Availability (HA) peer.



Gather backup configuration

Take a backup configuration of the faulty device:

  1. Go to Device > Setup > Operations > Configuration Management and click "Export device state." The device state contains the configuration for the device.

    Note: To take a backup of a device from Panorama, go to Panorama > Managed Devices and click "Manage…" under the Backups column for the appropriate device. Alternatively, export the device state bundle to a computer using SCP or TFTP from the CLI:
    > scp export device-state device to username@serverip:/path/

  2. For PA-7000 series devices, note the output of the following command:

    > show session distribution policy

  3. For all platforms, note the output of the following command:

    > show system setting jumbo-frame

  4. Shut down the faulty unit using the command:
    > request shutdown system
  5. Rack the new unit and connect to the unit's Management Interface.


Set up basic configuration on the new device

  1. Transfer Licenses. Refer to the following document: How to Transfer Licenses to a Spare Device
  2. (Optional) Set the operational mode to match that on the old firewall. A serial port connection is required for this task.
    1. Enter the following CLI command to access maintenance mode on the firewall:
      > debug system maintenance-mode
    2. To boot into the maintenance partition, enter maint during the boot sequence.
    3. Select the operational mode, "Set FIPS Mode" or "Set CCEAL 4 Mode", from the main menu.
  3. (Optional) Set the system settings to match the output from the commands in steps (2) and (3) in the previous section.
  4. Configure Management Access to the replacement device
    1. Access the console and log in using the default credentials:
      • Username: admin
      • Password: admin
    2. Configure the management IP address, netmask, and gateway, as well as the DNS and update servers, using the following CLI commands:
      > configure
      # set deviceconfig system ip-address <value> netmask <value> default-gateway <value>
      # set deviceconfig system dns-setting servers primary <value>
      # set deviceconfig system update-server <value>
      # commit
      # exit
    3. Ping a domain to test, for example:
      > ping host
  5. Obtain licenses from the license server.
    • Go to Device > Licenses.
    • Click Retrieve license keys from license server.
    • Make sure a URL filtering license is present, that URL filtering is activated, and that the database has been successfully downloaded. Note: If a "Download Now" link is displayed, the database has not been downloaded.
  6. Install the same GlobalProtect Client and PAN-OS versions on the replacement device as on the existing HA peer.
    • Install the GlobalProtect Client.
      1. Go to Device > GlobalProtect Client.
      2. Download and activate the appropriate version of the client.
    • Install PAN-OS.
      1. Go to Device > Software.
      2. Download and install the appropriate image.
    • Reboot.
  7. Make sure dynamic updates have the same version as the HA peer. If not, then download and install the appropriate version:
    Device > Dynamic Update > Download > Install.
  8. If the device is being managed from Panorama, replace the old serial number with the new one:
    > replace device old <Old Serial #> new <New Serial #>
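
The version and mode matching asked for in this section (operational mode, GlobalProtect Client, PAN-OS, dynamic updates) can be checked before HA is re-enabled. The following Python sketch is an added example, not part of the original article or any Palo Alto Networks tooling: it compares "show system info" output captured from the active peer and from the replacement. The sample captures are constructed, and the set of fields compared is an assumption based on the items this article says must match.

```python
# Added example: HA peer parity check over "show system info" output.
# Fields chosen (assumption) from what the article says must match.
MUST_MATCH = (
    "sw-version",                             # PAN-OS image
    "global-protect-client-package-version",  # GlobalProtect Client
    "app-version", "threat-version", "av-version",  # dynamic updates
    "multi-vsys",
    "operational-mode",                       # normal vs FIPS/CC mode
)

def parse_system_info(text):
    """Parse 'key: value' lines into a dict, skipping anything else."""
    info = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip():
            info[key.strip()] = value.strip()
    return info

def parity_report(active_text, replacement_text):
    """Return {field: (active, replacement)}; a missing field counts as a diff."""
    active = parse_system_info(active_text)
    replacement = parse_system_info(replacement_text)
    diffs = {}
    for field in MUST_MATCH:
        a, r = active.get(field), replacement.get(field)
        if a is None or r is None or a != r:
            diffs[field] = (a, r)
    return diffs

# Constructed sample capture; all values are illustrative.
ACTIVE = """sw-version: 9.1.10
global-protect-client-package-version: 5.2.5
app-version: 8400-6600
threat-version: 8400-6600
av-version: 3700-4200
multi-vsys: on
operational-mode: normal
"""
# Constructed replacement capture: older PAN-OS image, multi-vsys not yet enabled.
REPLACEMENT = ACTIVE.replace("9.1.10", "9.1.3").replace("multi-vsys: on", "multi-vsys: off")

if __name__ == "__main__":
    for field, (a, r) in parity_report(ACTIVE, REPLACEMENT).items():
        print(f"MISMATCH {field}: active={a} replacement={r}")
```

An empty report means the compared fields agree; it does not replace the config audit performed later from the active unit.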


Restore the configuration


  1. For multi-vsys enabled systems, first enable multi-vsys capability:
    > set system setting multi-vsys on
  2. (Optional) Enable jumbo frames and session distribution policy to match the old device.
    > set system setting jumbo-frame on (reboot required to take effect)
    > set session distribution policy [ fixed | hash | ingress-slot | random | round-robin | session-load ]
  3. Go to Device > Setup > Operations.
  4. Click "Import device state" and import the previously backed up configuration from the faulty device.
  5. Commit once the import of the device state is complete.
  6. Ensure the new device stays in a passive state to prevent the configuration being pushed to the active device.
    • To suspend the new unit from the CLI, run the command:
      > request high-availability state suspend
    • From the GUI, go to Device > High Availability > Operations > Suspend local device.
    • Perform the config change:
        • Go to Device > High Availability > General > Setup and uncheck the Enable Config Sync option.
        • Disable "Preemptive" under Election Settings.
        • Configure device with the highest Device Priority value (255).
        • Perform a commit.
          Note: The device will not become active with this configuration. Refer to High Availability Synchronization.
  7. Make sure the replacement device has the same configuration as the active device.
    • Go to the Dashboard tab and check the High Availability widget.
      Note: If the High Availability widget is not displayed, then click Widgets > System > High Availability.
    • If the configurations are not the same, go to Device > High Availability and click "Push configuration to peer" from the active device.
  8. Log into the Active unit. Go to Device > Config Audit and run a config audit between "Running Config" and "Peers Running Config." Make sure both are the same. In the case of any differences, try to manually configure the passive unit.

"Config Difference" can occur if a configuration backup was not taken for the faulty device, so the new device won't have the same configuration as the active unit. In this case, manual configuration is required.

  1. Enable config sync (Device > High Availability > General > Setup) and preemptive (Device > High Availability > General > Election Settings) on the replacement device.
  2. Commit the changes.


After the commit, connect the remaining cables to the new device.


owner: hshah


If step one cannot be done (in my case the faulty unit will not boot up, so therefore I cannot back up the config) is it necessary to disable HA on the secondary device, back up the config from the secondary device, and restore that on the new primary device, then set up HA again?

There are settings that are node specific you will need to edit in your scenario.  Your best bet is to perform the steps with a live session on Palo Alto support.  They will make sure you make the appropriate updates and preserve your existing system and traffic through the process.


I am waiting for an RMA device that I need for replacing a failed one in active-passive HA, and I am just wondering if the backup also includes the certificates, or whether I need to export them and import them on the new device.

Thank you

Secondary is dead, so this is not helpful. It would be nice to post the article for both scenarios.

There are some important steps missing, although they may be not applicable in many scenarios:


1. Set the device Master Key before importing the device state backup.

2. Export this device's HA key, import its partner's HA Key, and on the partner device, import this device's HA key. I did this after importing and committing the device state backup. I'm not sure if it can be done earlier.

Is there something special about using 255 where a device cannot become active, or did the article just mean higher than the current active device? Just curious, is there any documentation that points towards an answer to this?


What about system state parameters copying?

For example: cfg.general.max-arp