This document describes how to install an RMA replacement hard disk drive on a PA-2000 Series firewall.
The recommended best practice is to first back up and export the running configuration, certificates, keys, and tech support file. This is possible only when the firewall is still up, or is degraded due to an HDD error (for example, "Drive error detected").
Go to Device > Setup > Operations > Save named configuration snapshot.
Go to Device > Setup > Operations > Export named configuration snapshot.
Go to Device > Support > Generate Tech Support File.
Go to Device > Support > Download Tech Support File.
Go to Device > Certificates > [Select Certificates to Export] > Export (use PKCS12 so that exported certificates include their private keys).
Note: If the Palo Alto Networks firewall receiving the replacement disk drive is the passive device in an HA pair, the prerequisites above are not required, since the running configuration, certificates and keys can be synchronized from the active device, provided that HA config sync is enabled. It is still highly recommended to perform the prerequisites for backup purposes.
For active/active setup, perform the prerequisites since device-specific configurations are not synchronized to the peer device.
Schedule a maintenance window since the HDD is not hot-swappable.
Power down the Secondary or Passive firewall and replace the old HDD with the new one.
Power up the firewall. The firewall should boot up with the same PAN-OS version as with the replaced disk drive. If it does not, follow the steps below:
Configure the firewall for basic connectivity to the network/internet so that it can fetch its license.
Upgrade the firewall PAN-OS version to the old working one, if needed.
Download and install the latest dynamic updates.
Import and load the previous working configuration, certificates and keys (or for HA A/P, configure HA setup and synchronize configuration from the active device).
Go to Device > Setup > Import named configuration snapshot.
Import the certificates and keys if the step above did not import them properly.
Go to Device > Certificates > Import. Note: Use PKCS12 to make sure imported certificates include private keys. If keys are not required, import certificates using Base64 Encoded Certificate (PEM).
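Both the export prerequisite and the import step above depend on the PKCS12 file actually containing the private key. The following is an added example, not part of the original procedure and not a PAN-OS tool: a check run with OpenSSL on the administrator's workstation before the old disk is removed. The function names, passphrase, subject and file names are hypothetical, and the sample bundles are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example. Passphrase, subject and file names are constructed.
# The passphrase is passed via the environment, not argv, so it does
# not show up in the process list.
export P12_PASS='constructed-passphrase'

# p12_has_matching_key FILE
#   0  certificate and its private key are both in the bundle
#   1  no private key in the bundle (certificate-only export)
#   2  bundle unreadable, wrong passphrase, or no certificate
#   3  a key is present but does not belong to the certificate
# Assumption: the first certificate in the bundle is the one to check.
p12_has_matching_key() {
    cert_pub=$(openssl pkcs12 -in "$1" -passin env:P12_PASS -nokeys 2>/dev/null |
               openssl x509 -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkcs12 -in "$1" -passin env:P12_PASS -nocerts -nodes 2>/dev/null |
              openssl pkey -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ] || return 3
}

# Build two constructed bundles in DIR: one with the key, one without.
make_sample_bundles() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=fw-backup.example.test' \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null || return 1
    openssl pkcs12 -export -inkey "$1/key.pem" -in "$1/cert.pem" \
        -passout env:P12_PASS -out "$1/with-key.p12" || return 1
    openssl pkcs12 -export -nokeys -in "$1/cert.pem" \
        -passout env:P12_PASS -out "$1/cert-only.p12"
}

# Demo on the constructed bundles; the temporary key material is removed.
demo_dir=$(mktemp -d)
if make_sample_bundles "$demo_dir"; then
    for f in with-key.p12 cert-only.p12; do
        rc=0; p12_has_matching_key "$demo_dir/$f" || rc=$?
        echo "$f: result $rc"
    done
fi
rm -rf "$demo_dir"
```

A result of 1 on a real export means the file holds only the certificate, so the key would be lost with the old disk unless it is exported again as PKCS12.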