How to Replace a Hard Disk Drive on a Palo Alto Networks PA-2000 Series Firewall

Overview

This document describes how to install an RMA replacement hard disk drive on a PA-2000 Series firewall.

 

Prerequisites

The recommended best practice is to back up and export the running configuration, certificates, keys, and tech support file. This is possible only while the firewall is still up, or degraded due to an HDD error (for example, "Drive error detected").

  1. Go to Device > Setup > Operations > Save named configuration snapshot.
  2. Go to Device > Setup > Operations > Export named configuration snapshot.
  3. Go to Device > Support > Generate Tech Support File.
  4. Go to Device > Support > Download Tech Support File.
  5. Go to Device > Certificates > [Select Certificates to Export] > Export (use PKCS12 so exported certificates will include private keys).
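
Before the old drive is removed, it is worth confirming on the admin workstation that each exported PKCS12 bundle really contains the private key and that the key matches a certificate in the bundle. The script below is an added example, not part of the original article and not a Palo Alto Networks tool; it assumes OpenSSL is installed and that the export passphrase is supplied in the P12_PASS environment variable (a name chosen for this example).

```shell
#!/bin/sh
# Added example (not from the original article): pre-swap check of an
# exported PKCS12 bundle. The passphrase is read from the P12_PASS
# environment variable (assumed name) so it stays out of the process list.

# p12_check FILE
#   0  a private key is present and matches one certificate in FILE
#   2  file missing or empty
#   3  bundle unreadable (wrong passphrase or not PKCS12)
#   4  no private key in the bundle
#   5  private key matches none of the certificates
p12_check() {
    f=$1
    [ -s "$f" ] || { echo "$f: missing or empty" >&2; return 2; }

    # -noout only parses the bundle and verifies its MAC with the passphrase.
    openssl pkcs12 -in "$f" -noout -passin env:P12_PASS 2>/dev/null \
        || { echo "$f: cannot open (wrong passphrase or not PKCS12)" >&2; return 3; }

    # Derive the public key from the private key. The private key only
    # travels through the pipe and is never written to disk.
    key_pub=$(openssl pkcs12 -in "$f" -nocerts -nodes -passin env:P12_PASS 2>/dev/null \
              | openssl pkey -pubout 2>/dev/null) \
        || { echo "$f: no private key in bundle" >&2; return 4; }

    # Split the certificates (public data) into temp files and compare each
    # certificate's public key with the one derived from the private key.
    tmp=$(mktemp -d) || return 1
    openssl pkcs12 -in "$f" -nokeys -passin env:P12_PASS 2>/dev/null \
        | awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++ } n { print > (d "/cert" n ".pem") }'
    rc=5
    for c in "$tmp"/cert*.pem; do
        [ -f "$c" ] || continue
        if [ "$(openssl x509 -in "$c" -pubkey -noout 2>/dev/null)" = "$key_pub" ]; then
            rc=0
            break
        fi
    done
    rm -rf "$tmp"
    [ "$rc" -eq 0 ] && echo "$f: private key present and matches a certificate" \
                    || echo "$f: private key matches no certificate" >&2
    return "$rc"
}
```

Run `p12_check` against every exported bundle and re-export any certificate that returns a non-zero status while the firewall is still reachable.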

 

Note: If the Palo Alto Networks firewall receiving the replacement disk drive is the passive device in an HA pair, the prerequisites above are not required, since the running configuration, certificates and keys can be synchronized from the active device, provided that the HA config sync option is enabled. Performing the prerequisites is still highly recommended for backup purposes.

For active/active setup, perform the prerequisites since device-specific configurations are not synchronized to the peer device.

 

Steps

  1. Schedule a maintenance window since the HDD is not hot-swappable.
  2. Power down the Secondary or Passive firewall and replace the old HDD with the new one.
  3. Power up the firewall. The firewall should boot up with the same PAN-OS version as with the replaced disk drive. If this is not the case, follow the steps below:
    • Configure the firewall for basic connectivity to the network/internet so that it can fetch its license.
    • Upgrade the firewall PAN-OS version to the old working one, if needed.
    • Download and install the latest dynamic updates.
    • Import and load the previous working configuration, certificates and keys (or for HA A/P, configure HA setup and synchronize configuration from the active device).
      1. Go to Device > Setup > Import named configuration snapshot.
      2. Import the certificates and keys if the step above did not import them properly.
      3. Go to Device > Certificates > Import.
        Note: Use PKCS12 to make sure imported certificates include private keys. If keys are not required, import certificates using Base64 Encoded Certificate (PEM).
    • Commit.

 

owner: jlunario

Comments

Some additional information:

- Download the software version(s) of your PA from PAN before the replacement. HDD was shipped with version 5.0 and I had to upgrade first to the latest 6.0 version before I could import the backup.

- Download your license keys from PAN. You have to upload/activate the license keys manually on the new HDD before you can enroll the backup procedure.

- Download the latest dynamic updates from PAN and install them manually on the new HDD before resuming.

- If you are using Panorama for this device, it's better to export and import the device state. It includes the templates and device of local PA and Panorama config.