Replace a device (s/n) in Panorama Policy with an RMA s/n

L3 Networker


Hello -

Wondering if anyone has come across this issue.  We recently had to RMA one of our firewalls and we have a fairly extensive / complicated policy set in Panorama which consists of the following:

Shared Pre Rules targeted to specific firewalls

     Device Group Pre rules targeted to specific firewalls

     Device Group Post rules targeted to specific firewalls

Shared Post Rules targeted to specific firewalls

This being said, it presented a major headache in doing the RMA because the firewall that was removed and consequently replaced had to be manually removed from the rules - one by one - and then the new one added in the same process.  This RMA took approximately 3 hours to complete which seems really excessive.


So, I am wondering if anyone has come up with a way via CLI or other to handle this replacement in an "automated" fashion?  It behooves me that PA doesn't have native support for this type of thing.


Thanks!!

Palo Alto Networks Guru

Re: Replace a device (s/n) in Panorama Policy with an RMA s/n

There is a CLI command in Panorama called: "replace" that will achieve your goal.  This was introduced in Panorama 5.1.

Syntax:

replace device old <value> new <value>

L3 Networker

Re: Replace a device (s/n) in Panorama Policy with an RMA s/n

I am surprised that the TAC Engineer that we were working with did not inform us of this...I even asked specifically.

L7 Applicator

Re: Replace a device (s/n) in Panorama Policy with an RMA s/n

I'm surprised too.  The procedure for RMA replacement is long and reasonably complicated.  But it is very well documented.  See pages 176 and following in the Panorama admin guide.  I've had to do this a few times over the years.

Panorama Administrator's Guide 6.0 (English)

The replace portion is specifically on page 179.

Tasks on the Panorama CLI

You cannot perform these tasks on the Panorama web interface.

Step 6

Replace the serial number of the old device with that of the new replacement device on Panorama.

By replacing the serial number on Panorama you allow the new device to connect to Panorama after you restore the configuration on the device.

1. Enter the following command in operational mode:

replace device old <old SN#> new <new SN#>

2. Go in to configuration mode and commit your changes.

configure

commit

3. Exit configuration mode.

exit

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
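
A check to run before and after the `replace device` step described in this thread, added here as an example and not taken from any poster or from Palo Alto Networks: it lists every rule in an exported Panorama configuration that is targeted at a given serial number, so leftover references to the old device are visible. It assumes rule targets are stored as `target/devices/entry name="<serial>"` under each rulebase; the function names, serials and rule names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample export: serials, rule names and device-group name are invented.
SAMPLE = """<config><shared>
 <pre-rulebase><security><rules><entry name="shared-pre-1"><target><devices>
   <entry name="001000000001"/><entry name="001000000002"/>
 </devices></target></entry></rules></security></pre-rulebase>
 <post-rulebase><security><rules><entry name="shared-post-1"><target><devices>
   <entry name="001000000002"/>
 </devices></target></entry></rules></security></post-rulebase>
</shared><devices><entry name="localhost.localdomain"><device-group>
 <entry name="DG-Branch"><pre-rulebase><nat><rules>
  <entry name="dg-pre-nat"><target><devices><entry name="001000000001"/></devices></target></entry>
 </rules></nat></pre-rulebase></entry>
</device-group></entry></devices></config>"""

def rules_targeting(xml_text, serial):
    """Return (scope, rulebase, rule type, rule name) for each rule targeted at serial."""
    hits = []

    def walk(node, path):
        if node.tag == "rules":
            tags = [tag for tag, _ in path]
            # Scope is the device-group name when one is an ancestor, otherwise Shared.
            scope = "shared"
            if "device-group" in tags:
                scope = path[tags.index("device-group") + 1][1]
            rulebase = next((t for t in tags if t.endswith("-rulebase")), "unknown")
            for rule in node.findall("entry"):
                targets = {e.get("name") for e in rule.findall("target/devices/entry")}
                if serial in targets:
                    hits.append((scope, rulebase, tags[-1], rule.get("name")))
            return
        for child in node:
            walk(child, path + [(node.tag, node.get("name"))])

    walk(ET.fromstring(xml_text), [])
    return hits

def replacement_clean(before_xml, after_xml, old, new):
    """True when no rule still targets old and every rule that did now targets new."""
    moved = set(rules_targeting(before_xml, old)) <= set(rules_targeting(after_xml, new))
    return not rules_targeting(after_xml, old) and moved

if __name__ == "__main__":
    for hit in rules_targeting(SAMPLE, "001000000001"):
        print(hit)
```
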