How to Configure an RMA Replacement Firewall


Overview

To replace or repair a firewall, open a case requesting an RMA with an authorized support provider. This document discusses how to prepare the replacement firewall for the production environment.
 
If you are replacing a device that is part of an HA pair, you can follow How to Configure a High Availability Replacement Device instead.

Steps

  • Register the new firewall and transfer licenses:
    Upon receipt, register the new device and transfer licenses from the old unit. After Palo Alto Networks receives the failed device, the old licensing is stripped, so it is important to transfer the licenses immediately.
    To transfer the license, follow these instructions: How to Transfer Licenses to a Spare Device
    Note: When a license is transferred to the spare device, the original device still has a 30-day evaluation license.
  • Configure the Management Interface.
    • The default management interface IP is 192.168.1.1 and the default login/password is admin/admin.
    • Configure the management interface with internet access and a DNS server under Device > Setup. This interface must be able to reach updates.paloaltonetworks.com.
    • Alternatively, configure a service route so that a Layer 3 interface with internet access is used for management traffic. The appropriate interfaces, routing, and policies must be configured on the device. Go to Device > Setup > Service Route Configuration and choose the appropriate interface IP address for paloalto-updates and dns, as in the example below:

      [Screenshot: Service Route Configuration with paloalto-updates and dns bound to a Layer 3 interface address]

      Note: Refer to How to Configure the Management Interface IP to set up the IP address for the management interface.
    • Retrieve the licenses previously transferred to the device. Go to Device > Licenses > Retrieve license keys from license server. The licenses for each feature are displayed on the same page. Make sure that a URL filtering license is present, that URL filtering is activated, and that the database has been successfully downloaded. If a "Download Now" link is displayed, the database has not been downloaded. A successfully activated and downloaded PAN-DB URL filtering database looks like this: [Screenshot: Device > Licenses showing the PAN-DB URL filtering database active and downloaded]
    • The device is now ready to be upgraded, if needed. Download and install the available Applications or Applications and Threats package from Device > Dynamic Updates > Applications and Threats > Check Now; the device lists the packages available to download and install.
    • To update PAN-OS, go to Device > Software > Refresh.

      Additional information about PAN-OS upgrades: How to Upgrade PAN-OS and Panorama

    • Enable multi-vsys or jumbo frames if the old firewall used them:

      > set system setting multi-vsys on
      > set system setting jumbo-frame on
    • To load a previously backed up configuration on the replacement device, follow the use case that applies:
      • Case 1: The old device is still connected to the network and the firewall was not managed from Panorama:
        • This assumes that only the management interface of the new firewall has been connected to the network.
        • On the old device, save a snapshot under Device > Setup > Save Named Configuration Snapshot, then export it under Device > Setup > Export Named Configuration Snapshot.
        • On the new device, go to Device > Setup > Import Named Configuration Snapshot to import the backed up configuration onto the device.
        • Once the configuration is imported, load it from Device > Setup > Load Named Configuration Snapshot.
        • Change the management IP and hostname so that they do not conflict with the existing device if both are connected to the same management network. These can be changed back later if required.
        • Resolve any commit errors and commit the configuration.
        • Remove the old device and move the network cables to the new device.
      • Case 2: The old device is still connected to the network and the firewall is managed from Panorama:
        • Assuming only the management interface of the new device is connected, go to the old device and export the device state: Device > Setup > Export Device State.
        • On the new device, go to Device > Setup > Import Device State to import the backed up device state. Once this is done, the firewall has exactly the same settings as the old device (including the same IP and hostname). There is no need to load any configuration.
        • At this point you can remove the old firewall.
        • On the Panorama CLI, replace the old serial number with the new one: replace device old <old SN#> new <new SN#>. Then commit locally and push a commit to the firewall to bring it in sync.
      • Case 3: The old device is no longer available to take a backup and the firewall was not managed from Panorama:
        • Look for an old tech support file from the old firewall. The configuration is found inside it at /opt/pancfg/mgmt/saved-config/running-config.xml.
        • If no previous tech support files are available, it may be possible to use maintenance mode on the firewall to back up the old config: How to Retrieve the Palo Alto Networks Firewall Configuration in Maintenance Mode
        • Import the running-config.xml into the new firewall via Device > Setup > Import Named Configuration Snapshot. Commit and make sure the device is up and running.
      • Case 4: The old device is no longer available to take a backup and the firewall is managed from Panorama:
        • From Panorama, take a backup of the configuration bundle: Panorama > Setup > Operations > Export Panorama and devices config bundle. This bundle contains an .xml file whose name includes the serial number of the old firewall; that configuration can be loaded on the new device. Keep in mind that it is only a copy of the firewall's local config and does not contain configuration pushed from Panorama.
        • Assign an IP to the new firewall's management port and commit so that it connects to Panorama.
        • On Panorama, replace the old S/N with the new S/N: replace device old <old SN#> new <new SN#> and commit locally. Do NOT push the config to the new firewall yet.
        • From the Panorama and devices config bundle, take the config corresponding to the old device S/N, then import and load it on the new firewall. Do NOT commit yet.
        • From Panorama, now push a Device Group (DG) and Template commit to the new firewall. This commit should merge the candidate config with the config pushed from Panorama.
        • If there are no commit errors, the device should be up and running.
    • If you use any NAT IPs for source or destination NAT that are in the same subnet as the NAT interface (other than the interface IP itself), you will need to send a manual gratuitous ARP from the firewall to update the peers' ARP tables. For example, if your interface IP is 198.51.100.1/24 and you use 198.51.100.2 for NAT, you need to send a GARP for 198.51.100.2:

      > test arp gratuitous ip <ip> interface <interface>
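As an added example that is not part of this article, the following Python script reads a PAN-OS running-config.xml, picks out the static NAT translated addresses that fall inside a Layer 3 interface's subnet without being the interface address itself, and prints the matching test arp gratuitous commands. The XML is a constructed sample that follows the usual PAN-OS layout (an assumption; check the element paths against your own export).

```python
import ipaddress
import xml.etree.ElementTree as ET
# Constructed sample in the usual PAN-OS running-config.xml shape (assumption: verify
# element paths against a real export). ethernet1/1 carries 198.51.100.1/24; two NAT
# rules use other addresses in that subnet, one uses the interface IP, one is outside.
SAMPLE_CONFIG = """<config>
  <devices><entry name="localhost.localdomain">
    <network><interface><ethernet>
      <entry name="ethernet1/1"><layer3><ip><entry name="198.51.100.1/24"/></ip></layer3></entry>
    </ethernet></interface></network>
    <vsys><entry name="vsys1"><rulebase><nat><rules>
      <entry name="web-dnat"><destination-translation><translated-address>198.51.100.2</translated-address></destination-translation></entry>
      <entry name="mail-snat"><source-translation><static-ip><translated-address>198.51.100.3</translated-address></static-ip></source-translation></entry>
      <entry name="intf-snat"><source-translation><static-ip><translated-address>198.51.100.1</translated-address></static-ip></source-translation></entry>
      <entry name="other-dnat"><destination-translation><translated-address>192.0.2.10</translated-address></destination-translation></entry>
    </rules></nat></rulebase></entry></vsys>
  </entry></devices>
</config>"""

def layer3_interfaces(root):
    """Return [(interface_name, IPv4Interface), ...] for every Layer 3 address."""
    found = []
    for eth in root.iterfind(".//network/interface/ethernet/entry"):
        for ip in eth.iterfind("./layer3/ip/entry"):
            found.append((eth.get("name"), ipaddress.ip_interface(ip.get("name"))))
    return found

def nat_translated_addresses(root):
    """Return the set of static translated addresses used by NAT rules.
    Dynamic pools (<member> lists) carry no element text and are skipped."""
    addrs = set()
    for rule in root.iterfind(".//rulebase/nat/rules/entry"):
        for node in rule.iter("translated-address"):
            text = (node.text or "").strip()
            if text:
                addrs.add(text.split("/")[0])  # drop a prefix length if present
    return addrs

def garp_commands(config_xml):
    """GARP commands for NAT IPs inside an interface subnet, excluding the interface IP."""
    root = ET.fromstring(config_xml)
    ifaces = layer3_interfaces(root)
    cmds = []
    for addr in nat_translated_addresses(root):
        ip = ipaddress.ip_address(addr)
        for name, iface in ifaces:
            if ip in iface.network and ip != iface.ip:
                cmds.append(f"test arp gratuitous ip {ip} interface {name}")
    return sorted(cmds)

if __name__ == "__main__":
    print("\n".join(garp_commands(SAMPLE_CONFIG)))
```

The interface's own address (198.51.100.1) and the out-of-subnet address (192.0.2.10) are deliberately excluded, matching the condition stated in the step above.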
    • Return the defective device. To restore the factory default before returning it, refer to How to Factory Reset a Palo Alto Networks Device, or, if running PAN-OS 6.0 or later, review How to SSH into Maintenance Mode, since on those releases maintenance mode can be reached over SSH. Customers whose support subscription includes advance replacement of a failed firewall must return the defective unit to Palo Alto Networks after receiving the replacement.
      United States Customers - A return shipping label is included in the carton with the replacement. Affix the label to the carton to return the defective unit.
      International Customers - Refer to the return instructions and documents in the replacement shipping carton.

 

Comments

You'll also want to double-check anything that depends on the Serial Number. For example, Wildfire alert configuration in the Wildfire Portal Settings is based on SN. 

Hello,

What about all the information that is encrypted, like admin account passwords, VPN PSKs, device certificates and so on?

I guess that this information is not recovered because of the default Master Key, which should be device-specific, but I'm not sure and I'm not able to find any relevant information regarding this topic.

@Laurent_Dormond This information will be recovered through the configuration import.

If you changed the device's master key, you will first need to set your RMA device's master key to match your broken device's master key so private data can be imported. If the master key was not changed, the config will import just fine.

@reaper Thanks for your answer. Does it mean that the default Master Key is the same on any device? In this case, this appears to be a security weakness in my mind?

Hi @Laurent_Dormond by default, every device is loaded with the factory certificates etc. From a security perspective it is always recommended and best practice to load your own device certs and master key just like changing the default admin password. 

I need to perform Case 2 in a week and I don't have a test FW to write up my change steps. Does anyone know if a commit is required after importing the device state on the spare/new FW? 

hi @FernandoDiaz

yes

A commit is always required when configuration is moved from the management plane (where config is imported/edited/...) to the dataplane (where traffic is processed).

Once you have imported a config file or device state and loaded it into management, a commit will make it active on the dataplane.

Hi @FernandoDiaz

I performed case 1 a few months ago and it's quite an easy and straightforward operation; however, I just noticed one "particular" behavior (not sure it would also apply in case 2):

After importing and committing the config on the new device, the root admin password is not changed (and probably all the local admin accounts, if any), so if you log out after committing your config you won't be able to log in using the admin account that was supposed to reside in the saved config, and you will have to change it manually.

hi @Laurent_Dormond

The password should normally come over with the exported (export named config) configuration. Did you happen to collect the config from a techsupport file? (techsupport destroys password hashes for privacy)

Hi @reaper

No, I performed an export of the old device's running-config and imported it on the new device, then loaded and committed.

hi @Laurent_Dormond

That's odd, the passwords should come along

Do (did) you have a master key set or are you running in FIPS mode?

Hi @reaper

No, I had only the built-in master key and no FIPS mode.

But it was not a really relevant issue.