Configuring an ON-SITE-SPARE

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Configuring an ON-SITE-SPARE

L2 Linker

Dear techs,

 

Can any one give me some rough idea on how to configure a PA OSS unit?

 

I have a PA 3020 unit in live infra. Recently bought another 3020 unit. The idea is to replicate all the configurations and settings from live to the OSS unit and keep the same offline.

 

Any help is much appreciated.

 

Thanks in advance. 

18 REPLIES 18

Cyber Elite
Cyber Elite

you can download the same PAN-OS and application package you are using on your active device and install it on the OSS, then load the config file you backed-up from the active device

 

all you'll need to do is fetch the latest threat package the moment the device is put in service, to be up and running

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Thanks for the update.

 

Sadly, my account doesnt have the previllage to access the download portal. I am awaiting for the credentials from Manager. Will update once I have the details with me.

 

While updating the PAN OS I have to install the base version first then, required update\version on top of that. Correct?

 

Thanks in advance

Hello,

You just need the base version downloaded to install the dot release. Also if you have 2 3020's why not put them into HA?

 

Cheers!

Dear,

 

I beleive the client dont want to spend additional amount for purchasing licenses and all. Well i'm not sure though. The task was to setup the device as OSS. 

 

I need few more days to download the required files. Still waiting for the credentials.

 

Cheers to all.

 

Thanks for the replies.

Hello,

Then the best way would be to do as Reaper suggested. Also anytime there is a change to the production unit, save a copy of the config to place onto the OOS.

 

Regards,

Dears,

 

Was engaged with some other tasks hence couldn't update the device. So, I have the OSS device now. The live PA OS version is 8.1.9-h4. So, I am downloading the below versions of PAN OS to flash it to the OSS unit. PA OS versions flashing in order 8.1.0 > 8.1.9 > 8.1.9-h4. I hope this is the PAN OS hierarchy I have to follow. Please correct me if I am wrong.

Thanks in advance

You don't need 8.1.9, just 8.1.0 & 8.1.9-h4

____________________

Just another I.T. Guy


@VincentPresogna wrote:

You don't need 8.1.9, just 8.1.0 & 8.1.9-h4


this is correct

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

L2 Linker

I have the same question. No replies? I would like to load my production device state on my spare unit then have it offline waiting in case the primary fails. I know I would need to xfer license subscriptions at failure point etc. 

When I try to commit imported device state it fails stating no valid threat license. 

I am not sure on the below. I have never tried to import the device state to the OSS unit as I was afraid that having the same configuration on 2 devices might have some impact on the network. I don't have a test network as well, so I didn't tried. So, far I am just backing up all the device backups on a monthly basis. What I know is that during that a device failure, we will need the PA support assistance in transferring the current PA licenses to the OSS unit.

Did you give a try in downloading and import the Threat license from the palo alto customer portal? If not, just give a try.

Try the below methods to download the same.

1. login to customer support

2. Go to assets

3. Select devices

4. Download the Threat Prevention License

I think the OSS should also have all the latest dynamic updates as well.

 

You can't import the device state as this will require the same subscription licenses, and installed packages, as the production device

 

An OSS can be kept updated with

-PAN-OS upgrades

-App-ID updates

-imported config files from production device

 

Upon failure the device can go live immediately and fetch subscription updates as soon as the licences have been moved and retrieved

 

If your failed device is still up at the time of failure you could export and import a device state at that time, but 'historically' there is no advantage over importing device state versus configuration onto a standby device: device state contains session table and other runtime info that is useless for the purpose of updating an offline spare

 

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

HI @dkordyban  - I am currently in the same situation.  Did you need to register your cold spare on the support portal incurring licensing costs or could you register the spare in the support portal and have it ready to be moved into production?
I have a cold spare that will import and load the config I exported from my prod PA3050, but it won't allow to commit changes as it's not registered.
It is on same PANOS version as well.

There's a section on the support site that allows one to "Register Spare", but I am still awaiting for support to respond with any associated costs to do that and have it get updates via it's Internet connected MGMT interface.

 

I am well aware of HA pair, and they might do that, but for now the client wants to have a viable spare to quickly switch to in event of emergency hardware failure to avoid RMA turn around time with supply chain issues we are facing.

 

Any input for having a spare ready to replace the Production appliance is welcome and very much appreciated!

Hi PatScott

We have 2 PA-5220 firewalls. One is fully licensed with AV,URL,Support. The other is setup as on site spare in assets.

Must go through support.paloaltonetworks.com to transfer licenses to spare in the case of primary hardware failure.

How to Transfer Licenses to a Spare Device - Knowledge Base - Palo Alto Networks 

Periodically, as configuration changes and Pan-OS gets upgraded on primary unit those changes should be mirrored and config exported/imported.

  • 11077 Views
  • 18 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!