08-19-2019 03:58 AM
Dear techs,
Can any one give me some rough idea on how to configure a PA OSS unit?
I have a PA 3020 unit in live infra. Recently bought another 3020 unit. The idea is to replicate all the configurations and settings from live to the OSS unit and keep the same offline.
Any help is much appreciated.
Thanks in advance.
08-19-2019 05:09 AM
you can download the same PAN-OS and application package you are using on your active device and install it on the OSS, then load the config file you backed-up from the active device
all you'll need to do is fetch the latest threat package the moment the device is put in service, to be up and running
08-19-2019 05:17 AM
Thanks for the update.
Sadly, my account doesnt have the previllage to access the download portal. I am awaiting for the credentials from Manager. Will update once I have the details with me.
While updating the PAN OS I have to install the base version first then, required update\version on top of that. Correct?
Thanks in advance
08-19-2019 07:48 AM
Hello,
You just need the base version downloaded to install the dot release. Also if you have 2 3020's why not put them into HA?
Cheers!
08-20-2019 09:08 PM
Dear,
I beleive the client dont want to spend additional amount for purchasing licenses and all. Well i'm not sure though. The task was to setup the device as OSS.
I need few more days to download the required files. Still waiting for the credentials.
Cheers to all.
Thanks for the replies.
08-21-2019 08:59 AM
Hello,
Then the best way would be to do as Reaper suggested. Also anytime there is a change to the production unit, save a copy of the config to place onto the OOS.
Regards,
10-14-2019 11:34 PM
Dears,
Was engaged with some other tasks hence couldn't update the device. So, I have the OSS device now. The live PA OS version is 8.1.9-h4. So, I am downloading the below versions of PAN OS to flash it to the OSS unit. PA OS versions flashing in order 8.1.0 > 8.1.9 > 8.1.9-h4. I hope this is the PAN OS hierarchy I have to follow. Please correct me if I am wrong.
Thanks in advance
10-15-2019 08:35 AM
You don't need 8.1.9, just 8.1.0 & 8.1.9-h4
Just another I.T. Guy
10-15-2019 01:01 PM
@VincentPresogna wrote:
You don't need 8.1.9, just 8.1.0 & 8.1.9-h4
this is correct
04-16-2021 03:44 AM
I have the same question. No replies? I would like to load my production device state on my spare unit then have it offline waiting in case the primary fails. I know I would need to xfer license subscriptions at failure point etc.
When I try to commit imported device state it fails stating no valid threat license.
04-17-2021 10:49 PM
I am not sure on the below. I have never tried to import the device state to the OSS unit as I was afraid that having the same configuration on 2 devices might have some impact on the network. I don't have a test network as well, so I didn't tried. So, far I am just backing up all the device backups on a monthly basis. What I know is that during that a device failure, we will need the PA support assistance in transferring the current PA licenses to the OSS unit.
04-17-2021 10:57 PM
Did you give a try in downloading and import the Threat license from the palo alto customer portal? If not, just give a try.
Try the below methods to download the same.
1. login to customer support
2. Go to assets
3. Select devices
4. Download the Threat Prevention License
I think the OSS should also have all the latest dynamic updates as well.
04-17-2021 11:48 PM
You can't import the device state as this will require the same subscription licenses, and installed packages, as the production device
An OSS can be kept updated with
-PAN-OS upgrades
-App-ID updates
-imported config files from production device
Upon failure the device can go live immediately and fetch subscription updates as soon as the licences have been moved and retrieved
If your failed device is still up at the time of failure you could export and import a device state at that time, but 'historically' there is no advantage over importing device state versus configuration onto a standby device: device state contains session table and other runtime info that is useless for the purpose of updating an offline spare
10-29-2021 09:55 AM - edited 10-29-2021 09:56 AM
HI @dkordyban - I am currently in the same situation. Did you need to register your cold spare on the support portal incurring licensing costs or could you register the spare in the support portal and have it ready to be moved into production?
I have a cold spare that will import and load the config I exported from my prod PA3050, but it won't allow to commit changes as it's not registered.
It is on same PANOS version as well.
There's a section on the support site that allows one to "Register Spare", but I am still awaiting for support to respond with any associated costs to do that and have it get updates via it's Internet connected MGMT interface.
I am well aware of HA pair, and they might do that, but for now the client wants to have a viable spare to quickly switch to in event of emergency hardware failure to avoid RMA turn around time with supply chain issues we are facing.
Any input for having a spare ready to replace the Production appliance is welcome and very much appreciated!
10-31-2021 05:09 AM
Hi PatScott
We have 2 PA-5220 firewalls. One is fully licensed with AV,URL,Support. The other is setup as on site spare in assets.
Must go through support.paloaltonetworks.com to transfer licenses to spare in the case of primary hardware failure.
How to Transfer Licenses to a Spare Device - Knowledge Base - Palo Alto Networks
Periodically, as configuration changes and Pan-OS gets upgraded on primary unit those changes should be mirrored and config exported/imported.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
