Configuring an ON-SITE-SPARE


L2 Linker

Dear techs,

 

Can anyone give me some rough idea on how to configure a PA OSS unit?

 

I have a PA 3020 unit in live infra. Recently bought another 3020 unit. The idea is to replicate all the configurations and settings from live to the OSS unit and keep the same offline.

 

Any help is much appreciated.

 

Thanks in advance. 

18 REPLIES

Thanks, @dkordyban  - I finally found that link.  Really appreciate the reply.  I want to go ahead and register our spare PA3050 in the assets section of the support portal.  I just wasn't sure if I could register it as spare in assets and just leave it there in the spares pool waiting and ready to transfer the license in event of hardware failure with our production PA3050.

I'm assuming you connected your spare's MGMT interface in the same rack and sub-net as the Production 5220 so you can manage it there and have it ready to go?

 

That's my plan for now, but waiting for Palo Alto support to reply after nearly 7 days is getting old and I want to register the spare PA3050 as spare as soon as we can.

 

Thanks for any assist and any further insight.

 

Pat

 

Cyber Elite

Hi @dkordyban ,

 

If you remove the AV, AS, VP, and WF security profiles from your security rules, you will not get the error or warning.  The easiest way to do this is to use security profile groups in your security rules.  You can remove the profiles once without touching every rule.  Then you can easily add them back after you have transferred the license.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

L2 Linker

Yes, it happened. The primary PA FW crashed and we couldn't recover it. We had a huge network outage; it all happened with a faulty network switch which continuously sent topology change packets to the entire network, resulting in a network loop. At some point the FW was not responding, so we did a reboot after the backup. It never came back; the status lights were off except the power light. There was nothing from the console port either; no messages or boot information showed up.

 

Luckily we had the PA OSS device. This is what we did.

 

1. Raised a case with support at the highest priority
2. We powered on the OSS device and confirmed the PAN-OS version
3. There was a version difference between these 2 devices
4. Downloaded the base PAN-OS and the updates to match the version of the OSS unit to the live unit
5. With the help of the mgmt port, updated the OS of the OSS unit
6. Restored the latest backup to the OSS unit
7. We did receive some errors during the restoration; I believe those were some firewall security rules, which were easy to troubleshoot
8. The support guys came into the scenario
9. For some reason, the OSS unit was not showing in the device list. Maybe it wasn't added at the time of purchase
10. They added the unit with the SN # information
11. Downloaded the latest AV, URL, GP, Clientless VPN and other licenses from the portal and restored them to the OSS unit
12. Removed the existing license information of the faulty unit from the portal
13. Assigned the license to the OSS unit and renamed the unit to the production one
14. All services were restored
15. RMA was issued, but it took 2 weeks or so
16. The core team was unable to analyze the firewall as it had completely given up

 

The overall process might have taken 2-3 hours. As we were doing this for the first time during working hours, it was a difficult one. Having the support engineer at the right time saved us big time, or else we could have spent more hours figuring out how to transfer the licenses.

L1 Bithead

@sabi4evr - Can I ask what level of support you had? 2 weeks seems like a long time. Our support contract is indicated as 4 hour premium support. Sorry for your troubles and glad it finally worked out for you.

 
