Panorama: migrating between a failed and replacement device


L2 Linker

Hi all,

I am running Panorama with two PA-5020s which belong to one device group. The policy for this group applies to both or either of the firewalls, depending on zones (basically, this is a non-HA pair on two Internet links). One of the 5020s has gone into castors-up mode and is being RMA'd; a replacement is due tomorrow.

As Panorama seems to refer to devices by serial number, and policy targets are devices by serial number, I would not have thought that connecting Panorama to a replacement device (same name, same IP as previous but different serial number) and importing it would work terribly well. Wouldn't I have to manually add the replacement to every rule where the original was used?

Is it worth exporting the Panorama XML, searching and replacing old serial for new in a text editor, then importing and loading the edited XML file back into Panorama? Or are there pitfalls to this?

3 REPLIES

L4 Transporter

Export, search and replace, and reimport will fix many of your problems.

Another option is to use the new 5.1 feature for quick RMAs. The release notes/Panorama admin guide talk about using the replace command, scp export device-state ..., and then import of the file on the new FW.

Thanks, I'll report back on how it went.

I'm still on 4.1.12 as we go into change lockdown for a month, might have a sniff around 5 later this year.

OK, all done.

As it turned out, search and replace was ideal and caused no problems. Getting the replacement 5020 on-line took rather longer, with the bonus of me forgetting to download updated UTM components and getting commit failures from Panorama, but once I realised why it was borking it didn't take long to go live.

Steps:

1/ Power up, upload back-up xml base config (stored in a repository - always export a base xml as changes are made, because if the box itself dies... obvious really).

2/ Download and install PANOS version required; at least the management port must have routable Internet access.

3/ Download and install licences and updates to any subscribed components (UTM, in our case). I'm assuming that the licensing details on the Palo support site have been updated with the new serial number previously.

4/ Export the Panorama config, search and replace old serial number for new in a text editor, import the edited version and commit.

5/ Commit policy to the replacement box.
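
Step 4 above as a checked script instead of a text-editor search and replace, listing every place the serial changed so the edit can be reviewed before import. This is an added example, not part of the original thread: the XML is a constructed, simplified stand-in for a Panorama export, and the serial numbers, `swap_serial` and `_walk` are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Constructed, simplified Panorama-style export; serials and names are made up.
SAMPLE = """<config>
  <mgt-config><devices>
    <entry name="001606000111"/><entry name="001606000222"/>
  </devices></mgt-config>
  <device-group><entry name="internet-edge">
    <devices><entry name="001606000111"/><entry name="001606000222"/></devices>
    <rules><entry name="link-b-out">
      <target><devices><entry name="001606000222"/></devices></target>
    </entry></rules>
  </entry></device-group>
</config>"""

def swap_serial(xml_text, old, new):
    """Return (edited_xml, changed_paths); raise ValueError if the edit is unsafe."""
    if new in xml_text:
        raise ValueError("new serial already present in the config")
    # Replace the serial only as a whole token, never inside a longer string.
    token = re.compile(r"(?<![0-9A-Za-z])" + re.escape(old) + r"(?![0-9A-Za-z])")
    edited = token.sub(new, xml_text)
    if old in edited:
        raise ValueError("old serial also occurs inside a longer value; review by hand")
    changed = []
    _walk(ET.fromstring(xml_text), ET.fromstring(edited), "", old, new, changed)
    if not changed:
        raise ValueError("old serial not found")
    return edited, changed

def _walk(a, b, path, old, new, changed):
    """Compare both trees in step; the only difference allowed is old -> new."""
    name = a.get("name")
    here = f"{path}/{a.tag}" + (f"[{name}]" if name else "")
    if a.tag != b.tag or len(a) != len(b) or a.attrib.keys() != b.attrib.keys():
        raise ValueError(f"structure changed at {here}")
    values = [(f"@{k}", v, b.attrib[k]) for k, v in a.attrib.items()]
    values.append(("text", a.text or "", b.text or ""))
    for label, before, after in values:
        if before != after:
            if before.replace(old, new) != after:
                raise ValueError(f"unexpected change at {here}")
            changed.append(f"{here}[{label}]")
    for child_a, child_b in zip(a, b):
        _walk(child_a, child_b, here, old, new, changed)

if __name__ == "__main__":
    edited, changed = swap_serial(SAMPLE, "001606000222", "001606000333")
    print("\n".join(changed))
```

The list of changed paths shows the managed-device entry, the device-group membership and each rule target that now point at the replacement serial.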
