07-22-2013 07:11 AM
Hi all,
I am running Panorama with two PA-5020s which belong to one device group. The policy for this group applies to both or either firewalls, depending on zones (basically, this is a non-HA pair on two Internet links). One of the 5020s has gone into castors-up mode and is being RMA'd; a replacement is due tomorrow.
As Panorama seems to refer to devices by serial number, and policy targets are devices by serial number, I would not have thought that connecting Panorama to a replacement device (same name, same IP as previous but different serial number) and importing it would work terribly well. Wouldn't I have to manually add the replacement to every rule where the original was used?
Is it worth exporting the Panorama xml, search and replacing old serial for new in a text editor, then importing and loading the edited xml file back into Panorama? Or are there pitfalls to this?
07-22-2013 10:43 AM
Export, search and replace, and reimport will fix many of your problems.
Another option is to use the new 5.1 feature for quick RMAs. The release notes/Panorama admin guide talks about using the replace command, scp export device-state ..., and then import of the file on the new FW.
07-22-2013 01:31 PM
Thanks, I'll report back on how it went.
I'm still on 4.1.12 as we go into change lockdown for a month, might have a sniff around 5 later this year.
07-23-2013 09:58 AM
OK, all done.
As it turned out, search and replace was ideal and caused no problems. Getting the replacement 5020 on-line took rather longer, with the bonus of me forgetting to download updated UTM components and getting commit failures from Panorama, but once I realised why it was borking it didn't take long to go live.
Steps:
1/ Power up, upload back-up xml base config (stored in a repository - always export a base xml as changes are made, because if the box itself dies... obvious really).
2/ Download and install PANOS version required; at least the management port must have routable Internet access.
3/ Download and install licences and updates to any subscribed components (UTM, in our case). I'm assuming that the licencing details on the Palo support site have been updated with the new serial number previously.
4/ Export the Panorama config, search and replace old serial number for new in a text editor, import the edited version and commit.
5/ Commit policy to the replacement box.
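Step 4 above does the serial swap in a text editor. The following is an added example, not code from the thread or from Palo Alto Networks, that does the same swap by parsing the exported XML and replacing only exact-match element text and attribute values, then counting the replacements so you can check the number against the rules and device entries you expect. It assumes only that the export is well-formed XML in which the serial appears as a complete value; the element and attribute names in the embedded sample are constructed for illustration and are not Panorama's real schema.

```python
"""Replace a firewall serial number throughout an exported Panorama XML config.

Added example, not from the original thread. Assumes only that the export is
well-formed XML in which the device serial appears as the full text of an
element or as a full attribute value. Tag and attribute names in SAMPLE_XML
are constructed for illustration, not Panorama's real schema.
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample standing in for a Panorama export (tag names are made up).
# Note the description that merely *contains* the old serial as a substring:
# a text-editor search-and-replace would corrupt it.
SAMPLE_XML = b"""<?xml version="1.0"?>
<config>
  <devices>
    <entry name="001122334455"><hostname>fw-a</hostname></entry>
    <entry name="009988776655"><hostname>fw-b</hostname></entry>
  </devices>
  <rules>
    <rule name="allow-web"><target><device>001122334455</device><device>009988776655</device></target></rule>
    <rule name="allow-dns"><target><device>001122334455</device></target></rule>
    <rule name="note"><description>ticket 0011223344556 unrelated</description></rule>
  </rules>
</config>
"""


def replace_serial(root, old_serial, new_serial):
    """Replace exact-match occurrences of old_serial in element text and in
    attribute values. Returns the number of replacements made."""
    count = 0
    for elem in root.iter():
        if elem.text is not None and elem.text.strip() == old_serial:
            elem.text = new_serial
            count += 1
        for key, value in elem.attrib.items():
            if value == old_serial:
                elem.attrib[key] = new_serial
                count += 1
    return count


def rewrite_config(xml_bytes, old_serial, new_serial, expected_min=1):
    """Parse, replace, and return (edited_xml_bytes, replacement_count).

    Raises ValueError when fewer than expected_min replacements were made,
    which almost always means the wrong old serial was supplied; stopping is
    better than importing an unchanged config and wondering why the new
    firewall receives no policy."""
    if old_serial == new_serial:
        raise ValueError("old and new serial are identical")
    root = ET.fromstring(xml_bytes)
    count = replace_serial(root, old_serial, new_serial)
    if count < expected_min:
        raise ValueError(f"serial {old_serial!r} found {count} time(s), expected at least {expected_min}")
    return ET.tostring(root, encoding="utf-8", xml_declaration=True), count


def main(argv):
    """CLI: python replace_serial.py panorama.xml OLD_SERIAL NEW_SERIAL > edited.xml"""
    if len(argv) != 4:
        print(f"usage: {argv[0]} panorama.xml OLD_SERIAL NEW_SERIAL > edited.xml", file=sys.stderr)
        return 2
    with open(argv[1], "rb") as fh:
        data = fh.read()
    out, count = rewrite_config(data, argv[2], argv[3])
    sys.stdout.buffer.write(out)
    # Substring hits that survive are values merely containing the serial;
    # list the count so they can be reviewed by hand rather than blindly edited.
    leftover = out.count(argv[2].encode())
    print(f"replaced {count} exact occurrence(s); old serial still present as a substring "
          f"in {leftover} place(s)", file=sys.stderr)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Two caveats before loading the result into Panorama: ElementTree drops XML comments and may rewrite namespace prefixes, so diff the edited file against the original and confirm the only changes are the serial values; and check that the reported replacement count matches the number of device entries plus rule targets you expected to touch.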