Replace a device (s/n) in Panorama Policy with an RMA s/n

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Replace a device (s/n) in Panorama Policy with an RMA s/n

L3 Networker

Hello -

Wondering if anyone has come across this issue.  We recently had to RMA one of our firewalls and we have a fairly extensive / complicated policy set in Panorama which consists of the following:

Shared Pre Rules targeted to specific firewalls

     Device Group Pre rules targeted to specific firewalls

     Device Group Post rules targeted to specific firewalls

Shared Post Rules targeted to specific firewalls

This being said, it presented a major headache in doing the RMA because the firewall that was removed and consequently replaced had to be manually removed from the rules - one by one - and then the new one added in the same process.  This RMA took approximately 3 hours to complete which seems really excessive.


So, I am wondering if anyone has come up with a way via CLI or other to handle this replacement in an "automated" fashion?  It behooves me that PA doesn't have native support for this type of thing.


Thanks!!

3 REPLIES 3

Palo Alto Networks Guru

There is a CLI command in Panorama called: "replace" that will achieve your goal.  This was introduced in Panorama 5.1.

Syntax:

replace device old <value> new <value>

I am surprised that the TAC Engineer that we were working with did not inform us of this...I even asked specifically.

I'm surprised too.  The procedure for RMA replacement is long and reasonably complicated.  But it is very well documented.  See pages 176 and following in the Panorama admin guide.  I've had to do this a few times over the years.

Panorama Administrator's Guide 6.0 (English)

The replace portion is specifically on page 179.

Tasks on the Panorama CLI

You cannot perform these tasks on the Panorama web interface.

Step 6

Replace the serial number of the old device with that of the new replacement device on Panorama.

By replacing the serial number on Panorama you allow the new device to connect to Panorama after you restore the configuration on the device.

1. Enter the following command in operational mode: replace device old <old SN#> new <new

SN#>

2. Go in to configuration mode and commit your changes.

configure

commit

3. Exit configuration mode. exit

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
  • 9327 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!