12-19-2022 01:14 AM
Hi All,
We will be doing an RMA replacement for a PA-3220. The faulty unit cannot be accessed anymore from the GUI or CLI, and it's managed from Panorama. We only have the backup configuration and not the device state. So, what should we do?
1) Do we replace the faulty unit with the new one, configure HA with the active unit and replace the S/N in the firewall? Is it possible for the active unit to sync the device state to the new spare unit?
Thanks.
12-19-2022 06:39 AM
The configuration backup has all the local information needed (mgmt interface IP, HA settings, etc.), so you don't need the device state.
After the physical replacement, replace the serial number in Panorama and commit from Panorama to the firewall.
If the firewalls show "out of sync" in the HA dashboard, then click "sync to peer" from the surviving HA member (and not from the RMA device).
12-19-2022 09:27 AM
Alright, I understand. So we need to load the backup config first? After that, we do the physical replacement, change the serial number in Panorama and commit from Panorama to the firewall. But when we try to load the backup into the RMA device, it has a commit error, and when we try to resolve it, it has another error.
or
Is it possible to change the management IP and configure HA with the active unit, and then change the serial number in Panorama and commit from Panorama to the firewall?
12-19-2022 09:36 AM
What error do you get? Is it missing some settings that were pushed from Panorama?
If this is the case, then try the following:
Import backup config into RMA firewall.
Change RMA mgmt to use temporary unique IP.
Configure networking so that this temporary IP can reach Panorama.
Add new RMA fw serial into "Panorama > Managed Devices > Summary" as new firewall.
Add RMA fw to same template group and Device group as old firewall.
Push and commit to the RMA fw from Panorama to merge the imported backup with the config settings pushed from Panorama.
If this works then you can remove old fw from device group and template group.
Change RMA mgmt IP to match old firewall.
Perform physical install.
Sync config from surviving fw to RMA fw on HA dashboard.
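As an added worked example (not from the original thread and not Palo Alto Networks' own documentation), here is the procedure above expressed as PAN-OS and Panorama CLI sessions. All IP addresses (192.0.2.x), the backup file name, both serial numbers and the host names are placeholders; the temporary management IP step is only needed if the dead unit is still on the network. The Panorama-server setting is written in the PAN-OS 10.x form and is assumed (older releases use "set deviceconfig system panorama-server <ip>"); confirm each command with "?" completion on your release before running it.

```text
### On the RMA firewall (console, or its temporary mgmt IP) -- placeholders throughout

# 1. Import the saved backup and load it as the candidate config
admin@PA-3220> scp import configuration from backup-user@192.0.2.50:/backups/fw01-backup.xml
admin@PA-3220> configure
admin@PA-3220# load config from fw01-backup.xml

# 2. Mgmt IP (temporary 192.0.2.11 only if the old unit is still reachable; otherwise the old IP)
#    and the Panorama server. Syntax below is the assumed PAN-OS 10.x form.
admin@PA-3220# set deviceconfig system ip-address 192.0.2.11 netmask 255.255.255.0 default-gateway 192.0.2.1
admin@PA-3220# set deviceconfig system panorama local-panorama panorama-server 192.0.2.100
admin@PA-3220# commit
admin@PA-3220# exit

# 3. PAN-OS 10.1.3 and later: paste the device registration auth key generated on Panorama
admin@PA-3220> request authkey set <key-copied-from-panorama>

# 4. Confirm the Panorama connection; if it stays "not connected", watch the management-server log
admin@PA-3220> show panorama-status
admin@PA-3220> tail follow yes mp-log ms.log

### On Panorama

# 5. Swap the dead unit's serial for the RMA unit's serial; device-group and template membership
#    follow the new serial, so there is nothing to re-add by hand
admin@Panorama> replace device old 0123456789AB new 0123456789CD
admin@Panorama> configure
admin@Panorama# commit
admin@Panorama# exit
# Then Commit > Push to Devices in the GUI for the firewall's device group and template stack;
# tick "Force Template Values" if leftover local settings from the backup conflict with the template.

### After the physical install, on the SURVIVING (active) HA peer only

# 6. Check HA state, then push the running config to the RMA peer. Never run the sync from the RMA
#    unit: that direction would overwrite the good config with the RMA unit's partial one.
admin@fw01-active> show high-availability state
admin@fw01-active> request high-availability sync-to-remote running-config
```

Check "show system info | match serial" on the RMA unit before step 5 so the serial you type into "replace device" matches the chassis exactly; a mismatch leaves the firewall registered under a serial that never connects.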
12-19-2022 09:37 AM - edited 12-19-2022 09:38 AM
Actually temporary unique IP is not needed as I assume old dead firewall is not connected to network any more.
12-19-2022 11:09 AM
Yeah, the old firewall is not connected to the network. So, we just replace the old serial number with the new serial number?
12-19-2022 11:11 AM
In this case, yes; as a simple step, try to replace the serial number and commit from Panorama to the RMA fw.
12-19-2022 11:34 AM
Alright, thank you. We managed to change the S/N to the new one, but it seems like the RMA device in Panorama is disconnected.
12-19-2022 11:43 AM
Does the RMA firewall have the Panorama configuration under Device > Setup > Management > Panorama Settings?
What do the ms logs show on the RMA firewall?
less mp-log ms.log
Or view new logs as they appear
tail follow yes mp-log ms.log
12-19-2022 02:06 PM
Hello @Momoj
In addition to going through the logs mentioned by Raido, if you are running PAN-OS 10.1.3 or higher, you will have to import an authentication key into the firewall to allow communication with Panorama: https://docs.paloaltonetworks.com/panorama/10-1/panorama-admin/manage-firewalls/add-a-firewall-as-a-...
Kind Regards
Pavel
12-20-2022 05:49 PM
Hi all,
Sorry for my late reply, and thanks for all the help. It seems like we managed to connect the RMA firewall to Panorama. But when we try to push the config from Panorama to the firewall, it still has some errors, the same as when we tried to load the backup config directly on the firewall.
12-20-2022 07:41 PM
What error do you get?
Does checking "Force Template Values" when committing from Panorama to RMA fix the issue?
12-22-2022 07:08 AM
Just noticed this post - we are going through a similar ordeal and wondering if you have completed the restore process.
This is our experience/problems so far:
thanks.
12-22-2022 05:59 PM
Yes, we are able to push the config by checking "Force Template Values". Somehow, there is a configuration error in the template that causes the GUI of the RMA unit to be inaccessible. We have already logged a ticket to RMA for this issue.
Thanks all for your help.