RMA replacement


L2 Linker

Hi All,

We will be doing an RMA replacement for a PA-3220. The faulty unit cannot be accessed anymore from the GUI or CLI, and it is managed from Panorama. We only have the backup configuration, not the device state. So, what should we do?

1) Do we replace the faulty unit with the new one, configure HA with the active unit, and replace the S/N in the firewall? Is it possible for the active unit to sync the device state to the new spare unit?

Thanks.


Cyber Elite

The configuration backup has all the local information needed, like the mgmt interface IP, HA settings, etc., so you don't need the device state.

After the physical replacement, replace the serial number in Panorama and commit from Panorama to the firewall.

If the firewalls show "out of sync" in the HA dashboard, then click "sync to peer" from the surviving HA member (and not from the RMA device).

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Alright, I understand. So we need to load the backup config first? After that, we do the physical replacement, change the serial number in Panorama, and commit from Panorama to the firewall. But when we try to load the backup into the RMA device, it has a commit error, and when we try to resolve it, it gives another error.

Or, is it possible to change the management IP and configure HA with the active unit, and then change the serial number in Panorama and commit from Panorama to the firewall?

Cyber Elite

What error do you get? Is it missing some settings that were pushed from Panorama?

If this is the case, then try the following:

Import backup config into RMA firewall.

Change RMA mgmt to use temporary unique IP.
Configure networking so that this temporary IP can reach Panorama.

Add new RMA fw serial into "Panorama > Managed Devices > Summary" as new firewall.

Add RMA fw to same template group and Device group as old firewall.

Push and commit to the RMA fw from Panorama to merge the imported backup with the config settings pushed from Panorama.

If this works, then you can remove the old fw from the device group and template group.

Change RMA mgmt IP to match old firewall.

Perform physical install.
Sync config from surviving fw to RMA fw on HA dashboard.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011
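The serial swap and "is the RMA unit actually connected" check from the steps above can be driven over the Panorama XML API instead of the GUI. The following is an added example, not code from this thread or from Palo Alto Networks: PANORAMA, API_KEY, OLD_SERIAL, NEW_SERIAL and PEER_SERIAL are placeholders, the two SAMPLE_*_XML strings are constructed "show devices all" responses rather than captured output, and the XML form of the op command is assumed from the Panorama CLI syntax "replace device old <sn> new <sn>" (confirm it with "debug cli on" on your own Panorama before relying on it).

```python
# Added example (not from the thread or from Palo Alto Networks): build the
# Panorama XML API calls for the RMA serial swap and verify the result.
# PANORAMA, API_KEY and the serials are placeholders; SAMPLE_*_XML are
# constructed responses, not output captured from a real Panorama.
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

PANORAMA = "panorama.example.net"   # placeholder hostname
API_KEY = "REPLACE-WITH-API-KEY"    # placeholder; generate with type=keygen
OLD_SERIAL = "001122334455"         # constructed: the dead PA-3220
NEW_SERIAL = "998877665544"         # constructed: the RMA unit
PEER_SERIAL = "112233445566"        # constructed: the surviving HA peer


def replace_device_cmd(old_serial: str, new_serial: str) -> str:
    """XML op command assumed to mirror the Panorama CLI
    'replace device old <sn> new <sn>'. Confirm the exact XML with
    'debug cli on' on your own Panorama before relying on it."""
    root = ET.Element("replace")
    dev = ET.SubElement(root, "device")
    ET.SubElement(dev, "old").text = old_serial
    ET.SubElement(dev, "new").text = new_serial
    return ET.tostring(root, encoding="unicode")


# 'show devices all' lists every managed device with its connected state,
# unlike 'show devices connected', which omits the disconnected ones.
SHOW_DEVICES_ALL_CMD = "<show><devices><all/></devices></show>"


def op_request(host: str, cmd: str, api_key: str) -> urllib.request.Request:
    """Operational-command request. The key goes in the X-PAN-KEY header
    rather than the query string so it does not end up in proxy/web logs."""
    url = f"https://{host}/api/?" + urlencode({"type": "op", "cmd": cmd})
    return urllib.request.Request(url, headers={"X-PAN-KEY": api_key})


def connected_devices(xml_text: str) -> dict:
    """Parse a 'show devices all' response into {serial: is_connected}."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise RuntimeError("Panorama returned status=%r" % root.get("status"))
    devices = {}
    for entry in root.findall("./result/devices/entry"):
        serial = entry.get("name") or entry.findtext("serial", default="")
        devices[serial] = entry.findtext("connected", default="no") == "yes"
    return devices


def rma_swap_complete(xml_text: str, old_serial: str, new_serial: str) -> bool:
    """True only when the RMA serial is present AND connected and the old
    serial is gone. Present-but-disconnected is the state to catch before
    moving on to the HA 'sync to peer' step."""
    devices = connected_devices(xml_text)
    return devices.get(new_serial, False) and old_serial not in devices


# Constructed sample: swap done, RMA unit and HA peer both connected.
SAMPLE_OK_XML = f"""<response status="success"><result><devices>
  <entry name="{PEER_SERIAL}"><serial>{PEER_SERIAL}</serial><connected>yes</connected><hostname>fw-a</hostname></entry>
  <entry name="{NEW_SERIAL}"><serial>{NEW_SERIAL}</serial><connected>yes</connected><hostname>fw-b</hostname></entry>
</devices></result></response>"""

# Constructed sample: serial replaced in Panorama, but the RMA unit has not
# connected (e.g. Panorama server address or auth key missing on the firewall).
SAMPLE_DISCONNECTED_XML = f"""<response status="success"><result><devices>
  <entry name="{PEER_SERIAL}"><serial>{PEER_SERIAL}</serial><connected>yes</connected><hostname>fw-a</hostname></entry>
  <entry name="{NEW_SERIAL}"><serial>{NEW_SERIAL}</serial><connected>no</connected><hostname>fw-b</hostname></entry>
</devices></result></response>"""


def main() -> None:
    """Live run against a real Panorama (not executed on import)."""
    swap = op_request(PANORAMA, replace_device_cmd(OLD_SERIAL, NEW_SERIAL), API_KEY)
    urllib.request.urlopen(swap).read()
    with urllib.request.urlopen(op_request(PANORAMA, SHOW_DEVICES_ALL_CMD, API_KEY)) as resp:
        body = resp.read().decode()
    print("RMA unit connected and old serial gone:",
          rma_swap_complete(body, OLD_SERIAL, NEW_SERIAL))


if __name__ == "__main__":
    main()
```

A replaced serial only tells Panorama which device to expect; the RMA firewall still has to reach Panorama on its own (Panorama server address under Device > Setup > Management, plus the authentication key on newer PAN-OS), so a "no" in the connected column is the cue to check the firewall side before pushing templates or syncing HA.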

Cyber Elite

Actually, a temporary unique IP is not needed, as I assume the old dead firewall is not connected to the network any more.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Yeah, the old firewall is not connected to the network. So we just replace the old serial number with the new serial number?

Cyber Elite

In this case, yes. As a simple step, try to replace the serial number and commit from Panorama to the RMA fw.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Alright, thank you. We managed to change the S/N to the new one, but it seems like the RMA device in Panorama is disconnected.

Cyber Elite

Does the RMA firewall have the Panorama configuration under Device > Setup > Management > Panorama Settings?

What do the ms logs show on the RMA firewall?

less mp-log ms.log

Or view new logs as they appear

tail follow yes mp-log ms.log

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Cyber Elite

Hello @Momoj

In addition to going through the logs mentioned by Raido, if you are running PAN-OS 10.1.3 or higher, you will have to import an authentication key to the firewall to allow communication with Panorama: https://docs.paloaltonetworks.com/panorama/10-1/panorama-admin/manage-firewalls/add-a-firewall-as-a-...

Kind Regards

Pavel

Help the community: Like helpful comments and mark solutions.

Hi all,

Sorry for my late reply, and thanks for all the help. It seems we managed to connect from the RMA firewall to Panorama. But when we try to push the config from Panorama to the firewall, it still has some errors, the same as when we tried to load the backup config directly on the firewall.

Cyber Elite

What error do you get?

Does checking "Force Template Values" when committing from Panorama to RMA fix the issue?

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

L2 Linker

Just noticed this post. We are going through a similar ordeal and wondering if you have completed the restore process.

This is our experience/problems so far:

https://live.paloaltonetworks.com/t5/general-topics/problems-after-rma-of-an-active-passive-pair/td-...

Thanks.

Yes, we are able to push the config by checking Force Template Values. For some reason, there is a configuration error in the template that causes the GUI of the RMA unit to be inaccessible. We have already logged a ticket with RMA for this issue.

Thanks all for your help.
