We will be doing an RMA replacement for a PA-3220. The faulty unit cannot be accessed anymore from the GUI or CLI, and it is managed from Panorama. We only have the backup configuration and not the device state. So, what should we do?
1) Do we replace the faulty unit with the new one, configure HA with the active unit and replace the S/N in the firewall? Is it possible for the active unit to sync the device state to the new spare unit?
The configuration backup has all the local information needed, like the mgmt interface IP, HA settings, etc., so you don't need the device state.
After the physical replacement, replace the serial number in Panorama and commit from Panorama to the firewall.
If the firewalls show "out of sync" in the HA dashboard, click "sync to peer" from the surviving HA member (and not from the RMA device).
Alright, I understand. So we need to load the backup config first? After that, we do the physical replacement, change the serial number in Panorama and commit from Panorama to the firewall. But when we try to load the backup into the RMA device, it gives a commit error, and when we try to resolve it, it gives another error.
Is it possible if we change the management IP and configure HA with the active unit? And then we change the serial number in Panorama and commit from Panorama to the firewall.
What error do you get? Is it missing some settings that were pushed from Panorama?
If this is the case, then try the following:
Import the backup config into the RMA firewall.
Change the RMA mgmt interface to use a temporary unique IP.
Configure networking so that this temporary IP can reach Panorama.
Add the new RMA fw serial into "Panorama > Managed Devices > Summary" as a new firewall.
Add the RMA fw to the same template group and device group as the old firewall.
Push and commit to the RMA fw from Panorama to merge the imported backup with the config settings pushed from Panorama.
If this works, then you can remove the old fw from the device group and template group.
Change the RMA mgmt IP to match the old firewall.
Perform the physical install.
Sync the config from the surviving fw to the RMA fw on the HA dashboard.
Does the RMA firewall have the Panorama configuration under Device > Setup > Management > Panorama Settings?
What do the ms logs show on the RMA firewall?
less mp-log ms.log
Or, to view new logs as they appear:
tail follow yes mp-log ms.log
In addition to going through the logs mentioned by Raido, if you are running PAN-OS 10.1.3 or higher, you will have to import an authentication key into the firewall to allow communication with Panorama: https://docs.paloaltonetworks.com/panorama/10-1/panorama-admin/manage-firewalls/add-a-firewall-as-a-...
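Raido's steps above, plus the 10.1.3+ authentication key note, written out as an added PAN-OS CLI walkthrough. This is not from the thread or from Palo Alto Networks: the hostnames, IP addresses, SCP host, backup filename and auth-key value are placeholders, and the commands are the CLI equivalents of the web UI actions (import and load a config, set the management IP, set the Panorama auth key, check Panorama connectivity, follow ms.log, and sync HA from the surviving member). Panorama's own term for what the steps call the "template group" is the template stack.

```text
# --- On the RMA firewall (console or SSH on its factory mgmt IP) ---
# Steps 1-3: import the backup, load it into the candidate config, and give
# the RMA unit a temporary unique mgmt IP (192.0.2.99 is a placeholder) that
# can reach Panorama. The old IP stays with the failed serial in Panorama
# until the RMA unit has been registered.
admin@PA-3220> scp import configuration from backup@192.0.2.50:/backups/fw01-running-config.xml
admin@PA-3220> configure
admin@PA-3220# load config from fw01-running-config.xml
admin@PA-3220# set deviceconfig system ip-address 192.0.2.99 netmask 255.255.255.0 default-gateway 192.0.2.1
admin@PA-3220# commit
admin@PA-3220# exit

# Step 4 (Panorama web UI): add the RMA serial under
# Panorama > Managed Devices > Summary as a new device. On 10.1.3+ also
# generate a device registration auth key there. The serial to add is:
admin@PA-3220> show system info | match serial

# PAN-OS 10.1.3+: install the key generated on Panorama (placeholder value)
admin@PA-3220> request authkey set <key-generated-on-panorama>

# Steps 5-6 (Panorama web UI): add the RMA fw to the same template stack and
# device group as the old unit, then push and commit to it. Meanwhile,
# confirm the Panorama connection from the firewall and watch ms.log:
admin@PA-3220> show panorama-status
admin@PA-3220> tail follow yes mp-log ms.log

# Steps 7-9: remove the old serial from the device group and template stack
# in Panorama, then put the original mgmt IP back and rack the unit.
admin@PA-3220> configure
admin@PA-3220# set deviceconfig system ip-address 192.0.2.10 netmask 255.255.255.0 default-gateway 192.0.2.1
admin@PA-3220# commit
admin@PA-3220# exit

# --- Step 10: on the SURVIVING HA member, never on the RMA unit ---
# Check the sync state, then push the running config to the peer.
admin@PA-3220-A> show high-availability state
admin@PA-3220-A> request high-availability sync-to-remote running-config
```

If the local commit right after "load config from" fails on objects that were only ever pushed from Panorama (the situation the thread describes), the part that actually matters at that point is a committed management IP that can reach Panorama; one option, my suggestion rather than Raido's, is to commit only the mgmt IP change before loading the backup, register the unit in Panorama, and let the Panorama push supply the missing objects. The last two commands are run on the surviving peer on purpose: syncing in the other direction would overwrite the good running config with the RMA unit's partial one.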
Just noticed this post. We are going through a similar ordeal and are wondering if you have completed the restore process.
This is our experience/problems so far: