RMA replacement


L1 Bithead

Hi All,

We will be doing an RMA replacement for a PA-3220. The faulty unit cannot be accessed anymore from the GUI or CLI, and it's managed from Panorama. We only have the backup configuration and not the device state. So, what should we do?

1) Do we replace the faulty unit with the new one, configure HA with the active unit and replace the S/N in the firewall? Is it possible for the active unit to sync the device state to the new spare unit?

Thanks.


L7 Applicator

Configuration backup has all local information needed, like mgmt interface IP, HA settings, etc., so you don't need device state.

After physical replacement, replace serial number in Panorama and commit from Panorama to firewall.

If firewalls show "out of sync" in HA dashboard then click "sync to peer" from surviving HA member (and not from RMA device).

Enterprise Architect, Security @ Cloud Carib Ltd
ACE, PCNSE, PCNSI

Alright. I understand. So we need to load the backup config first? After that, we do the physical replacement, serial number in Panorama and commit from Panorama to firewall. But when we try to load the backup into the RMA device, it has a commit error, and when we try to resolve it, it has another error.

Or

Is it possible if we change the management IP and configure HA with the active unit? And then, we change the serial number in Panorama and commit from Panorama to firewall.

L7 Applicator

What error do you get? Is it missing some settings that were pushed from Panorama?

If this is the case, then try the following:

Import backup config into RMA firewall.

Change RMA mgmt to use temporary unique IP.
Configure networking so that this temporary IP can reach Panorama.

Add new RMA fw serial into "Panorama > Managed Devices > Summary" as new firewall.

Add RMA fw to same template group and Device group as old firewall.

Push and commit to RMA fw from Panorama to merge imported backup with config settings pushed from Panorama.

 

If this works then you can remove old fw from device group and template group.

Change RMA mgmt IP to match old firewall.

Perform physical install.
Sync config from surviving fw to RMA fw on HA dashboard.

Enterprise Architect, Security @ Cloud Carib Ltd
ACE, PCNSE, PCNSI

L7 Applicator

Actually, a temporary unique IP is not needed, as I assume the old dead firewall is not connected to the network any more.

Enterprise Architect, Security @ Cloud Carib Ltd
ACE, PCNSE, PCNSI