SD-WAN Activation & Onboarding
  • SD-WAN Activation & Onboarding
  • SD-WAN Documentation
  • All Documentation
>
Replace an SD-WAN Device
Focus
Download PDF
Focus
  1. Home
  2. SD-WAN
  3. Replace an SD-WAN Device
Download PDF
SD-WAN

Replace an SD-WAN Device

Table of Contents

Replace an SD-WAN Device

Let us learn how to replace an SD-WAN device in an RMA process.
Where Can I Use This?What Do I Need?
  • NGFW
The return merchandise authentication (RMA) process enables you to replace either failed or malfunctioning SD-WAN devices with new or reused functional SD-WAN devices at a branch or a data center site. An SD-WAN device can fail or malfunction for a number of reasons, such as a device chip failure, device misconfiguration, or from daily wear and tear. If the SD-WAN device is unusable due to a malfunction or overall failure, use the RMA process to replace the failed or malfunctioning device.
A commit failure occurs on Panorama™ and managed devices if you try to replace an SD-WAN firewall from an existing deployment without following a proper RMA process.
Before you begin the RMA process:
  • Review before starting RMA firewall replacement.
  • The SD-WAN generates configurations, such as IPSec gateways and keyIDs, based on the device serial number. Hence, you must update the serial number of the replacement firewall for SD-WAN to recognize the new firewall and to avoid commit failures. Find whether your SD-WAN configuration has IPSec or VPN object references to the old firewall:
    • To replace a branch firewall in a high availability (HA) deployment, login to the hub firewall and select NetworkNetwork ProfilesIKE Gateways. Search for the serial number (without white spaces) of the old firewall. If you get one or more search results, it indicates that the SD-WAN is referencing the old firewall serial number in the gateway configuration. In this case, we recommend you to disconnect the old branch firewall from Panorama and HA deployment.
    • To replace a firewall in a full mesh deployment without hubs, search for the old firewall serial numbers on any of the branch firewalls. If you get one or more search results, it indicates that the SD-WAN is referencing the old firewall serial number in the gateway configuration. In this case, we recommend you to disconnect the old branch firewall from Panorama and mesh deployment.
    • To replace a standalone firewall, it is not necessary to search for the serial number.
Use the following workflow to restore the configuration on a managed firewall when there is an RMA.
  1. Select PanoramaSD-WANVPN Clusters and delete the old firewall.
  2. Select PanoramaSD-WANDevices and delete the old firewall.
  3. Commit the changes to Panorama.
  4. (HA deployments only) Push the changes to all hubs and the other HA peers (except the old firewall that needs to be replaced). Before proceeding, ensure that the commit succeeds on both hubs and standalone firewalls. If the search for the old firewall serial number does not return any gateway configurations, you can skip this step.
  5. Configure an RMA replacement firewall.
  6. (HA deployments only) Establish a HA connection between the replacement firewall and the standalone firewall. A firewall with a lower numerical value, and therefore a higher priority, is designated as active. To avoid your replacement firewall taking over as an active HA peer, ensure that it isn’t assigned with a higher device priority.
  7. Select PanoramaSD-WANDevices and add the new branch firewall.
  8. Select PanoramaSD-WANVPN Clusters and add the new branch firewall.
  9. Commit the changes to Panorama.
  10. Select CommitPush to Devices and push the entire Panorama managed configuration to the hubs and both HA peers at the branch.
    When you Push to Devices, Panorama attempts to push the changes to all the devices in the cluster for both HA and hub-and-spoke deployments. To avoid pushing the changes to all devices, select Edit Selections in the Push Scope and disable all other devices in Device Groups devices and Templates.
    • In hub-and-spoke deployments, select the hub firewalls and HA template stack of the branch system to which you intend to push the configuration. As a result, sites that aren’t selected could become out of sync.
    • In full mesh deployments, it’s mandatory to push the changes to all devices in the cluster.

Technical Documentation

Company

Legal Notices

© 2025 Palo Alto Networks, Inc. All rights reserved.