Before Starting RMA Firewall Replacement

  • If the firewall belongs to an SD-WAN cluster, you must follow the workflow to replace an SD-WAN device when there is an RMA.
  • The firewall you will replace must have PAN-OS 5.0.4 or a later version. Panorama cannot generate the device state for firewalls running older PAN-OS versions.
  • Record the following details about the firewall you will replace:
    • Serial number—You must enter the serial number on the Palo Alto Networks Customer Support website to transfer the licenses from the old firewall to the replacement firewall. You will also enter it on Panorama, which replaces every reference to the old serial number with the serial number of the replacement firewall.
    • (Recommended) PAN-OS version and the content database version—Installing the same software and content database versions, including the URL database vendor, enables you to create the same state on the replacement firewall. If you decide to install the latest version of the content database, you might notice differences because of updates and additions to the database. To determine the versions installed on the firewall, access the firewall System logs stored on Panorama.
  • Prepare the replacement firewall for deployment. Before you import the device state bundle and restore the configuration, you must:
    • Verify that the replacement firewall is the same model as the old firewall and has the same operational capabilities. Consider the following: must the replacement firewall have multiple virtual systems, support jumbo frames, or operate in CC or FIPS mode?
    • Configure network access, transfer the licenses, and install the appropriate PAN-OS and content database versions.
  • You must use the Panorama CLI to complete this firewall replacement process, and therefore your administrator account must have the superuser or panorama-admin user role.
  • If you have an LSVPN configuration, and are replacing a Palo Alto Networks firewall deployed as a satellite or as an LSVPN portal, the dynamic configuration information that is required to restore LSVPN connectivity will not be available when you restore the partial device state generated on Panorama. If you followed the recommendation to frequently generate and export the device state for firewalls in an LSVPN configuration, use the device state that you previously exported from the firewall itself instead of generating one on Panorama.
    If you have not manually exported the device state from the firewall, and need to generate a partial device state on Panorama, the missing dynamic configuration impacts the firewall replacement process as follows:
    • If the firewall you are replacing is a GlobalProtect portal that is explicitly configured with the serial numbers of the satellites (Network > GlobalProtect > Portals > Satellite Configuration), the dynamic configuration is lost when you restore the firewall configuration, but the portal firewall will still be able to authenticate the satellites. Successful authentication repopulates the dynamic configuration, and LSVPN connectivity is reinstated.
    • If you are replacing a satellite firewall, it will not be able to connect and authenticate to the portal. This failure occurs either because the serial number was not explicitly configured on the portal (Network > GlobalProtect > Portals > Satellite Configuration) or, if it was, because the serial number of the replacement firewall does not match that of the old firewall. To restore connectivity after importing the device state bundle, the satellite administrator must log in to the firewall and enter the credentials (username and password) for authenticating to the portal. After authentication, the dynamic configuration required for LSVPN connectivity is generated on the portal.
    However, if the firewall was deployed in a high availability configuration, after you restore the configuration the firewall automatically synchronizes the running configuration with its peer and obtains the latest dynamic configuration required to function seamlessly.
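The prerequisites above are easy to miss one at a time, so the following pre-flight script folds them into a single check: it rejects an old firewall running PAN-OS older than 5.0.4, rejects a replacement of a different model or with different virtual-system, jumbo-frame or FIPS/CC settings, and warns about the conditions that do not block the swap but change what you will see afterwards (a different PAN-OS or content database, and the LSVPN satellite re-authentication described above). This is an added example, not Palo Alto Networks code; the `Firewall` record, its field names and the sample inventory values are constructed for illustration, and the `replace device` command string it prints is the Panorama operational command from the RMA workflow (not shown on this page) whose exact syntax you should verify against your Panorama release.

```python
"""Pre-flight checks for an RMA firewall replacement driven from Panorama.

Added example, not Palo Alto Networks code. The inventory values (serial,
model, versions, feature flags) are constructed sample data; in practice you
would record them from the firewall System logs on Panorama and from the
replacement unit before importing the device state.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Oldest PAN-OS release for which Panorama can generate a device state.
MIN_PANOS = (5, 0, 4)


@dataclass(frozen=True)
class Firewall:
    serial: str
    model: str
    panos: str            # e.g. "10.1.6-h3"
    content_version: str  # e.g. "8600-7473"
    url_db_vendor: str    # e.g. "PAN-DB"
    multi_vsys: bool
    jumbo_frames: bool
    fips_cc_mode: bool
    lsvpn_role: Optional[str] = None  # "portal", "satellite" or None
    in_ha_pair: bool = False


def parse_panos(version: str) -> Tuple[int, int, int, int]:
    """Turn 'major.minor.maint[-hN]' into a comparable tuple; hotfix defaults to 0."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def preflight(old: Firewall, new: Firewall,
              device_state_from_firewall: bool = False) -> Tuple[List[str], List[str]]:
    """Return (blocking errors, warnings) for replacing `old` with `new`.

    Errors are the hard prerequisites; warnings are conditions that do not
    block the swap but change what you will see afterwards.
    """
    errors: List[str] = []
    warnings: List[str] = []

    if parse_panos(old.panos)[:3] < MIN_PANOS:
        errors.append(f"{old.serial}: PAN-OS {old.panos} is older than 5.0.4; "
                      "Panorama cannot generate its device state")
    if old.model != new.model:
        errors.append(f"model mismatch: old {old.model}, replacement {new.model}")
    for flag in ("multi_vsys", "jumbo_frames", "fips_cc_mode"):
        if getattr(old, flag) != getattr(new, flag):
            errors.append(f"capability mismatch on {flag}: old={getattr(old, flag)} "
                          f"replacement={getattr(new, flag)}")

    if old.panos != new.panos:
        warnings.append(f"PAN-OS differs ({old.panos} vs {new.panos}); install the same "
                        "release to reproduce the old state exactly")
    if (old.content_version, old.url_db_vendor) != (new.content_version, new.url_db_vendor):
        warnings.append("content database or URL DB vendor differs; expect differences "
                        "from database updates and additions")
    # A satellite restored from a Panorama-generated state loses its dynamic LSVPN
    # config unless an HA peer resyncs it or a firewall-exported state is used.
    if old.lsvpn_role == "satellite" and not (device_state_from_firewall or old.in_ha_pair):
        warnings.append("LSVPN satellite restored from a Panorama-generated device state: "
                        "the satellite admin must re-enter portal credentials")
    if old.lsvpn_role == "portal" and not device_state_from_firewall:
        warnings.append("LSVPN portal: dynamic satellite config is lost but is rebuilt "
                        "once the satellites authenticate")
    return errors, warnings


def panorama_replace_command(old: Firewall, new: Firewall) -> str:
    """Panorama CLI line that rewrites references from the old to the new serial.

    Assumption: `replace device old <sn> new <sn>` is the operational command
    from the RMA replacement workflow (run as superuser or panorama-admin);
    verify the syntax against your Panorama release.
    """
    return f"replace device old {old.serial} new {new.serial}"


if __name__ == "__main__":
    # Constructed sample inventory for an old unit and its replacement.
    old_fw = Firewall("001234567890", "PA-3220", "10.1.6-h3", "8600-7473", "PAN-DB",
                      multi_vsys=False, jumbo_frames=True, fips_cc_mode=False,
                      lsvpn_role="satellite")
    new_fw = Firewall("001234567999", "PA-3220", "10.1.6-h3", "8612-7500", "PAN-DB",
                      multi_vsys=False, jumbo_frames=True, fips_cc_mode=False)
    errs, warns = preflight(old_fw, new_fw)
    print("ERRORS:", *errs, sep="\n  ")
    print("WARNINGS:", *warns, sep="\n  ")
    if not errs:
        print("Run on Panorama:", panorama_replace_command(old_fw, new_fw))
```

Pass `device_state_from_firewall=True` when you restore from a state you exported from the firewall itself; the satellite and portal warnings then disappear, matching the recommendation above to export device state regularly for LSVPN members.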