Palo Alto Networks Runbook: Replacing a Dead Firewall


Maintaining uptime of IT infrastructure has always been a top priority. Even the simplest point of failure earns a spot on the monthly operations report slide deck. It may sound like sarcasm, but that is how it really is in the world of IT.

The repetitive nature of operations has given rise to the idea of IT automation. Technologies have long been available to free IT people from some recurring tasks, especially monitoring and health checks. Some products go a step further by allowing triggers to be set up so that issues are remediated in a snap, the same way an actual staff member would react to the same trigger, only faster and more efficiently.

Some say automation is a killer of job security, as people doing recurring work are the most likely to be displaced by robots and digital assistants. Although some IT operational tasks and incident management processes can be automated, IT people still have reason to rejoice: job security is not yet a thing of the past, because many tasks have yet to be coded into an automated process.

In these cases, runbooks are a gem. In simple terms, a runbook, or what some would call a ‘playbook’, is a documented step-by-step procedure for how things are done. It is basically a geekier take on manuals and user guides, since these documents are expected to be read by people with the same level of ‘geekiness’ as the one who created them. Indeni has published a report titled ‘Network & Security Automation Trends’, and one of its surprising takeaways is how few companies use runbooks in their operations.

Say a newcomer joins, is trained on everything everyone else does on a daily basis, goes into the regular personnel rotation, and then a critical issue pops up. First-time jitters and slow reaction to incidents are sometimes a good catalyst for an escalating incident. One major issue that definitely needs prompt attention is hardware dying. Specifically, when a firewall dies, what do you do? A well-written runbook will be a good helping hand to compose the thoughts of a newbie, or even of an experienced engineer, since this kind of issue does not happen very often. So let’s go ahead and go through this runbook on replacing a dead firewall.

A Palo Alto Networks firewall will be the subject of this runbook. Every other brand has its own set of procedures, so let’s stick to one for now. Most of the time, the one who calls the time of death of a firewall is its licensed support team. The firewall administrator observes the initial symptoms, but it is the support team that assesses whether it is time to subject the hardware to an RMA (Return Merchandise Authorization), which is simply what you do with a gadget that fails within its warranty.

Once the RMA has been fulfilled and the replacement device comes in, it’s time to hit the play button. The following procedure is what you need to do to replace a dead Palo Alto Networks firewall.

1. Transfer licenses

Ensure that everyone on the team has their own account, or at least the credentials to a common account, for the company’s Palo Alto Networks support page. This is where you transfer the licenses from the old hardware to the newly delivered firewall.

a. Log in to the Palo Alto Networks support portal at https://support.paloaltonetworks.com
b. Once logged in, go to the Assets tab and hit ‘Spares’ in the links just below the main tabs.
c. Fill in the entries referencing your new Palo Alto Networks firewall unit.
d. Once registered, the new device will appear in the list of spares. Hit the serial number of the new device to start the license transfer. You will be taken to the device’s information page. Hit the transfer license button further down the window.
e. The transfer license window will appear. Locate the serial number of the dead firewall and hit the select button beside it. If you cannot see the serial number in the list, use the search bar to search the entire assets database of your account.
f. Click submit and the license transfer process is complete.

2. Initial device preparation

Newly delivered Palo Alto Networks firewalls ship with a standard configuration template that is mostly full of items you don’t need. Initial preparation includes deleting these items and updating the software to the most recent available version.

a. Access the new device and go through the standard process of setting up a new Palo Alto Networks firewall. Details can be found at this link:

https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/getting-started/perform-initial-configuration.html

3. Configuration back-up installation

At this point you have hopefully taken steps to secure a proper working backup from the dead firewall, either because you have a good backup process in place or because the technical support engineer who assessed the dead device asked you to take one. If not, it will be a long day, as you will have to rebuild the configuration from scratch.

a. On the new device, hit ‘Import named configuration snapshot’, located on the Device tab, Setup menu, Operations subtab. Here you select the backup configuration file and upload it to the new device. Nothing is installed at this point yet.
b. Once uploaded, load it for installation by hitting ‘Load named configuration snapshot’ on the same Operations subtab.
c. Double-check the configuration, then commit the changes.
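As an added example (not from the original runbook or from Palo Alto Networks), here is the restore in step 3 driven through the PAN-OS XML API instead of the GUI: load an already-imported named snapshot, commit it, and poll the commit job until it finishes. HOST and KEY are placeholders, the sample responses are constructed, and the exact response shapes are assumed from the PAN-OS XML API and should be checked against the reference for your release.

```python
import time
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

HOST = "fw-replacement.example.internal"  # placeholder hostname of the new unit
KEY = "API-KEY-PLACEHOLDER"               # placeholder; generate with type=keygen

# Constructed sample responses in the PAN-OS XML API shape, for offline parsing.
SAMPLE_COMMIT = ('<response status="success" code="19"><result><msg><line>'
                 'Commit job enqueued with jobid 5</line></msg><job>5</job></result></response>')
SAMPLE_JOB_DONE = ('<response status="success"><result><job><id>5</id><type>Commit</type>'
                   '<status>FIN</status><result>OK</result><progress>100</progress></job></result></response>')

def load_cmd(filename):
    """CLI 'load config from <file>' expressed as an XML API op command."""
    return f"<load><config><from>{filename}</from></config></load>"

def parse_response(body):
    """Return the <result> element, or raise if the firewall reported an error."""
    root = ET.fromstring(body)
    if root.get("status") != "success":
        msg = " ".join(t.strip() for t in root.itertext() if t.strip())
        raise RuntimeError(f"firewall API error: {msg}")
    return root.find("result")

def job_state(body):
    """(finished, succeeded) from a 'show jobs id N' response: FIN/OK means success."""
    job = parse_response(body).find("job")
    return job.findtext("status") == "FIN", job.findtext("result") == "OK"

def api_get(params):
    # The factory self-signed certificate will fail TLS verification: install a
    # trusted certificate on the new unit first rather than disabling verification.
    url = f"https://{HOST}/api/?" + urllib.parse.urlencode({**params, "key": KEY})
    with urllib.request.urlopen(url, timeout=30) as resp:
        return resp.read().decode()

def restore_snapshot(filename, poll=5):
    """Load an already-imported named snapshot, commit, and wait for the commit job."""
    parse_response(api_get({"type": "op", "cmd": load_cmd(filename)}))
    job_id = parse_response(api_get({"type": "commit", "cmd": "<commit></commit>"})).findtext("job")
    while True:
        done, ok = job_state(api_get({"type": "op",
                                      "cmd": f"<show><jobs><id>{job_id}</id></jobs></show>"}))
        if done:
            return ok
        time.sleep(poll)
```

Call `restore_snapshot("backup-running-config.xml")` only after the snapshot has been imported and reviewed on the new unit, as step c requires; a `False` return means the commit job finished with a result other than OK and the job output should be read before retrying.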

4. Ship the defective device back to Palo Alto Networks

If the whole unit is being replaced, most of the time Palo Alto Networks will want you to ship it back for forensic analysis. You can call Palo Alto Networks support for return instructions, or sometimes they are in a document inside the box of the new device. If you replaced just a specific part, such as a defective fan or hard disk, the end user has the discretion to either ship it back for analysis or dispose of it themselves.

That is it. You’ve made it through what should have been a stressful day in the office, but with the help of this runbook it has been a breeze. Go ahead and sip that extra shot of espresso you deserve. That cup of coffee is one thing that can never be automated.

Did you know Indeni can continuously check the health of your Palo Alto Networks firewalls? Indeni will give you a heads-up when a firewall contract or certificate is about to expire by running these automation scripts:

Contract(s) about to expire for Palo Alto Networks
Certificate(s) about to expire for Palo Alto Networks
Panorama certificate about to expire for Palo Alto Networks

Thank you to community member Ralph Masajo for contributing this article! If you found the information helpful please share on social media by clicking the share links at the top of this page.
