How To Replace a Physical Palo Alto Firewall RMA Unit

This quick tutorial will illustrate how to replace a defective Palo Alto Firewall unit with a RMA unit from Palo Alto Networks. We are doing a manual replacement method and since our unit is not in HA, we will have a slight service disruption as cut over to the new firewall.


  • Original Defective Palo Alto Network Device
  • RMA Palo Alto Device
  • Management network VLAN connected to both devices
  • Console access to the RMA firewall

1. Rack and Configure RMA Palo Alto Firewall Device

  • Rack the RMA Palo Alto Device Firewall in proximity of the defective Palo Alto Firewall
  • Connect the management network cable into the MGMT port and connect the cable to your network switch
  • Pull down your management VLAN (Same VLAN as the Management Network for your Defective Palo Alto Firewall) on your network switch to the RMA Palo Alto Firewall Management port
  • Connect a console cable to your firewall, log in as admin/admin and enter in the following commands to configure the management port
# configure
# set deviceconfig system ip-address <value> netmask <value> default-gateway <value>
# set deviceconfig system dns-setting servers primary
# set deviceconfig system update-server
# commit
# exit
  • In the command prompt, execute a ping test to various IPs to verify internet connectivity

> ping host

> ping host

 2. Transfer Your Licenses to the Spare Device

  • Log Into the Palo Alto Networks Portal and transfer over your current license onto the RMA device
  • Please follow this guide for instructions on license transfer


3. Activate License On RMA Palo Alto Device

  •  Log into Management WebGUI on Palo Alto device and activate the license from Device > Licenses to retrieve keys from Palo Alto Networks


 4. Update RMA Palo Alto Device to Defective Palo Alto Equivalent Version

  • Update Application and Threats to the latest version so it can support the latest Palo Alto software revision



  • Update Latest software on the RMA Palo Alto to the defective unit software version


  •  Update GlobalProtect client on RMA unit to defective Palo Alto Firewall software version


 5. Download Latest Config from Defective Palo Alto Device

  • From the defective unit, go to Device > Setup > Save Named Configuration Snapshot to save your current configuration. Choose your running config if you would like to export your running config and give it a unique name



6. Upload Saved Configuration onto the RMA Palo Alto Device

  • Export your saved snapshot by going to Device > Setup > Operations > Export Named Configuration Snapshot, and save the file somewhere locally


  • Go onto your RMA Palo Alto Device and under Device > Setup >Operations > Import Named Configuration Snapshot, upload the file you saved locally


  • Next on the RMA device, go to Device > Setup > Operations > Load Named Configuration Snapshot and select the file that you uploaded to the device


  • If you want the RMA Firewall to exist on the same network as the defective firewall, change the management address address on the RMA firewall by going to Setup > Device > Management > Management Interface Settings. If you do not change this, the RMA firewall’s management and the defective unit’s management IP address will collide once you commit.
  • When completed, check all configuration items to see if configuration ported over. Save and Commit

7. Physically move all your network connections

  • Once all your configurations are moved over, physically move all network connections to the new RMA device. Your change is now complete.
  • Ship back the defective unit to Palo Alto.



Leave a Comment