Replace an SD-WAN Device
Learn how to replace an SD-WAN device through the RMA process.
The return merchandise authorization (RMA) process enables you to replace either
failed or malfunctioning SD-WAN devices with new or reused functional SD-WAN devices
at a branch or a data center site. An SD-WAN device can fail or malfunction for a
number of reasons, such as a device chip failure, device misconfiguration, or
daily wear and tear. If the SD-WAN device is unusable due to a malfunction or
overall failure, use the RMA process to replace the failed or malfunctioning
device.
A commit failure occurs on Panorama™ and managed devices if you try to replace an
SD-WAN firewall from an existing deployment without following a proper RMA process.
Before you begin the RMA process:
- Review Before Starting RMA Firewall Replacement.
- SD-WAN generates configurations, such as IPSec gateways and key IDs, based on
the device serial number. You must therefore update the serial number of the
replacement firewall so that SD-WAN recognizes the new firewall and commits do
not fail. Determine whether your SD-WAN configuration has IPSec or VPN object
references to the old firewall:
  - To replace a branch firewall in a high availability (HA) deployment, log in to the hub firewall and select Network > Network Profiles > IKE Gateways. Search for the serial number (without white spaces) of the old firewall. One or more search results indicate that SD-WAN is referencing the old firewall serial number in the gateway configuration. In this case, we recommend that you disconnect the old branch firewall from Panorama and the HA deployment.
  - To replace a firewall in a full mesh deployment without hubs, search for the old firewall serial number on any of the branch firewalls. One or more search results indicate that SD-WAN is referencing the old firewall serial number in the gateway configuration. In this case, we recommend that you disconnect the old branch firewall from Panorama and the mesh deployment.
  - To replace a standalone firewall, it is not necessary to search for the serial number.
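The same serial number search can be run offline against an exported firewall configuration. The following is an added example, not code from the original page or from the vendor. It assumes the export is XML with IKE gateways under an `ike/gateway` element; the sample configuration, gateway names and serial numbers are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a simplified fragment shaped like an exported firewall
# configuration. Gateway names, IDs and serial numbers are invented.
SAMPLE_CONFIG = """
<config><devices><entry name="localhost.localdomain"><network><ike><gateway>
  <entry name="gw_branch_0123456789AB">
    <peer-id><id>0123456789AB</id><type>keyid</type></peer-id></entry>
  <entry name="gw_branch_00CAFE000042">
    <peer-id><id>00CAFE000042</id><type>keyid</type></peer-id></entry>
  <entry name="manual-gw-to-dc">
    <peer-id><id>dc1.example.test</id><type>fqdn</type></peer-id></entry>
</gateway></ike></network></entry></devices></config>
"""


def normalize_serial(serial: str) -> str:
    """Strip all white space, as the search on the firewall expects."""
    return re.sub(r"\s+", "", serial).upper()


def gateways_referencing(config_xml: str, old_serial: str) -> list[str]:
    """Return names of IKE gateway entries that mention old_serial anywhere."""
    needle = normalize_serial(old_serial)
    if not needle:
        raise ValueError("empty serial number")  # would match every gateway
    root = ET.fromstring(config_xml)
    hits = []
    for gw in root.iterfind(".//ike/gateway/entry"):
        # Check the entry name plus every text node and attribute beneath it.
        haystack = [gw.get("name", "")]
        for node in gw.iter():
            haystack.append(node.text or "")
            haystack.extend(node.attrib.values())
        if any(needle in value.upper() for value in haystack):
            hits.append(gw.get("name", "<unnamed>"))
    return hits


def push_before_replacement_needed(config_xml: str, old_serial: str) -> bool:
    """True when references exist, so the HA-only push step cannot be skipped."""
    return bool(gateways_referencing(config_xml, old_serial))


if __name__ == "__main__":
    print(gateways_referencing(SAMPLE_CONFIG, "0123 4567 89AB"))
```

An empty result corresponds to the case where the search returns no gateway configurations.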
Use the following workflow to restore the configuration on a managed firewall when
there is an RMA.
1. Select Panorama > SD-WAN > VPN Clusters and delete the old firewall.
2. Select Panorama > SD-WAN > Devices and delete the old firewall.
3. Commit the changes to Panorama.
4. (HA deployments only) Push the changes to all hubs and the other HA peers (except the old firewall that needs to be replaced). Before proceeding, ensure that the commit succeeds on both hubs and standalone firewalls. If the search for the old firewall serial number does not return any gateway configurations, you can skip this step.
5. Configure an RMA replacement firewall.
6. (HA deployments only) Establish an HA connection between the replacement firewall and the standalone firewall. A firewall with a lower numerical value, and therefore a higher priority, is designated as active. To avoid your replacement firewall taking over as the active HA peer, ensure that it isn't assigned a higher device priority.
7. Select Panorama > SD-WAN > Devices and add the new branch firewall.
8. Select Panorama > SD-WAN > VPN Clusters and add the new branch firewall.
9. Commit the changes to Panorama.
10. Select Commit > Push to Devices and push the entire Panorama managed configuration to the hubs and both HA peers at the branch. When you Push to Devices, Panorama attempts to push the changes to all the devices in the cluster for both HA and hub-and-spoke deployments. To avoid pushing the changes to all devices, select Edit Selections in the Push Scope and disable all other devices under Device Groups and Templates.
    - In hub-and-spoke deployments, select the hub firewalls and HA template stack of the branch system to which you intend to push the configuration. As a result, sites that aren't selected could become out of sync.
    - In full mesh deployments, it's mandatory to push the changes to all devices in the cluster.