SD-WAN Administrator’s Guide
    : Replace the SD-WAN enabled Panorama HA Peer
    Focus
    Download PDF
    Focus
    1. Home
    2. SD-WAN
    3. SD-WAN Administrator’s Guide
    4. Troubleshooting
    5. Replace the SD-WAN enabled Panorama HA Peer
    Download PDF

    SD-WAN Administrator’s Guide

    Replace the SD-WAN enabled Panorama HA Peer

    Table of Contents

    Replace the SD-WAN enabled Panorama HA Peer

    Workflow for replacing a faulty or nonfunctional SD-WAN enabled Panorama management server in a HA cluster for specific SD-WAN plugin versions.
    Where Can I Use This?What Do I Need?
    • PAN-OS
    • SD-WAN
    • SD-WAN license
    Returned Merchandise Authorization (RMA) process allows you to replace the failed or malfunctioning SD-WAN enabled Panorama HA pair with new or reused functional Panorama HA peer in the HA cluster. A device can fail or malfunction for a number of reasons, such as a device chip failure, device misconfiguration, or from daily wear and tear. If the device is unusable due to a malfunction or overall failure, the RMA process can be used to replace the failed or malfunctioning device.
    Follow this workflow to replace a faulty or nonfunctional SD-WAN enabled Panorama management server in a HA cluster.
    Use this workflow when your Panorama management server is installed with one of the following SD-WAN plugin versions:
    • SD-WAN plugin version 2.2.7 or above
    • SD-WAN plugin version 3.0.8 or above
    • SD-WAN plugin version 3.2.2 or above
    • SD-WAN plugin version 3.3.2 or above
    1. Configure the faulty or malfunctioning firewall (that needs to be replaced) as a secondary passive firewall and configure the other firewall as a primary active firewall. Once the faulty firewall has been configured as a secondary passive firewall, shut it down, and remove the faulty firewall from the network configuration.
    2. Select PanoramaManaged DevicesSummary and Export the CSV file from the active firewall.
    3. Bring up the new Panorama management server.
      1. Bring up the new Panorama management server with the same OS version as the primary active firewall.
      2. Configure the same IP address as the old secondary passive firewall (which is getting replaced).
      3. Install all the required plugins, application version, and antivirus version same as the primary active firewall.
      4. Execute the commit force CLI command to commit the changes forcefully.
    4. Change the peer HA serial number on the primary active firewall with the serial number of the newly deployed Panorama. Select PanoramaHigh AvailabilityElection Settings, disable Preemptive, set priority as primary (if not configured), and then commit the configuration changes.
    5. Configure high availability on the newly deployed Panorama management server. Select PanoramaHigh AvailabilityElection Settings, disable Preemptive, set priority as secondary, and commit the configuration changes.
    6. After committing the HA configuration on the newly deployed Panorama, the Panorama will be added to the HA cluster. Initially, the running configuration won’t be in synchronization and the configuration differences (if any) will be displayed in the high availability dashboard. You must fix the configuration differences by installing the correct version of the application, antivirus, SD-WAN plugin, or any other Panorama plugin.
    7. When you attempt to synchronize the running configuration from active Panorama to passive Panorama, it will fail for the first time.
      Panorama throws the following synchronization error when the running configuration synchronization failure occurs. Even though the synchronization failure occurs, the authentication key (auth-key), template, and device group will be synchronized on the passive Panorama. You can verify this by refreshing the passive Panorama web interface.
      After refresh, the Templates and Device Groups tabs will get displayed on the passive Panorama. Delete all the duplicate entries present under No device group assigned.
    8. Select PanoramaHigh AvailabilityOperational Commands and Suspend local Panorama for high availability to suspend the newly deployed Panorama management server.
    9. Copy all the serial numbers present in the active firewall's CSV (exported in step 2) on the Serial Number column.
    10. Add the serial numbers in the newly deployed Panorama as follows. Adding the serial number does not generate the authentication key (auth-key) and does not perform the commit operation on passive Panorama.
    11. After adding the firewalls, wait for all the firewalls to change the status as connected or disconnected as the same as active Panorama. Once the firewalls status added to the new Panorama is the same as the active Panorama, make the device functional again (by selecting Make local Panorama functional for high availability from PanoramaHigh AvailabilityOperational Commands).
    12. Execute the debug plugins sd_wan mongo-db sync-db-to-peer CLI command from active Panorama HA peer. If you get sync-in-progress result after running the command, then restart the configd process on active Panorama HA peer using the debug software restart process configd CLI command.
    13. Reconnect the active Panorama and execute debug plugins sd_wan mongo-db sync-db-to-peer again. The following result indicates that the active and passive Panorama Mongo databases are in synchronization.
    14. Synchronize the running configuration from active Panorama to passive Panorama that will synchronize all the configuration from active Panorama to passive Panorama.
      After synchronizing the Panorama HA peers successfully, verify the details of both active and passive Panorama in the high availability dashboard:
    15. Execute the debug plugins sd_wan mongo-db sync-status CLI command to get the Mongo database status.
    16. Perform force commit on passive Panorama.

    © 2025 Palo Alto Networks, Inc. All rights reserved.