PaloAlto Networks PA-7000 Series Hardware Reference Manual

Hide thumbs Also See for PA-7000 Series:

Hardware reference manual (220 pages)

Hardware reference manual (150 pages)

Hardware reference manual (186 pages)

Table Of Contents

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

page of 206

/ 206
Contents
Table of Contents
Bookmarks

Table of Contents

Quick Links

Download this manual

PA-7000 Series Firewall Hardware

Reference

docs.paloaltonetworks.com

Table of Contents

Need help?

Do you have a question about the PA-7000 Series and is the answer not in the manual?

Questions and answers

Summary of Contents for PaloAlto Networks PA-7000 Series

Page 1 PA-7000 Series Firewall Hardware Reference docs.paloaltonetworks.com...
Page 2 Alto Networks. A list of our trademarks can be found at www.paloaltonetworks.com/company/ trademarks.html. All other marks menoned herein may be trademarks of their respecve companies. Last Revised August 3, 2021 PA-7000 Series Firewall Hardware Reference 2021 Palo Alto Networks, Inc. ©...
Page 3: Table Of Contents
PA-7000 20GQ NPC.....................57 PA-7000 20GQXM NPC....................60 PA-7000 100G NPC..................... 60 Idenfy PA-7000 Series NPC Port Acvity and Link LEDs......... 64 PA-7000 Series Firewall Data Processing Card (DPC)............. 65 Interpret the PA-7000 Series DPC LEDS..............65 PA-7000 Series Firewall Installaon............69 PA-7000 Series Firewall Equipment Rack Installaon............70...
Page 4 Install the PA-7080 Firewall EMI Filter................122 Service the PA-7000 Series Firewall Hardware........123 Replace a PA-7000 Series Firewall AC or DC Power Supply........124 Interpret the PA-7000 Series Firewall Power Supply LEDs.......124 Replace a PA-7000 Series AC Power Supply............125 Replace a PA-7000 Series DC Power Supply............
Page 5 Table of Contents Replace a PA-7050-SMC-B or PA-7080-SMC-B Drive..........180 Increase the PA-7000 Series Firewall LPC Log Storage Capacity....... 185 PA-7000 Series Firewall Speciﬁcaons............195 PA-7000 Series Firewall Physical Speciﬁcaons............. 196 PA-7000 Series Firewall Electrical Speciﬁcaons............199 PA-7000 Series Firewall Component Electrical Speciﬁcaons......199 PA-7000 Series Firewall Power Cord Types............
Page 7: Before You Begin
Before You Begin Read the following topics before you install or service a Palo Alto Networks next- ® generaon ﬁrewall or appliance. The following topics apply to all Palo Alto Networks ﬁrewalls and appliances except where noted. > Upgrade/Downgrade Consideraons for Firewalls and Appliances >...
Page 8: Upgrade/Downgrade ConsideraOns For Firewalls And Appliances
20, then proceed with the upgrade. If the value the downgrade. If the is less than 20, then value is less than 20, contact support for then contact support for assistance. assistance. PA-7000 Series Firewall Hardware Reference 2021 Palo Alto Networks, Inc. ©...
Page 9: Tamper Proof Statement
• The integrity of the warranty label on the ﬁrewall or appliance is not compromised. (PA-7000 Series ﬁrewalls only) PA-7000 Series ﬁrewalls are modular systems and therefore do not include a warranty label on the ﬁrewall. PA-7000 Series Firewall Hardware Reference 2021 Palo Alto Networks, Inc.
Page 10: Third-Party Component Support
Before You Begin Third-Party Component Support Before you consider installing third-party hardware, read the Palo Alto Networks Third-Party Component Support statement. PA-7000 Series Firewall Hardware Reference 2021 Palo Alto Networks, Inc. ©...
Page 11: Product Safety Warnings
Meez au rebut les baeries usagées conformément aux instrucons. • I/O ports are intended for intra-building connecons only and not intended for OSP (Outside Plant) connecons or any network connecons subject to external voltage surge events. PA-7000 Series Firewall Hardware Reference 2021 Palo Alto Networks, Inc. ©...
Page 12 • (PA-7000 Series ﬁrewalls only) When removing a fan tray from a PA-7000 Series ﬁrewall, ﬁrst pull the fan tray out about 1 inch (2.5cm) and then wait a minimum of 10 seconds before extracng the enre fan tray. This allows the fans to stop spinning and helps you avoid serious injury when removing the fan tray.
Page 13 (de service) qu'à l'aide d'un oul spécial, cadenas ou clé, ou autre disposif de sécurité, et qui est contrôlée par l'autorité responsable du site. PA-7000 Series Firewall Hardware Reference 2021 Palo Alto Networks, Inc. ©...
Page 14 • A suitably-rated DC mains disconnect device must be provided as part of the building installaon. French Translaon: Un interrupteur d'isolement suﬃsant doit être fourni pendant l'installaon du bâment. PA-7000 Series Firewall Hardware Reference 2021 Palo Alto Networks, Inc. ©...
Page 15: Pa-7000 Series Firewall Overview
ﬁrewalls also include a dedicated high availability (HA) control port (HA1), as well as two dedicated 80Gb QSFP HA ports for HA2 (data link) and HA3 (packet forwarding) funcons. These dedicated HA ports enable PA-7000 Series ﬁrewalls to funcon with full hardware redundancy in either an acve/passive or acve/acve conﬁguraon.
Page 16: Pa-7050 Front And Back Panel DescripOns
Provides venlaon and cooling for the chassis. While trays (ﬁrst-generaon fan facing the front of the ﬁrewall, air enters from the le and tray shown) exits to the right. There are two PA-7050 fan tray models: PA-7000 Series Firewall Hardware Reference 2021 Palo Alto Networks, Inc. ©...
Page 17 HA1-A, and HA1-B ports. You can use these or replace them with a transceiver of your choice. There are two PA-7050 SMC models as described in PA-7000 Series Firewall Switch Management Cards (SMCs). The PAN-OS soware is preinstalled on the ®...
Page 18 For informaon on connecng power, see Connect Power to a PA-7000 Series Firewall. Electrostac Discharge Provides a grounding point that you use when removing (ESD) ports or installing chassis components. Secure the provided PA-7000 Series Firewall Hardware Reference 2021 Palo Alto Networks, Inc. ©...
Page 19: Pa-7050 Back Panel (Ac)
Connects the power source to the power supplies located (PEM) AC power inlets on the front of the chassis. The front power supplies distribute power to all chassis components. PA-7000 Series Firewall Hardware Reference 2021 Palo Alto Networks, Inc. ©...
Page 20: Pa-7050 Front Panel (Dc)
DC model is that the DC model has four front DC power supplies instead of four AC power supplies. For descripons of the front panel components, see PA-7050 Front Panel (AC) and for informaon on connecng DC power, see Connect Power to a PA-7000 Series Firewall. PA-7000 Series Firewall Hardware Reference 2021 Palo Alto Networks, Inc.
Page 21: Pa-7050 Back Panel (Dc)
DC model does not have a Power Entry Modules (PEM); the DC power source connects directly to the front of the power supplies. For descripons of the back panel components, see PA-7050 Back Panel (AC). PA-7000 Series Firewall Hardware Reference 2021 Palo Alto Networks, Inc. ©...
Page 23: Pa-7080 Front And Back Panel DescripOns
PA-7080 Back Panel (DC) PA-7080 Front Panel (AC) The following image shows the front panel of the PA-7080 ﬁrewall (with AC power supplies installed) and the table describes each front panel component. PA-7000 Series Firewall Hardware Reference 2021 Palo Alto Networks, Inc. ©...
Page 25 HA1-A, and HA1-B ports. You can use these or replace them with a transceiver of your choice. There are two PA-7050 SMC models as described in PA-7000 Series Firewall Switch Management Cards (SMCs). The PAN-OS soware is preinstalled on the ®...
Page 26 ﬁlter to ensure it is clean. The ﬁlter is not designed to be cleaned and it is recommended that you replace it every six months (depending on the environment). PA-7000 Series Firewall Hardware Reference 2021 Palo Alto Networks, Inc. ©...
Page 27: Pa-7080 Back Panel (Ac)
Firewall. PA-7080 Back Panel (AC) The following image shows the back panel of the PA-7080 ﬁrewall (with AC power supplies installed) and the table describes each back panel component. PA-7000 Series Firewall Hardware Reference 2021 Palo Alto Networks, Inc. ©...
Page 28 PA-7000 Series Firewall Overview Item Component Descripon Exhaust vent Provides air circulaon for chassis cooling. Do not obstruct this vent. PA-7000 Series Firewall Hardware Reference 2021 Palo Alto Networks, Inc. ©...
Page 29: Pa-7080 Front Panel (Dc)
DC model can hold up to eight DC power supplies instead of AC power supplies. For descripons of the front panel components, see PA-7080 Front Panel (AC) and for informaon on connecng power, see Connect Power to a PA-7000 Series Firewall. PA-7000 Series Firewall Hardware Reference 2021 Palo Alto Networks, Inc. ©...
Page 30: Pa-7080 Back Panel (Dc)
The only diﬀerences between the back panel AC model and the back panel DC model is that the DC model has two DC Power Entry Modules (PEMs) instead of two AC PEMs. Each DC PEM PA-7000 Series Firewall Hardware Reference 2021 Palo Alto Networks, Inc.
Page 31 DC PEMs are ﬁeld replaceable. For informaon on replacing a DC PEM, see Replace a PA-7080 DC PEM and for descripons of the back panel components, see PA-7080 Back Panel (AC). PA-7000 Series Firewall Hardware Reference 2021 Palo Alto Networks, Inc. ©...
Page 33: Pa-7000 Series Firewall Module And Interface Card InformaOn
PA-7000 Series Firewall Module and Interface Card Informaon The PA-7000 Series ﬁrewalls are modular systems and requires a minimum set of front slot cards. The required cards include the Switch Management Card (SMC), Log Processing Card (LPC) or Log Forwarding Card (LFC), and at least one Network Processing Card (NPC).
Page 34: Pa-7000 Series Firewall Switch Management Cards (Smcs)
SMC-B or PA-7080-SMC-B) must be paired with a second-generaon logging card (PA-7000-LFC-A). When using PA-7000 Series ﬁrewalls in a High Availability (HA) pair, both ﬁrewalls must have SMCs of the same generaon installed. Use the following topics to learn about requirements, descripons of the SMC components, and how to interpret the LEDs.
Page 35 PA-7000 Series Firewall Module and Interface Card Informaon same install and release levers as the LPC—version 1 does not; and the USB port is in a diﬀerent locaon. There are no funconal diﬀerences between the two versions. Figure 1: PA-7050 Version 1 SMC, First Generation...
Page 36 PA-7000 Series Firewall Module and Interface Card Informaon Item Component Descripon You cannot conﬁgure HA1 (control) on NPC data ports or the MGT port. Ethernet 10/100/1000Mbps port used to access the management interface. To manage the ﬁrewall, change your management computer IP address to 192.168.1.2, connect an RJ-45 cable from your computer to the MGT port and browse to hps:/ / 192.168.1.1.
Page 37: Pa-7000 Series Firewall Smc-B Component DescripOns
PA-7000 Series Firewall Module and Interface Card Informaon Item Component Descripon dataplane port and an HSCI port for either HA2 or HA2- Backup will result in a commit failure. HSCI-B (High Speed See the HSCI-A descripon above for details. Chassis Interconnect) The purpose of HSCI-B is to increase the bandwidth for HA2/HA3 processing.
Page 38 PA-7000 Series Firewall Module and Interface Card Informaon Figure 4: PA-7050-SMC-B Figure 5: PA-7080-SMC-B Item Component Descripon MGT-A and MGT-B Two redundant SFP/SFP+ Ethernet ports used to access the management interface. If both ports are connected, one port is primary and the other port is secondary. If a link failure occurs on the primary port, the ﬁrewall...
Page 39 PA-7000 Series Firewall Module and Interface Card Informaon Item Component Descripon two PA-7000 Series ﬁrewalls in a high availability (HA) conﬁguraon as follows: • In an acve/passive conﬁguraon, this port is for HA2 (data link). • In an acve/acve conﬁguraon, you can conﬁgure this port for HA2 and/or HA3.
Page 40 PA-7000 Series Firewall Module and Interface Card Informaon Item Component Descripon If your management computer does not have a serial port, use a USB-to-serial converter. Use the following sengs to conﬁgure your terminal emulaon soware to connect to the console port:Data...
Page 41: Pa-7000 Series Firewall Smc-B Requirements
10,000 or greater because the PA-7050 will have the second-generaon fan trays installed and the PA-7080 will have a built-in EMI ﬁlter. • PAN-OS 9.0 or later. • Install the PA-7000 Series Firewall Log Forwarding Card (LFC) • (PA-7050 only) Install the second-generaon fan tray to increase cooling capacity. The...
Page 42 PA-7000 Series Firewall Module and Interface Card Informaon State Descripon PWR (POWER) Green The chassis is powered. Oﬀ The chassis power is oﬀ. STS (STATUS) Green The chassis is operang normally. Yellow The chassis is boong up. Green The chassis is the current acve ﬁrewall.
Page 43 PA-7000 Series Firewall Module and Interface Card Informaon State Descripon • When the state returns to a funconal state (any acve or passive state) the LED turns oﬀ. • If you intenonally suspend HA, the LED will not turn red.
Page 44 PA-7000 Series Firewall Module and Interface Card Informaon State Descripon s12 empty Off Enter the following command to view the status for a card in a speciﬁc slot: (Connued) admin@PA-7080> show system service-led status slot s3 Enter the following command to enable all SVC LEDs: admin@PA-7080>set system setting service-led enable ye...
Page 45 PA-7000 Series Firewall Module and Interface Card Informaon The following table describes the funcons and states of the SMC HSCI-A and HSCI-B port LEDs. Descripon Le The LED is solid green if there is a network link. Because this interface is comprised of four 10Gbps links, the LED uses an AND operaon for all...
Page 46: Pa-7000 Series Firewall Log Cards
PA-7000 Series Firewall Module and Interface Card Informaon PA-7000 Series Firewall Log Cards The PA-7000 Series ﬁrewalls support two log card models: the Log Processing Card (LPC) and the Log Forwarding Card (LFC). The diﬀerence between the LPC and the LFC is that the LPC stores logs locally and forward logs;...
Page 47 PA-7000 Series Firewall Module and Interface Card Informaon Item Component Descripon Log Processing Card (LPC) that processes all logs and then stores the logs on the four Advanced Mezzanine Cards (AMCs) that contain one disk drive each. Four Advanced Mezzanine Cards (AMCs) and drives used for log storage.
Page 48: Pa-7000 Series Firewall Log Forwarding Card (Lfc)
PA-7000 Series Firewall Module and Interface Card Informaon Interpret the PA-7000 Series Firewall AMC LEDs Use the following informaon to learn how to interpret the LED dashboard located on the front of the AMC. The Log Processing Card (LPC) does not have LEDs. If there is a hardware issue with the LPC, the LOG LED on the Switch Management Card (SMC) changes to red and the ﬁrewall...
Page 49 PA-7000 Series Firewall Module and Interface Card Informaon Item Component Descripon QSFP+ ports Two quad small form-factor pluggable (QSFP+) 10Gbps/40Gbps Ethernet interfaces as deﬁned by the IEEE 802.3ba standard. The two physical QSFP+ interfaces operate at 40Gbps each. The ﬁrewall uses the ports to forward all dataplane logs to an external system, such as Panorama, Firewall Data Lake, or a syslog server.
Page 50 PA-7000 Series Firewall Module and Interface Card Informaon Item Component Descripon Ports 1 and 9 share the same LED and ports 5 and 10 share the same LED. Port transfer rate is diﬀerenated by color. Green indicates 10Gbps and yellow indicates 40Gbps.
Page 51 PA-7000 Series Firewall Module and Interface Card Informaon State Descripon STS (STATUS) Green The LFC is operang normally. Yellow The LFC is boong up. There is a hardware failure, which may include the following: (Alarm) • Voltage issue. • Power supply detected but not operaonal.
Page 52 PA-7000 Series Firewall Module and Interface Card Informaon State Descripon s6 PA-7080-SMC-B On s7 PA-7000-LFC On s8 empty Off s9 empty Off s10 empty Off s11 empty Off s12 empty Off Enter the following command to view the status for a card in a speciﬁc slot: (Connued)
Page 53 PA-7000 Series Firewall Module and Interface Card Informaon To learn about the orientaon of the LED indicators, see Idenfy PA-7000 Series NPC Port Acvity and Link LEDs. PA-7000 Series Firewall LFC Requirements The following informaon describes the system and hardware requirements for upgrading to the Log Forwarding Card (LFC).
Page 54: Pa-7000 Series Firewall Network Processing Cards (Npcs)
NPCs in a PA-7050 ﬁrewall and up to ten NPCs in a PA-7080 ﬁrewall. If you plan on fully populang a PA-7000 Series ﬁrewall with NPCs, Determine PA-7000 Series Firewall Power Conﬁguraon Requirements to ensure that you provide enough power to the ﬁrewall.
Page 55 PA-7000 Series Firewall Module and Interface Card Informaon PA-7000 20G NPC Component Descripons The following images show the two types of PA-7000 20G NPCs and the table describes the NPC components. The only diﬀerence between the two versions is the levers used to install and remove the cards.
Page 56 PA-7000 Series Firewall Module and Interface Card Informaon Item Component Descripon NPC installaon and • Screws, lever release latches, and ejector levers used removal hardware to install and remove a version 1 NPC card. The lever release latches on each side slides upward to release the levers used to eject the card from the chassis.
Page 57: Pa-7000 20Gxm Npc
4 million sessions and the PA-7000 20GXM NPC supports up to 8 million sessions. As of PAN-OS 9.0 and later, the PA-7000-20G NPC supports 3.2 million sessions. The PA-7000 Series ﬁrewall must have PAN-OS 7.1 or later installed to use the PA-7000-20GXM-NPC.
Page 58 PA-7000 Series Firewall Module and Interface Card Informaon The PA-7000 Series ﬁrewall must have PAN-OS 7.0 or later installed to use the PA-7000-20GQ-NPC. If you purchase a PA-7050 ﬁrewall running a PAN-OS 6.1 or earlier release and you only have a PA-7000-20GQ available (or, if you have more than one NPC and all are this model), refer to KB arcle...
Page 59 PA-7000 Series Firewall Module and Interface Card Informaon Interpret the PA-7000 20GQ NPC LEDs Use the following informaon to learn how to interpret the LED dashboard and port LEDs located on the PA-7000 20GQ Network Processing Card (NPC). The following table describes the funcons and states of the NPC LED dashboard.
Page 60: Pa-7000 20Gqxm Npc
4 million sessions and the PA-7000 20GQXM NPC supports up to 8 million sessions. As of PAN-OS 9.0 and later, the PA-7000-20GQ NPC supports 3.2 million sessions. The PA-7000 Series ﬁrewall must have PAN-OS 7.1 or later installed to use the PA-7000-20GQXM-NPC.
Page 61 PA-7000 Series Firewall Module and Interface Card Informaon Item Component Descripon To properly breakout the QSFP ports, your transceiver must be either the PAN-QSFP-40GBASE-SR4 or PAN- QSFP28-100GBASE-SR4, and you must use an appropriate passive breakout cable. LED dashboard Five LEDs that provide NPC status. For details on the...
Page 62 PA-7000 Series Firewall Module and Interface Card Informaon State Descripon Green The card temperature is normal. (Temperature) Yellow The card temperature is outside the temperature tolerance. Allows a remote administrator to illuminate the SVC LED on a speciﬁc front-slot (Service) card so an on-site technician can locate the card.
Page 63 PA-7000 Series Firewall Module and Interface Card Informaon State Descripon LED is solid blue. The following table describes funcons and states of the SFP+ port LEDs. Descripon Le The LED shows green if there is a network link. Right Blinks green or stays green if there is network acvity.
Page 64: IdenFy Pa-7000 Series Npc Port AcVity And Link Leds
The following image shows how to idenfy the acvity and link LEDs for the port types available on PA-7000 Series ﬁrewall NPCs. The image shows the port orientaon if the NPC is in a horizontal posion. For details on the funcons and states of the LEDS, see...
Page 65: Pa-7000 Series Firewall Data Processing Card (Dpc)
PA-7000 Series Firewall Module and Interface Card Informaon PA-7000 Series Firewall Data Processing Card (DPC) The PA-7000 Series Data Processing Card (PA-7000-DPC-A) is an oponal interface card that can be installed to improve the processing capacity of the chassis. Similar in physical design to the PA-7000 100G NPC, the DPC oﬀers scalability in the form of four addional data plane instances.
Page 66 PA-7000 Series Firewall Module and Interface Card Informaon State Descripon The card hardware failed. (Alarm) Oﬀ The card is operang normally. Green The card temperature is normal. (Temperature) Yellow The card temperature is outside the temperature tolerance. Allows a remote administrator to illuminate the SVC LED on a speciﬁc front-slot (Service) card so an on-site technician can locate the card.
Page 67 PA-7000 Series Firewall Module and Interface Card Informaon State Descripon admin@PA-7080> set system setting service-led enable slo t s3 yes Oﬀ LED is oﬀ. LED is solid blue. PA-7000 Series Firewall Hardware Reference 2021 Palo Alto Networks, Inc. ©...
Page 68 PA-7000 Series Firewall Module and Interface Card Informaon PA-7000 Series Firewall Hardware Reference 2021 Palo Alto Networks, Inc. ©...
Page 69: Pa-7000 Series Firewall InstallaOn
PA-7000 Series Firewall Installaon The PA-7000 Series ﬁrewalls are modular systems that require you to install several components, such as network cards, during the installaon process. Due to the weight of the ﬁrewalls, we recommend that you ﬁrst install the ﬁrewall chassis into the rack...
Page 70: Pa-7000 Series Firewall Equipment Rack InstallaOn
PA-7000 Series Firewall Installaon PA-7000 Series Firewall Equipment Rack Installaon PA-7000 Series ﬁrewalls are designed for installaon in a standard 19-inch equipment rack in a mid-mount or front-mount posion. Before you install the hardware, read PA-7000 Series Firewall Rack Install Safety Informaon.
Page 71 STEP 4 | Align the rack-mount bracket mounng holes on each side of the chassis with the holes on the rack rail, ensuring that the chassis is level. PA-7000 Series Firewall Hardware Reference 2021 Palo Alto Networks, Inc. ©...
Page 72: Install The Pa-7050 Firewall In The Front-Mount PosiOn
To further reduce the chassis weight, remove the fan trays and front power supplies. STEP 1 | Read PA-7000 Series Firewall Rack Install Safety Informaon. PA-7000 Series Firewall Hardware Reference 2021 Palo Alto Networks, Inc. ©...
Page 73 There is a total of 112 bracket screws (56 on each side). Remove the front brackets (A and B) and back brackets (C and D) from the chassis. The back brackets (C and D) are not needed in this conﬁguraon. PA-7000 Series Firewall Hardware Reference 2021 Palo Alto Networks, Inc. ©...
Page 74 Use 25 screws to aach each bracket to the chassis in the front posion. When swapping the brackets, rotate them 180 degrees so the screw holes line up and the rack mount holes are on the front of the chassis. PA-7000 Series Firewall Hardware Reference 2021 Palo Alto Networks, Inc. ©...
Page 75 Posion the chassis into the rack using two or more people and if available, use a mechanical equipment li. STEP 5 | Align the mounng holes on the side of the chassis with holes in the rack rail, ensuring that the chassis is level. PA-7000 Series Firewall Hardware Reference 2021 Palo Alto Networks, Inc. ©...
Page 76: Install The Pa-7080 Firewall In The Mid-Mount PosiOn
This will prevent any damage to the cards that could occur during rack mounng and will reduce the weight of the chassis. STEP 1 | Read PA-7000 Series Firewall Rack Install Safety Informaon. PA-7000 Series Firewall Hardware Reference 2021 Palo Alto Networks, Inc.
Page 77 (8 upper bracket screws and 4 lower bracket screws). The upper bracket is designed for Ethernet cables and the console cable and the lower bracket is designed for ﬁber opc PA-7000 Series Firewall Hardware Reference 2021 Palo Alto Networks, Inc.
Page 78 Align the rack-mount bracket mounng holes on each side of the chassis with the holes on the rack rail, ensuring that the chassis is level. Secure the chassis to the rack using eight PA-7000 Series Firewall Hardware Reference 2021 Palo Alto Networks, Inc.
Page 79: Install The Pa-7080 Firewall In The Front-Mount PosiOn
This will prevent any damage to the cards that could occur during rack mounng and will reduce the weight of the chassis. STEP 1 | Read PA-7000 Series Firewall Rack Install Safety Informaon. PA-7000 Series Firewall Hardware Reference 2021 Palo Alto Networks, Inc.
Page 80 (8 upper bracket screws and 4 lower bracket screws). The upper bracket is designed for Ethernet cables and the console cable and the lower bracket is designed for ﬁber opc PA-7000 Series Firewall Hardware Reference 2021 Palo Alto Networks, Inc.
Page 81 Align the rack-mount bracket mounng holes on each side of the chassis with the holes on the rack rail, ensuring that the chassis is level. Secure the chassis to the rack using eight PA-7000 Series Firewall Hardware Reference 2021 Palo Alto Networks, Inc.
Page 82 PA-7000 Series Firewall Installaon rack#mount screws (not included) on each side of the chassis and ghten with a Phillips-head screwdriver. PA-7000 Series Firewall Hardware Reference 2021 Palo Alto Networks, Inc. ©...
Page 83: Install The Mandatory Pa-7000 Series Firewall Front Slot Cards
Install the Mandatory PA-7000 Series Firewall Front Slot Cards The PA-7000 Series ﬁrewalls require a minimum of three cards that you install in the front slots of the chassis. These cards are shipped separately from the chassis and include the following: The Switch Management Card (SMC) provides management connecvity to the chassis and HA...
Page 84 Remove the SMC from the anstac bag and slide it into the front slot (slot 4 on a PA-7050 ﬁrewall or slot 6 on a PA-7080 ﬁrewall) unl it is about 1/4-inch from being fully inserted. Ensure that the handles are in the open posion. PA-7000 Series Firewall Hardware Reference 2021 Palo Alto Networks, Inc. ©...
Page 85 Proceed to Install the PA-7000 Series Firewall Log Processing Card (LPC). Install the PA-7000 Series Firewall Switch Management Card (SMC-B) Switch Management Card (SMC) is required for chassis operaon. On a PA-7050 ﬁrewall, you must install the SMC in slot 4 and on the PA-7080 ﬁrewall, you must install the SMC in slot 6.
Page 86 ESD sensive hardware. For details on the ESD port locaon, see PA-7050 Front Panel (AC) PA-7080 Front Panel (AC). STEP 2 | Ensure that the chassis is powered oﬀ and disconnect the power cords. PA-7000 Series Firewall Hardware Reference 2021 Palo Alto Networks, Inc. ©...
Page 87 PA-7050 ﬁrewall or slot 6 on a PA-7080 ﬁrewall) unl it is about 1/4-inch from being fully inserted. Ensure that the handles are in the open posion. The following images show the ﬁrst-generaon SMC; the install procedure for the second-generaon SMC-B is the same. PA-7000 Series Firewall Hardware Reference 2021 Palo Alto Networks, Inc. ©...
Page 88: Install A Pa-7000 Series Firewall Log Card
Install a PA-7000 Series Firewall Log Card The PA-7000 Series ﬁrewall must have a log card installed to operate. You can install a Log Processing Card (LPC) or a Log Forwarding Card (LFC). To learn about the available log cards to...
Page 89 PA-7000 Series Firewall Installaon Install the PA-7000 Series Firewall Log Processing Card (LPC) Log Processing Card (LPC) is required for chassis operaon and the same LPC model is used in both the PA-7050 and PA-7080 ﬁrewalls. On a PA-7050 ﬁrewall, you must install the LPC in slot 8 and on the PA-7080 ﬁrewall, you must install the LPC in slot 7.
Page 90 The le and right inner levers have a micro-switch that will power oﬀ the card as soon as they are pulled to unlock the outer lever. PA-7000 Series Firewall Hardware Reference 2021 Palo Alto Networks, Inc. ©...
Page 91 Ensure that the handle on the front of each AMC is pulled out to the unlocked posion and then install each of the four AMCs into the four slots on the LPC. PA-7000 Series Firewall Hardware Reference 2021 Palo Alto Networks, Inc.
Page 92 Proceed to Install a PA-7000 Series Firewall Network Processing Card (NPC). Install the PA-7000 Series Firewall Log Forwarding Card (LFC) Log Forwarding Card (LFC) is required for chassis operaon and the same LFC model is used in both the PA-7050 and PA-7080 ﬁrewalls. On a PA-7050 ﬁrewall, you must install the LFC in slot 8 and on the PA-7080 ﬁrewall, you must install the LPC in slot 7.
Page 93 Remove the LFC from the anstac bag and slide it into the log card slot (slot 8 on a PA-7050 ﬁrewall or slot 7 on a PA-7080 ﬁrewall) ensuring that the handles are in the open PA-7000 Series Firewall Hardware Reference 2021 Palo Alto Networks, Inc.
Page 94 The le and right inner levers have a micro-switch that will power oﬀ the card as soon as they are pulled to unlock the outer lever. PA-7000 Series Firewall Hardware Reference 2021 Palo Alto Networks, Inc. ©...
Page 95: Install A Pa-7000 Series Firewall Network Processing Card (Npc)
Proceed to Install a PA-7000 Series Firewall Network Processing Card (NPC). Install a PA-7000 Series Firewall Network Processing Card (NPC) You can install up to 6 NPCs in a PA-7050 ﬁrewall and up to 10 NPCs in a PA-7080 ﬁrewall to expand port density and throughput.
Page 96 Firewall. • Install a PA-7000 Series Firewall NPC in a Single Chassis • Install a PA-7000 Series Firewall NPC in a High Availability (HA) Conﬁguraon • Conﬁgure a Log Card Port on a PA-7000 Series Firewall • Conﬁgure Session Distribuon on a PA-7000 Series Firewall...
Page 97 The following images show how to install NPCs. PA-7000 Series Firewall Hardware Reference 2021 Palo Alto Networks, Inc.
Page 98 PA-7000 Series Firewall Installaon PA-7000 Series Firewall Hardware Reference 2021 Palo Alto Networks, Inc. ©...
Page 99 (NPC) must also match and must be installed in the same slots on each ﬁrewall. Important: When installing new NPCs in a PA-7000 Series ﬁrewall with high availability (HA) conﬁgured, PAN-OS puts the cards in a disabled state. This allows you to bring up both cards (one in each ﬁrewall) at the same me, so HA can start monitoring the cards.
Page 100 PA-7000 Series Firewall, connue the following steps to bring up the NPCs in the HA pair. Refer to Verify the PA-7000 Series Firewall NPC Conﬁguraon for informaon on how to check the status of the NPCs. Run the following command to power-on both NPCs in the HA pair: admin@PA-7050>...
Page 101 Network Processing Card (NPC) using the type Log Card. This is required because the traﬃc processing and logging capabilies of a PA-7000 Series ﬁrewall exceeds the capabilies of the management port, which is the port used for these services on other ﬁrewall models.
Page 102: Configure Session DistribuOn On A Pa-7000 Series Firewall
PAN-OS Administrator’s Guide. Conﬁgure Session Distribuon on a PA-7000 Series Firewall Aer the ﬁrewall is installed and powered on, you can review the available session distribuon policies to determine if it make sense for you to change the default policy to beer ﬁt your environment.
Page 103: Connect Power To A Pa-7000 Series Firewall
Connect DC Power to a PA-7080 Firewall PA-7000 Series Power Conﬁguraon Opons This topic describes power conﬁguraon opons for PA-7000 Series ﬁrewalls. • PA-7050 ﬁrewall—Ships with either four AC or four DC power supplies preinstalled in the front power supply slots; you can change the power type (AC or DC) in the ﬁeld.
Page 104: Determine Pa-7000 Series Firewall Power ConfiguraOn Requirements
Determine PA-7000 Series Firewall Power Conﬁguraon Requirements The number of acve power supplies required to operate a PA-7000 Series ﬁrewall depends on the power input that you connect to the power supplies (120VAC, 240VAC, or -48VDC), the number of Network Processing Cards (NPCs), and your power redundancy requirement.
Page 105: Connect Ac Power To A Pa-7050 Firewall
The following procedure describes how to connect power to a PA-7050 ﬁrewall with AC power supplies installed. The power supplies require 120VAC 15-amp or 240VAC 20-amp power input. For details on power requirements, see Determine PA-7000 Series Firewall Power Conﬁguraon Requirements. STEP 1 |...
Page 106 120VAC power supplies required to power the chassis and the NPCs. STEP 8 | Secure the power cords to the power inlets using the power cord retainer clips. PA-7000 Series Firewall Hardware Reference 2021 Palo Alto Networks, Inc. ©...
Page 107: Connect Dc Power To A Pa-7050 Firewall
The following procedure describes how to connect power to DC power supplies in a PA-7050 ﬁrewall. The DC power supplies require -40VDC to -60VDC power input. For details on power requirements, see Determine PA-7000 Series Firewall Power Conﬁguraon Requirements. For the DC input circuit, make sure there is a 60-amp protected circuit breaker, minimum -40VDC to -60VDC, and a double pole on the input to the DC power.
Page 108 DC power supplies. It is best to route the cables ﬁrst and then plug the cables into the power supplies. STEP 8 | Conﬁrm that all front slot cards are properly inserted. PA-7000 Series Firewall Hardware Reference 2021 Palo Alto Networks, Inc. ©...
Page 109: Connect Ac Power To A Pa-7080 Firewall
The following procedure describes how to connect power to a PA-7080 ﬁrewall with AC power supplies installed. The power supplies require 120VAC 15-amp or 240VAC 20-amp power input. For details on power requirements, see Determine PA-7000 Series Firewall Power Conﬁguraon Requirements. STEP 1 |...
Page 110 120VAC power supplies required to power the chassis and the NPCs. STEP 8 | Secure the power cords to the power inlets using the power cord retainer clips. PA-7000 Series Firewall Hardware Reference 2021 Palo Alto Networks, Inc. ©...
Page 111: Connect Dc Power To A Pa-7080 Firewall
The following procedure describes how to connect power to DC power supplies in a PA-7080 ﬁrewall. The power supplies require -40VDC to -60VDC power input. For details on power requirements, see Determine PA-7000 Series Firewall Power Conﬁguraon Requirements. You must connect each of the eight DC power connecons (four on each PEM) to separate 60-amp protected circuit breakers, minimum -48VDC, and a double pole on the input to the DC power.
Page 112 50 in-lbs. You can install the lug in a vercal or horizontal posion. Be careful not to strip the threads on the nuts and lug studs. Figure 8: PA-7080 Ground Cable Connection PA-7000 Series Firewall Hardware Reference 2021 Palo Alto Networks, Inc. ©...
Page 113 1 A and 1 B and 2 A and 2 B. STEP 12 | Re-aach the plasc covers over the exposed DC power studs and cables. STEP 13 | Conﬁrm that all front slot cards are properly inserted. PA-7000 Series Firewall Hardware Reference 2021 Palo Alto Networks, Inc. ©...
Page 114: View Pa-7000 Series Firewall Power StaSCs
View PA-7000 Series Firewall Power Stascs Use the following informaon to learn how to view acve power stascs on a PA-7000 Series ﬁrewall to help you ensure power redundancy and to plan for growth. You can view the amount of power that each power supply is producing as well as the power rang for each hardware...
Page 115 Example Chassis Power Output from a PA-7080 Firewall Slot Component Card Status Power (w) PA-7000-20GQ-NPC PA-7000-20GQ-NPC PA-7000-20G-NPC PA-7000-20G-NPC PA-7000-20G-NPC PA-7080-SMC PA-7000-LPC empty PA-7000-20G-NPC empty empty empty FANTRAY PA-7080-FANTRAY Present FANTRAY PA-7080-FANTRAY Present PSA1 CP2500AC54TE 2500 (+) PA-7000 Series Firewall Hardware Reference 2021 Palo Alto Networks, Inc. ©...
Page 116 As indicated in the last row of the table, the four 2500 wa power supplies provide 10000 was and the installed hardware components (SMC, LPC or LFC, and NPCs) use 3740 was. If you subtract 3740 from 10000, there is 6260 was of power remaining. PA-7000 Series Firewall Hardware Reference 2021 Palo Alto Networks, Inc. ©...
Page 117: Connect Cables To A Pa-7000 Series Firewall
PA-7000 Series Firewall Installaon Connect Cables to a PA-7000 Series Firewall Aer you Connect Power to a PA-7000 Series Firewall, connect your management computer to the management port (MGT) on the ﬁrewall so you can begin the inial conﬁguraon. You can oponally connect your management computer to the console port, which provides a serial...
Page 118 PA-7000 Series Firewall Installaon PA-7000 Series Firewall Hardware Reference 2021 Palo Alto Networks, Inc. ©...
Page 119: Verify The Pa-7000 Series Firewall Lpc And Npc ConfiguraOn
Verify the PA-7000 Series Firewall LPC and NPC Conﬁguraon Aer you install the front-slot cards and power on the PA-7000 Series ﬁrewall (described in Connect Power to a PA-7000 Series Firewall), you can use the following informaon to verify the status of the Log Processing Card (LPC) and the Network Processing Cards (NPCs).
Page 120: Verify The Pa-7000 Series Firewall Npc ConfiguraOn
Verify the PA-7000 Series Firewall NPC Conﬁguraon When you ﬁrst set up a PA-7000 Series ﬁrewall, all NPC slots are ready to use. If you are working with a ﬁrewall that is already deployed, you should check slot status before adding a new NPC to ensure that the NPC slot is ready.
Page 121 For example, to enable NPCs installed in slot 3 of both chassis, run the following command: admin@PA-7050> request chassis power-on slot s3 target ha-pair For informaon on installing NPCs, see Replace a PA-7000 Series Network Processing Card (NPC) and for informaon on slot status indicators, see PA-7000 Series Front Slot States.
Page 122: Install The Pa-7080 Firewall Emi Filter
ﬁlter unl it is ﬂush with the chassis. STEP 2 | Secure the ﬁlter to the chassis using the four capve screws (two screws on each side). PA-7000 Series Firewall Hardware Reference 2021 Palo Alto Networks, Inc. ©...
Page 123: Service The Pa-7000 Series Firewall Hardware
Service the PA-7000 Series Firewall Hardware The following topics describes how to replace ﬁeld-serviceable components on a PA-7000 Series ﬁrewall. For an overview of the hardware components, see PA-7000 Series Firewall Overview. > Replace a PA-7000 Series Firewall AC or DC Power Supply >...
Page 124: Replace A Pa-7000 Series Firewall Ac Or Dc Power Supply
Service the PA-7000 Series Firewall Hardware Replace a PA-7000 Series Firewall AC or DC Power Supply The following topics describe how to interpret the power supply LEDs and how to replace a PA-7000 Series ﬁrewall power supply. • Interpret the PA-7000 Series Firewall Power Supply LEDs •...
Page 125: Replace A Pa-7000 Series Ac Power Supply
• Warning—Yellow indicates that the power supply temperature is exceeded and oﬀ indicates no warning. • Fault—Red indicates a power supply failure and oﬀ indicates no issues. Replace a PA-7000 Series AC Power Supply • Replace a PA-7050 AC Power Supply •...
Page 126 A red LED indicates a failed power supply. For details on the power supply LEDs, see Interpret the PA-7000 Series Firewall Power Supply LEDs STEP 3 | Power oﬀ the failed power supply; the switch is on the back of the chassis. Then unplug and remove the power cord (leaving the cord in place can cause arcing inside the chassis).
Page 127 Locate the failed power supply by viewing the system logs or by viewing the LED on the front of the power supply. A red LED indicates a failed power supply. For details on the power supply LEDs, see Interpret the PA-7000 Series Firewall Power Supply LEDs. STEP 3 | Power oﬀ...
Page 128 Service the PA-7000 Series Firewall Hardware supply door toward you from the le side to eject the power supply from the chassis. Then pull the power supply toward you and remove it. STEP 5 | Remove the replacement power supply from the packaging and open the front ejector door unl it is fully open.
Page 129: Replace A Pa-7000 Series Dc Power Supply
Plug the power cable into the corresponding AC power module on the back of the chassis and turn on the power switch. The new power supply will turn on and the LED will turn green. Replace a PA-7000 Series DC Power Supply • Replace a PA-7050 DC Power Supply •...
Page 130 Service the PA-7000 Series Firewall Hardware STEP 6 | Pull the power supply ejector handle out and down from the top center of the power supply to disengage it from the chassis and then slide the power supply out of the chassis using the power supply handle.
Page 131 Service the PA-7000 Series Firewall Hardware STEP 8 | Slide the new power supply into the empty power supply slot unl it almost fully seated. Ensure that the notch near the hinged part of the ejector handle inserts into the chassis so that when you close the handle, it properly seats the power supply.
Page 132 Locate the failed power supply by viewing the system logs or by viewing the LED on the front of the power supply. A red LED indicates a failed power supply. For details on the power supply LEDs, see Interpret the PA-7000 Series Firewall Power Supply LEDs. STEP 3 | Turn oﬀ...
Page 133 Service the PA-7000 Series Firewall Hardware will eject the power supply from the chassis. Pull the power supply toward you and remove STEP 5 | Remove the replacement power supply from the packaging and open the front ejector door unl it is fully open. Remember to push the metal clip located on the boom le to release the door.
Page 134: Replace A Pa-7080 Dc Pem
Service the PA-7000 Series Firewall Hardware Replace a PA-7080 DC PEM The DC Power Entry Module (PEM) is located on the back of the chassis and connects the power source to the power supplies located on the front of the chassis, which then distributes power to all chassis components.
Page 135 Service the PA-7000 Series Firewall Hardware STEP 4 | Remove the eight screws that secure the PEM to the chassis. STEP 5 | Remove the failed PEM from the chassis using the handles on each side of the PEM. STEP 6 | Carefully slide the replacement PEM into the PEM slot and secure it with the eight screws.
Page 136: Replace A Pa-7000 Series Firewall Fan Tray
Service the PA-7000 Series Firewall Hardware Replace a PA-7000 Series Firewall Fan Tray The following topics describe how to replace a PA-7050 or PA-7080 fan tray. • Replace a PA-7050 Fan Tray • Replace a PA-7080 Fan Tray Replace a PA-7050 Fan Tray The following procedure describes how to replace a PA-7050 fan tray.
Page 137 Service the PA-7000 Series Firewall Hardware STEP 4 | Turn the top and boom fan tray thumb screws counter-clockwise unl the screws stop. This will move the latches to the open posion in preparaon for the fan tray removal. If you replace the PA-7050-FANTRAY-R-A fan tray, remove the air ﬁlter that is part of the fan tray.
Page 138 Service the PA-7000 Series Firewall Hardware Figure 10: PA-7050-FANTRAY-L-A and PA-7050-FANTRAY-R-A STEP 5 | Grasp the fan tray handles and pull the tray out about two inches. Aer all working fans have stopped spinning, remove the fan tray from the chassis. The fan tray is heavy, so be prepared to support the weight of the tray when removing it.
Page 139 Service the PA-7000 Series Firewall Hardware STEP 7 | Turn the thumb screws to the right unl they stop. This will lock the top and boom latches to secure the tray to the chassis. Use a Phillips-head screwdriver to ghten the thumb screws.
Page 140 Service the PA-7000 Series Firewall Hardware Figure 12: PA-7050-FANTRAY-L-A and PA-7050-FANTRAY-R-A STEP 8 | Verify that the fan tray is operaonal by nong the status of the fan tray LEDs and the fan LED on the SMC (slot 4). The Fault LED on the fan tray turns oﬀ, the Power LED on the fan tray illuminates green, and the fan LED on the SMC changes from red to green.
Page 141: Replace A Pa-7080 Fan Tray
Service the PA-7000 Series Firewall Hardware Replace a PA-7080 Fan Tray The following procedure describes how to replace a PA-7080 fan tray. If one fan on a fan tray fails, the fault LED on the fan tray will turn red. If this occurs, replace the fan tray immediately to avoid service interrupon.
Page 142 Service the PA-7000 Series Firewall Hardware STEP 4 | Grasp both handles on the failed fan tray and gently push them outward as you slide the fan tray toward you about 1 inch. Wait 10 seconds to allow enough me for the working fans to stop spinning.
Page 143 Service the PA-7000 Series Firewall Hardware tray illuminates green, and the FAN LED on the SMC changes from red to green. You can view the status of the fan trays by running the CLI command: admin@PA-7080> show system environmentals fan-tray To view the status of each fan on a fan tray, run the following command: admin@PA-7080>...
Page 144: Replace A Pa-7000 Series Firewall Air Filter
Service the PA-7000 Series Firewall Hardware Replace a PA-7000 Series Firewall Air Filter The air ﬁlter is a crical part of the chassis cooling system that ensures that air entering the chassis does not contain debris. We recommend that you replace the ﬁrst-generaon ﬁlter every six months or less, depending on the environment where the ﬁrewall is located, to prevent...
Page 145 Service the PA-7000 Series Firewall Hardware STEP 3 | Push the ﬁlter in unl the rear ball joint(s) snap into place. If you are installing a PA-7050- FANTRAY-R-A air ﬁlter, turn the air ﬁlter screws clockwise unl ght. Figure 13: PA-7050 Chassis Air Filter PA-7000 Series Firewall Hardware Reference 2021 Palo Alto Networks, Inc.
Page 146 Service the PA-7000 Series Firewall Hardware Figure 14: PA-7050 FANTRAY-R-A Air Filter PA-7000 Series Firewall Hardware Reference 2021 Palo Alto Networks, Inc. ©...
Page 147 Service the PA-7000 Series Firewall Hardware Figure 15: PA-7080 Air Filter PA-7000 Series Firewall Hardware Reference 2021 Palo Alto Networks, Inc. ©...
Page 148: Replace A Pa-7000 Series Firewall Front Slot Card
Service the PA-7000 Series Firewall Hardware Replace a PA-7000 Series Firewall Front Slot Card The PA-7000 Series ﬁrewalls require one Switch Management Card (SMC), one Log Processing Card (LPC), and at least one Network Processing Card (NPC). The procedures to replace a front slot card on a PA-7050 and PA-7080 ﬁrewall are almost idencal.
Page 149 Service the PA-7000 Series Firewall Hardware that you install them in the same SSD slots on the replacement SMC-B (See Replace a PA-7050-SMC-B or PA-7080-SMC-B Drive). PA-7000 Series Firewall Hardware Reference 2021 Palo Alto Networks, Inc. ©...
Page 150 Service the PA-7000 Series Firewall Hardware STEP 5 | Remove the replacement SMC from the anstac bag. If you are replacing a failed PA-7050- SMC-B or PA-7080-SMC-B, install the SSDs that you removed in the previous step. STEP 6 | Slide it into the SMC slot, ensuring that the handles are in the open posion.
Page 151: Replace A Pa-7000 Series Log Card
Replace a PA-7000 Series Log Card Use the following topics to learn how to replace a PA-7000 Series Log Processing Card (LPC) or a PA-7000 Series Log Forwarding Card (LFC). The LPC has disk drives that must be removed and re- installed, while the LFC does not contain disk drives.
Page 152 Service the PA-7000 Series Firewall Hardware STEP 5 | Remove the LPC by pulling the inner release lever to unlock the outer release lever and then use the outer release lever to pull the LPC out of the chassis. The LPC has a double-lever on each side of the card. Aer loosening the thumb screws, you must pull the inner lever toward you to unlock the outer lever from the chassis and then pull the outer lever to release the card.
Page 153 Service the PA-7000 Series Firewall Hardware STEP 6 | Remove the new LPC from the anstac bag. Slide the LPC into the LPC slot, ensuring that the handles are in the open posion. When the card is about 1/4-inch from being fully inserted, adjust the levers to align with the chassis and then close the levers to seat the card in place.
Page 154 Re-Index the LPC Drives before powering on the chassis. Replace a PA-7000 Series Log Forwarding Card (LFC) If the LFC fails, the chassis reboots and will aempt to recover the LFC. If the LFPC connues to fail and the chassis reboots more than 3 mes in 30 minutes, it enters maintenance mode at which me you must power oﬀ...
Page 155 Service the PA-7000 Series Firewall Hardware STEP 4 | Remove the LFC by pulling the inner release lever to unlock the outer release lever and then use the outer release lever to pull the LFC out of the chassis. The LFC has a double-lever on each side of the card. Aer loosening the thumb screws, you must pull the inner lever toward you to unlock the outer lever from the chassis and then pull the outer lever to release the card.
Page 156: Replace A Pa-7000 Series Network Processing Card (Npc)
Tighten the thumb screws on each side of the LFC to secure it to the chassis. Replace a PA-7000 Series Network Processing Card (NPC) If a Network Processing Card (NPC) fails, the card will reboot and aempt to recover. If the card does not recover, it will change to a down state.
Page 157 NPC. • Replace PA-7000 Series Firewall NPC in a Single Chassis • Replace PA-7000 Series Firewall NPC in a High Availability (HA) Conﬁguraon • PA-7000 Series Front Slot and Card States • PA-7000 Series Firewall Network Processing Card (NPC) Troubleshoong Commands...
Page 158 Service the PA-7000 Series Firewall Hardware STEP 4 | Remove the NPC using the appropriate procedure below depending on the version of the installed NPC. There are two versions of the PA-7000 20G NPC as described in PA-7000 NPC. Version 1 has a black slide switch on each side of the card that is used to release the ejector lever.
Page 159 Service the PA-7000 Series Firewall Hardware ejector levers. Wait for the green power LED to go oﬀ and then pull the release lever toward you to pull the card out of the chassis. The following images show the two versions of the PA-7000 20G NPCs.
Page 160 Service the PA-7000 Series Firewall Hardware Figure 19: Install or Remove a PA-7000 20G Version 2 NPC STEP 5 | Remove the replacement NPC from the anstac bag and slide it into the empty slot, ensuring that the handles are in the open posion. When the card is about 1/4-inch from being fully inserted, adjust the levers to align with the chassis and then close the levers to seat the card in place.
Page 161 PA-7000 Series Firewall Network Processing Card (NPC) Troubleshoong Commands. Replace PA-7000 Series Firewall NPC in a High Availability (HA) Conﬁguraon When HA is conﬁgured on the ﬁrewall, the ﬁrewall is designed to allow the inseron of new Network Processing Cards (NPCs) without causing a failover. This is accomplished by the system not allowing a new card to come up in one chassis unl an NPC is installed in the same slot on the...
Page 162 Service the PA-7000 Series Firewall Hardware STEP 2 | Make note of the cable connecons and then loosen the screws on each side of the card that secure the NPC to the chassis. Releasing the eject levers on the NPC triggers a micro switch that powers down the card to prepare it for removal.
Page 163 For slot status informaon and troubleshoong, see the following secons: PA-7000 Series Front Slot States PA-7000 Series Firewall Network Processing Card (NPC) Troubleshoong Commands. PA-7000 Series Front Slot and Card States You can view the slot and card status informaon on a PA-7000 ﬁrewall using the web interface or the command line interface (CLI).
Page 164 The card has failed and needs to be replaced. Unsupported The card is not a supported type for this slot. PA-7000 Series Firewall Network Processing Card (NPC) Troubleshoong Commands The following table describes common commands that you can use to troubleshoot NPC issues on a PA-7000 Series ﬁrewall.
Page 165 Service the PA-7000 Series Firewall Hardware Purpose Command stays powered oﬀ, even aer a chassis reboot. Enable a slot so the NPC can admin@PA-7080> request pass traﬃc. chassis enable slot <slot-number> Enable new NPCs on In an HA conﬁguraon, you must install the same number and...
Page 166: Replace A Pa-7000 Series Smc Boot Drive
Service the PA-7000 Series Firewall Hardware Replace a PA-7000 Series SMC Boot Drive The ﬁrst generaon switch management cards (PA-7050-SMC and PA-7080-SMC) come with an mSATA solid-state drive (SSD) that contains the PAN-OS boot images and conﬁguraon ﬁles. If your PAN-OS conﬁguraon ﬁle is too large to ﬁt on the pre-installed SSD, you can replace the stock SSD with the PAN-PA-7000-MSATA-IMG.
Page 167 Service the PA-7000 Series Firewall Hardware STEP 6 | Gently press the two clips to release the mSATA. Once the mSATA pops up, carefully remove it from the socket. STEP 7 | Carefully place the new mSATA into the socket. Ensure that the label displaying the Palo Alto Networks SKU and bar codes is facing up.
Page 168 Service the PA-7000 Series Firewall Hardware STEP 11 | Boot the chassis with the new mSATA installed. When prompted, log in and reset the ﬁrewall to factory default sengs. Aer the reset operaon is complete, load your preferred version and conﬁguraon of PAN-OS.
Page 169: Replace A Pa-7000 Series Firewall Lpc Drive
Service the PA-7000 Series Firewall Hardware Replace a PA-7000 Series Firewall LPC Drive The Log Processing Card (LPC) contains four Advanced Mezzanine Cards (AMCs) used to house one 2.5” SATA drive each. The ﬁrst two drives (A1 and A2) are conﬁgured in a RAID 1 array and the second two drives (B1 and B2) are conﬁgured in a second RAID 1 array.
Page 170 Service the PA-7000 Series Firewall Hardware system raid slot s7 remove A2 This procedure is based on a PA-7080 ﬁrewall where the LPC is installed in slot s7. If you are working on a PA-7050 ﬁrewall, the LPC is installed in slot s8. For a PA-7050 ﬁrewall, replace slots7 with slot s8 in those commands that specify the LPC slot...
Page 171 Service the PA-7000 Series Firewall Hardware STEP 4 | Gently pull the AMC release handle of the failed drive toward you unl it stops to unlock the AMC from the chassis and then completely remove the AMC. The FAULT LED on the AMC that contains the failed drive will show red.
Page 172 Service the PA-7000 Series Firewall Hardware STEP 5 | Remove the replacement drive from the packaging and compare the drive model on the label with the drive model of the failed drive. Proceed as follows based on your ﬁndings: • If the replacement drive is the same model number of the failed drive that you removed, then connue to 6.
Page 173 Service the PA-7000 Series Firewall Hardware STEP 6 | (Same model replacement drive only) Install a replacement drive that is the same model as the other drive in the RAID 1 array: 1. Pull the AMC handle on the replacement drive outward unl it stops to prepare it for installaon into the LPC.
Page 174 Service the PA-7000 Series Firewall Hardware STEP 7 | (Diﬀerent model replacement drive only) Install a replacement drive that is a diﬀerent model than the other drive in the RAID 1 array: When you iniate the copy command as described in the following steps, logging and log query will not be available on the drive array unl the copy is complete and the disk...
Page 175 Service the PA-7000 Series Firewall Hardware 6. Install the second replacement drive. In this example, physically remove the drive from slot A1 and then install the second replacement drive—one that is the same model as you installed in slot A2—into slot A1.
Page 176: Re-Index The Lpc Drives
ﬁrewall using the console port because you will shut down all NPCs to avoid generang new traﬃc logs during indexing. STEP 1 | Aer replacing an LPC as described in Replace a PA-7000 Series Log Processing Card (LPC), power on the chassis. STEP 2 | If the ﬁrewall is in a high availability (HA) conﬁguraon, run the following commands to...
Page 177 Service the PA-7000 Series Firewall Hardware chassis admin-power-off slot <slot-number> For example, if there is an NPC in slot 1, run the following command: admin@PA-7050> request chassis admin-power-off slot s1 Do the same for each installed NPC unl all NPCs show AdminPowerOff. This ensures that network traﬃc will not traverse the ﬁrewall during indexing.
Page 178 Service the PA-7000 Series Firewall Hardware STEP 7 | If you powered oﬀ the NPCs, power them back on by running the following commands: To view the status of each NPC: admin@PA-7050> show chassis status For each NPC that is in the AdminPowerOff state, run the following command: admin@PA-7050>...
Page 179 Service the PA-7000 Series Firewall Hardware EDM-Vsys5-Sec-Pol-2 allow EDM-Vwire-Vsys5 10.5.40.161 aged-out You can also use the web interface to view logs. For example, to view the traﬃc logs, select Monitor > Logs > Traﬃc. PA-7000 Series Firewall Hardware Reference 2021 Palo Alto Networks, Inc.
Page 180: Replace A Pa-7050-Smc-B Or Pa-7080-Smc-B Drive
Service the PA-7000 Series Firewall Hardware Replace a PA-7050-SMC-B or PA-7080-SMC-B Drive The PA-7050-SMC-B and PA-7080-SMC-B have two SSD drives in a RAID 1 conﬁguraon. This conﬁguraon provides redundancy so if a drive in a RAID 1 array fails there is no unplanned service interrupon or loss of data.
Page 181 Service the PA-7000 Series Firewall Hardware Drive id Sys2 degraded panrepo clean Drive id Sys1 active sync Drive id Sys2 degraded swap clean Drive id Sys1 active sync Drive id Sys2 degraded STEP 2 | Run the following command to shut down the ﬁrewall: admin@PA-7080>...
Page 182 Service the PA-7000 Series Firewall Hardware STEP 5 | Remove the failed SMC-B from the chassis. The following images show the ﬁrst-generaon SMCs; the procedure is the same for the second-generaon SMCs (SMC-B). PA-7000 Series Firewall Hardware Reference 2021 Palo Alto Networks, Inc.
Page 183 Service the PA-7000 Series Firewall Hardware STEP 6 | Remove the failed drive (Sys 2 in this example). Turn the screw on the SSD drive slot door counter-clockwise and then remove the door. Pull the failed drive out of the SSD drive slot.
Page 184 Service the PA-7000 Series Firewall Hardware STEP 7 | Insert the replacement drive (into the Sys 2 slot in this example), reinstall the drive slot door and turn the door screw clockwise unl ght. STEP 8 | Reinstall the SMC-B into the chassis.
Page 185: Increase The Pa-7000 Series Firewall Lpc Log Storage Capacity
You can replace the 1TB drives with 2TB drives to double the log storage capacity to 4TBs. The logs on the 1TB drives will not be available aer upgrading drives on a PA-7000 Series ﬁrewall that is running a PAN-OS 7.0.7 or earlier release. Even if this is acceptable, we recommend that you perform this upgrade during a maintenance window.If it is important...
Page 186 Service the PA-7000 Series Firewall Hardware status : active sync card serial : 002901000067 Disk id A2 Present model : ST91000640NS size : 953869 MB status : active sync card serial : 002901000369 Disk Pair S7B Available Status clean Disk id B1...
Page 187 Service the PA-7000 Series Firewall Hardware system raid slot s7 remove A1 This procedure is based on a PA-7080 ﬁrewall where the LPC is installed in slot s7. If you are working on a PA-7050 ﬁrewall, the LPC is installed in slot s8. For a PA-7050 ﬁrewall, replace slot s7 with slot s8 in those commands that...
Page 188 Service the PA-7000 Series Firewall Hardware 3. Remove a new 2TB drives from the packaging and pull the AMC handle out to prepare it for installaon into the LPC. Install the drive into the empty drive slot (A1 in this example) and then push in the release handle on the AMC to lock it to the chassis.
Page 189 Service the PA-7000 Series Firewall Hardware system raid detail Connue running this command to view the RAID detail output unl you see that the array (A1/A2 in this example) shows Available. At this point, drive A2 will show not in use because there is a drive size mismatch.
Page 190 Service the PA-7000 Series Firewall Hardware card serial : 002901000064 To upgrade the B1/B2 drive array, repeat these procedures replacing the drive designators. For example, replace A1 with B1 and A2 with B2 to upgrade the drives in the B1/B2 RAID 1 array.
Page 191 Service the PA-7000 Series Firewall Hardware :admin@PA-7080> request system raid slot s7 remove A2 This procedure is based on a PA-7080 ﬁrewall where the LPC is installed in slot s7. If you are working on a PA-7050 ﬁrewall, the LPC would be installed in slot s8.
Page 192 Service the PA-7000 Series Firewall Hardware 3. Remove two 2TB drives from their packaging and pull the AMC handle out on each drive to prepare them for installaon into the LPC. Install the drives into the empty slots (A1 and A2) and then push in the release handle on each AMC to lock the AMCs to the chassis.
Page 193 Service the PA-7000 Series Firewall Hardware system raid detail The following output shows that the S7A array is Available. At this point, drive A2 will show not in use because you have not added it to the new RAID 1 array conﬁguraon.
Page 194 Service the PA-7000 Series Firewall Hardware PA-7000 Series Firewall Hardware Reference 2021 Palo Alto Networks, Inc. ©...
Page 195: Pa-7000 Series Firewall SpecificaOns
ﬁlter are listed separately for each model. View the Datasheet informaon on features, performance, and capacity numbers. > PA-7000 Series Firewall Physical Speciﬁcaons > PA-7000 Series Firewall Electrical Speciﬁcaons > PA-7000 Series Firewall Environmental Speciﬁcaons...
Page 196: Pa-7000 Series Firewall Physical SpecificaOns
PA-7000 Series Firewall Speciﬁcaons PA-7000 Series Firewall Physical Speciﬁcaons The following table describes PA-7050 and PA-7080 ﬁrewall physical speciﬁcaons. Speciﬁcaon Value Height • PA-7050 ﬁrewall—15.75 inches (40 cm) 9U • PA-7050 ﬁrewall with air ﬂow kit installed (PAN-AIRDUCT)— 24.5 inches (62.23 cm) 14U •...
Page 197 • LPC fully loaded with four AMCs—8.8 lbs (3 kg 991.61 g) • Log Forwarding Card (LFC)—9.5 lbs (4 kg 309.13) Fan tray • PA-7050 First-generaon fan tray • PA-7050-FANTRAY—9.8 lbs (4 kg 445.20 g) PA-7000 Series Firewall Hardware Reference 2021 Palo Alto Networks, Inc. ©...
Page 198 • PA-7080 ﬁrewall—Up to eight AC or DC supplies. The AC and DC power supplies are hot#swappable. The power supplies are not interchangeable between the PA-7050 and PA-7080 ﬁrewalls. For power conﬁguraon planning, see PA-7000 Series Firewall Hardware Reference 2021 Palo Alto Networks, Inc. ©...
Page 199: Pa-7000 Series Firewall Electrical SpecificaOns
PA-7000 Series Firewall Speciﬁcaons PA-7000 Series Firewall Electrical Speciﬁcaons Use the following topics to learn about the PA-7000 Series ﬁrewall electric speciﬁcaons and the types of power cords you can use. • PA-7000 Series Firewall Component Electrical Speciﬁcaons • PA-7000 Series Firewall Power Cord Types PA-7000 Series Firewall Component Electrical Speciﬁcaons...
Page 200: Pa-7000 Series Firewall Power Cord Types
• Output Power— +2500 Was PA-7000 Series Firewall Power Cord Types The PA-7000 Series ﬁrewalls ship with four AC or four DC power supplies by default. On the PA-7080 ﬁrewall, you can order up to four addional power supplies (eight total) and power cords are included with each AC power supply.
Page 201 Power Cord, North America, 15A, 250V, IEC C19 to IEC C14, 10 PAN-PWR-C19-US-120V Power Cord, North America, 15A, 125V, C19 to NEMA 5-15P, 10 PAN-PWR-C19-JP-120V Power Cord, Japan, 15A, 125V, JISC8303 to C19, 10, PSE Cerﬁed PA-7000 Series Firewall Hardware Reference 2021 Palo Alto Networks, Inc. ©...
Page 202: Pa-7000 Series Firewall Environmental SpecificaOns
PA-7000 Series Firewall Speciﬁcaons PA-7000 Series Firewall Environmental Speciﬁcaons The following table describes PA-7050 and PA-7080 ﬁrewall environmental speciﬁcaons. Speciﬁcaon Value Operang temperature range 0° to 50°C (32°F to 122°F) Storage temperature range -20° to 70°C (-4°F to 158°F) Humidity 5% to 90% non-condensing Chassis airﬂow...
Page 203: Pa-7000 Series Firewall Hardware Compliance Statements
Our products meet standards for product safety and electromagnec compability when used for their intended purpose. To view compliance statements for the PA-7000 Series ﬁrewalls, see PA-7000 Series Firewall Compliance...
Page 204: Pa-7000 Series Firewall Compliance Statements
PA-7000 Series Firewall Hardware Compliance Statements PA-7000 Series Firewall Compliance Statements The following are the PA-7000 Series ﬁrewall hardware compliance statements: • VCCI This secon provides the compliance statement for the Voluntary Control Council for Interference by Informaon Technology Equipment (VCCI), which governs radio frequency emissions in Japan.
Page 205 PA-7000 Series Firewall Hardware Compliance Statements • BSMI EMC Statement—User warning: This is a Class A product. When used in a residenal environment it may cause radio interference. In this case, the user will be required to take adequate measures.
Page 206 PA-7000 Series Firewall Hardware Compliance Statements PA-7000 Series Firewall Hardware Reference 2021 Palo Alto Networks, Inc. ©...

PaloAlto Networks PA-7000 Series Hardware Reference Manual

Quick Links

Need help?

Questions and answers

Related Manuals for PaloAlto Networks PA-7000 Series

Summary of Contents for PaloAlto Networks PA-7000 Series

Table of Contents