Page 1 PA-7000 Series Firewall Hardware Reference docs.paloaltonetworks.com...
Page 2 Contact Information Corporate Headquarters: Palo Alto Networks 3000 Tannery Way Santa Clara, CA 95054 www.paloaltonetworks.com/company/contact-support About the Documentation • For the most recent version of this guide or for access to related documentation, visit the Technical Documentation portal docs.paloaltonetworks.com. • To search for a specific topic, go to our search page docs.paloaltonetworks.com/search.html. •...
Page 3: Table Of Contents
Table of Contents Before You Begin....................7 Upgrade/Downgrade Considerations for Firewalls and Appliances........8 Tamper Proof Statement......................9 Third-Party Component Support...................10 Product Safety Warnings......................11 PA-7000 Series Firewall Overview............. 15 PA-7050 Front and Back Panel Descriptions..............16 PA-7050 Front Panel (AC)...................16 PA-7050 Back Panel (AC)....................19 PA-7050 Front Panel (DC)..................
Page 4 Table of Contents PA-7000 Series Firewall Rack Install Safety Information........70 Install the PA-7050 Firewall in the Mid-Mount Position........70 Install the PA-7050 Firewall in the Front-Mount Position........72 Install the PA-7080 Firewall in the Mid-Mount Position........76 Install the PA-7080 Firewall in the Front-Mount Position........79 Install the Mandatory PA-7000 Series Firewall Front Slot Cards........83 Install a PA-7000 Series Switch Management Card..........83 Install a PA-7000 Series Firewall Log Card.............88...
Page 5 Table of Contents Replace a PA-7000 Series Firewall LPC Drive..............183 Re-Index the LPC Drives...................... 190 Replace a PA-7050-SMC-B or PA-7080-SMC-B Drive..........194 Increase the PA-7000 Series Firewall LPC Log Storage Capacity.......199 PA-7000 Series Firewall Specifications........... 209 PA-7000 Series Firewall Physical Specifications.............210 PA-7000 Series Firewall Electrical Specifications............213 PA-7000 Series Firewall Component Electrical Specifications......213 PA-7000 Series Firewall Power Cord Types............
Page 7: Before You Begin
Before You Begin Read the following topics before you install or service a Palo Alto Networks next-generation ® firewall or appliance.The following topics apply to all Palo Alto Networks firewalls and appliances except where noted. • Upgrade/Downgrade Considerations for Firewalls and Appliances •...
Page 8: Upgrade/Downgrade Considerations For Firewalls And Appliances
Before You Begin Upgrade/Downgrade Considerations for Firewalls and Appliances The following table lists all hardware features that have upgrade or downgrade impact. Make sure you understand all upgrade/downgrade considerations before you upgrade or downgrade from the specified version of PAN-OS. Feature Release Upgrade Considerations...
Page 9: Tamper Proof Statement
Before You Begin Tamper Proof Statement To ensure that products purchased from Palo Alto Networks were not tampered with during shipping, verify the following upon receipt of each product: • The tracking number provided to you electronically when ordering the product matches the tracking number that is physically labeled on the box or crate.
Page 10: Third-Party Component Support
Before You Begin Third-Party Component Support Before you consider installing third-party hardware, read the Palo Alto Networks Third-Party Component Support statement. PA-7000 Series Firewall Hardware Reference 2023 Palo Alto Networks, Inc. ©...
Page 11: Product Safety Warnings
Before You Begin Product Safety Warnings To avoid personal injury or death for yourself and others and to avoid damage to your Palo Alto Networks hardware, be sure you understand and prepare for the following warnings before you install or service the hardware. You will also see warning messages throughout the hardware reference where potential hazards exist.
Page 12 Before You Begin • (All Palo Alto Networks appliances) Caution: Hot surface Hardware components are hot and can cause burnt hands and fingers. Wait at least one-half hour after switching power off to handle the hardware. • (All Palo Alto Networks appliances with two or more power supplies) Caution: Shock hazard...
Page 13 Before You Begin ventilateurs d’arrêter de tourner et permet d’éviter des blessures graves lors du retrait du tiroir. Vous pouvez remplacer un tiroir de ventilation lors de la mise sous tension du pare-feu. Toutefois, vous devez le faire dans les 45 secondes et vous ne pouvez remplacer qu’un tiroir à...
Page 14 Before You Begin • Install all firewalls that use DC power in restricted access areas only. A restricted access area is where access is granted only to craft (service) personnel using a special tool, lock and key, or other means of security, and that is controlled by the authority responsible for the location. French Translation: Tous les pare-feux utilisant une alimentation c.c.
Page 15: Pa-7000 Series Firewall Overview
PA-7000 Series Firewall Overview The PA-7000 Series firewalls (PA-7050 and PA-7080) are high performance modular firewalls designed for large enterprise and carrier class environments. These multi-blade chassis can leverage either AC or DC power and have hot-swappable Network Processing Cards (NPCs) to allow for expansion as needs grow.
Page 16: Pa-7050 Front And Back Panel Descriptions
PA-7000 Series Firewall Overview PA-7050 Front and Back Panel Descriptions • PA-7050 Front Panel (AC) • PA-7050 Back Panel (AC) • PA-7050 Front Panel (DC) • PA-7050 Back Panel (DC) PA-7050 Front Panel (AC) The following image shows the front panel of the PA-7050 firewall (with AC power supplies installed) and the table describes each front panel component.
Page 17 PA-7000 Series Firewall Overview Item Component Description • PA-7050-FAN—First-generation fan tray. These fan trays are interchangeable, so you can install them in either fan tray slot. • PA-7050-FANTRAY-L-A (left) and PA-7050- FANTRAY-R-A (right)—Second-generation fan tray that provides more cooling capacity than the first- generation fan tray.
Page 18 PA-7000 Series Firewall Overview Item Component Description The PAN-OS software is preinstalled on the ® embedded solid-state drive (SSD) on the SMC. Air filter Filters air entering the chassis. Periodically inspect the filter to ensure it is clean. The filter is not designed to be cleaned and it is recommended that you replace it every six months (depending on the environment).
Page 19: Pa-7050 Back Panel (Ac)
PA-7000 Series Firewall Overview Item Component Description Electrostatic Discharge Provides a grounding point that you use when removing (ESD) ports or installing chassis components. Secure the provided wrist strap end of the ESD strap around your wrist and plug the other end into one of the ESD ports. PA-7050 Back Panel (AC) The following image shows the back panel of the PA-7050 firewall (with AC power supplies installed) and the table describes each back panel component.
Page 20: Pa-7050 Front Panel (Dc)
PA-7000 Series Firewall Overview Item Component Description Power Entry Module Connects the power source to the power supplies located (PEM) AC power inlets on the front of the chassis. The front power supplies distribute power to all chassis components. The AC PEM contains four 20-amp AC power inlets—each accompanied by a switch—one pair, inlet with switch, for each power supply.
Page 21: Pa-7050 Back Panel (Dc)
PA-7000 Series Firewall Overview PA-7050 Back Panel (DC) The following image shows the back panel of the PA-7050 firewall (with DC power supplies installed). The AC inlets and switches are not functional and must remain covered using the provided cover plate. The only differences between the back panel of the AC model and the back panel of the DC model is that the DC model does not have a Power Entry Modules (PEM);...
Page 23: Pa-7080 Front And Back Panel Descriptions
PA-7000 Series Firewall Overview PA-7080 Front and Back Panel Descriptions • PA-7080 Front Panel (AC) • PA-7080 Back Panel (AC) • PA-7080 Front Panel (DC) • PA-7080 Back Panel (DC) PA-7080 Front Panel (AC) The following image shows the front panel of the PA-7080 firewall (with AC power supplies installed) and the table describes each front panel component.
Page 25 PA-7000 Series Firewall Overview Item Component Description Exhaust fan tray Provides ventilation and cooling for the chassis. The fan trays are interchangeable, so you can install them in either fan tray slot. During normal operation, the Power LED is green and the Fault LED is off.
Page 26 PA-7000 Series Firewall Overview Item Component Description • LPC—Manages and stores all dataplane logs generated by the firewall. The LPC contains four disk drives that are configured in two separate RAID 1 pairs to provide redundancy. Each drive is installed in an Advanced Mezzanine Card (AMC), which physically connects the drive to the LPC.
Page 27: Pa-7080 Back Panel (Ac)
PA-7000 Series Firewall Overview Item Component Description Air intake vent Provides air circulation for chassis cooling. Do not obstruct this vent. AC power supplies Provides power to the chassis using an AC power source. For information on connecting power, see Connect Power to a PA-7000 Series Firewall.
Page 28 PA-7000 Series Firewall Overview Item Component Description Exhaust vent Provides air circulation for chassis cooling. Do not obstruct this vent. PA-7000 Series Firewall Hardware Reference 2023 Palo Alto Networks, Inc. ©...
Page 29: Pa-7080 Front Panel (Dc)
PA-7000 Series Firewall Overview Item Component Description Ground stud Two-post stud used to ground the chassis to earth ground. Use the provided 6 AWG two#post ground lug to connect a grounded cable (not included) to the two#post stud. Power Entry Module Connects the power source to the power supplies located (PEM) AC power inlets on the front of the chassis.
Page 30: Pa-7080 Back Panel (Dc)
PA-7000 Series Firewall Overview PA-7080 Back Panel (DC) The following image shows the back panel of the PA-7080 firewall (with DC power supplies installed). The only differences between the back panel AC model and the back panel DC model is that the DC model has two DC Power Entry Modules (PEMs) instead of two AC PEMs.
Page 31 PA-7000 Series Firewall Overview contains two terminal strips, which connect eight wires (4 red positive and 4 black negative). The DC PEMs are field replaceable. For information on replacing a DC PEM, see Replace a PA-7080 DC PEM and for descriptions of the back panel components, see PA-7080 Back Panel (AC).
Page 33: Pa-7000 Series Firewall Module And Interface Card Information
PA-7000 Series Firewall Module and Interface Card Information The PA-7000 Series firewalls are modular systems and requires a minimum set of front slot cards. The required cards include the Switch Management Card (SMC), Log Processing Card (LPC) or Log Forwarding Card (LFC), and at least one Network Processing Card (NPC). To expand port density and throughput, you can install a total of six NPCs in the PA-7050 firewall and ten NPCs in the PA-7080 firewall.
Page 34: Pa-7000 Series Firewall Switch Management Cards (Smcs)
PA-7000 Series Firewall Module and Interface Card Information PA-7000 Series Firewall Switch Management Cards (SMCs) The PA-7000 Series Switch Management Card (SMC) provides: switch fabric management for the chassis, system management access, stores PAN-OS, the firewall configuration, and management logs. It also includes ports for high availability (HA) connectivity and LED indicators that provides status of the chassis components.
Page 35 PA-7000 Series Firewall Module and Interface Card Information same install and release levers as the LPC—version 1 does not; and the USB port is in a different location. There are no functional differences between the two versions. Figure 1: PA-7050 Version 1 SMC, First Generation Figure 2: PA-7050 Version 2 SMC, First Generation Figure 3: PA-7080 SMC, First Generation Item...
Page 36 PA-7000 Series Firewall Module and Interface Card Information Item Component Description You cannot configure HA1 (control) on NPC data ports or the MGT port. Ethernet 10/100/1000Mbps port used to access the management interface. To manage the firewall, change your management computer IP address to 192.168.1.2, connect an RJ-45 cable from your computer to the MGT port and browse to https:// 192.168.1.1.
Page 37 PA-7000 Series Firewall Module and Interface Card Information Item Component Description You can configure HA2 (data link) on the HSCI ports or on NPC data ports. When configuring on dataplane ports, you must ensure that both the HA2 and HA2-Backup links are configured on dataplane interfaces.
Page 38: Pa-7000 Series Firewall Smc-B Component Descriptions
PA-7000 Series Firewall Module and Interface Card Information PA-7000 Series Firewall SMC-B Component Descriptions The following image shows the second-generation SMC (PA-7050 SMC-B and PA-7080 SMC-B), and the tables describe each SMC component. Figure 4: PA-7050-SMC-B Figure 5: PA-7080-SMC-B Item Component Description MGT-A and MGT-B...
Page 39 PA-7000 Series Firewall Module and Interface Card Information Item Component Description HSCI-A and HSCI-B Two 40Gbps QSFP+/100Gbps QSFP28 ports as defined (High Speed Chassis by the IEEE 802.3ba standard. The link speed is based Interconnect) on the installed transceiver. Use this port to connect two PA-7000 Series firewalls in a high availability (HA) configuration as follows: •...
Page 40 PA-7000 Series Firewall Module and Interface Card Information Item Component Description The console connection provides access to firewall boot messages, the Maintenance Recovery Tool (MRT), and the command line interface (CLI). If your management computer does not have a serial port, use a USB-to-serial converter. Use the following settings to configure your terminal emulation software to connect to the console port:Data rate: 9600Data bits: 8Parity: NoneStop bits: 1Flow...
Page 41: Pa-7000 Series Firewall Smc-B Requirements
PA-7000 Series Firewall Module and Interface Card Information Item Component Description screws, pull the inner lever toward you to unlock the outer lever from the chassis and then pull the outer lever toward you to release the card from the chassis. The left and right inner levers have micro-switches that power off the card when they are pulled.
Page 42 PA-7000 Series Firewall Module and Interface Card Information First-Generation SMC (PA-7050-SMC and Second-Generation SMC (PA-7050-SMC-B PA-7080-SMC) and PA-7080-SMC-B) State Description PWR (POWER) Green The chassis is powered. The chassis power is off. STS (STATUS) Green The chassis is operating normally. Yellow The chassis is booting up.
Page 43 PA-7000 Series Firewall Module and Interface Card Information State Description There is a hardware failure, which may include the following: (Alarm) • Voltage issue. • Power supply detected but not operational. • Fan failure. • Hard drive failure. • Temperature above high temperature threshold. You may also see varying behavior for the ALM LED in an HA configuration as follows: •...
Page 44 PA-7000 Series Firewall Module and Interface Card Information State Description PA-7080-SMC- Enter the following command to view the status of the SVC LED on all cards that have this LED: admin@PA-7080> show system service-led status Service LED Slot Description Status s1 ...
Page 45 PA-7000 Series Firewall Module and Interface Card Information Description Left The LED is solid green if there is a network link. Right The LED blinks green if there is network activity. The following table describes the functions and states of the SMC HA1-A and HA1-B port LEDs. Description Left The LED is solid green if there is a network link.
Page 46: Pa-7000 Series Firewall Log Cards
PA-7000 Series Firewall Module and Interface Card Information PA-7000 Series Firewall Log Cards The PA-7000 Series firewalls support two log card models: the Log Processing Card (LPC) and the Log Forwarding Card (LFC). The difference between the LPC and the LFC is that the LPC stores logs locally and forward logs;...
Page 47 PA-7000 Series Firewall Module and Interface Card Information Item Component Description Log Processing Card (LPC) that processes all logs and then stores the logs on the four Advanced Mezzanine Cards (AMCs) that contain one disk drive each. Four Advanced Mezzanine Cards (AMCs) and drives used for log storage.
Page 48: Pa-7000 Series Firewall Log Forwarding Card (Lfc)
PA-7000 Series Firewall Module and Interface Card Information Interpret the PA-7000 Series Firewall AMC LEDs Use the following information to learn how to interpret the LED dashboard located on the front of the AMC. The Log Processing Card (LPC) does not have LEDs. If there is a hardware issue with the LPC, the LOG LED on the Switch Management Card (SMC) changes to red and the firewall generates a system log.
Page 49 PA-7000 Series Firewall Module and Interface Card Information Item Component Description QSFP+ ports Two quad small form-factor pluggable (QSFP+) 10Gbps/40Gbps Ethernet interfaces as defined by the IEEE 802.3ba standard. The two physical QSFP+ interfaces operate at 40Gbps each. The firewall uses the ports to forward all dataplane logs to an external system, such as Panorama, Firewall Data Lake, or a syslog server.
Page 50 PA-7000 Series Firewall Module and Interface Card Information Item Component Description In both of the above deployments, the linked device must be set to use LAG for all ports attached to the LFC. The LFC does not currently support LACP. Ports 1 and 9 share the same LED and ports 5 and 10 share the same LED.
Page 51 PA-7000 Series Firewall Module and Interface Card Information State Description PWR (POWER) Green The LFC is powered. The LFC power is off. STS (STATUS) Green The LFC is operating normally. Yellow The LFC is booting up. There is a hardware failure, which may include the following: (Alarm) •...
Page 52 PA-7000 Series Firewall Module and Interface Card Information State Description s1 empty Off s2 empty Off s3 PA-7000-100G-NPC Off s4 empty Off s5 empty Off s6 PA-7080-SMC-B On s7 PA-7000-LFC On s8 empty Off s9 empty Off s10 empty Off s11 ...
Page 53 PA-7000 Series Firewall Module and Interface Card Information Description QSFP LEDs These LEDs indicate link and activity. The color of the LED indicates the port speed. • Green—The port is operating at 10Gbps • Yellow—The port is operating at 40Gbps To learn about the orientation of the LED indicators, see Identify PA-7000 Series NPC Port Activity and Link...
Page 54: Pa-7000 Series Firewall Network Processing Cards (Npcs)
PA-7000 Series Firewall Module and Interface Card Information PA-7000 Series Firewall Network Processing Cards (NPCs) Network Processing Cards (NPCs) provide network connectivity for a PA-7000 Series firewall. To scale performance and capacity, you can install up to six NPCs in a PA-7050 firewall and up to ten NPCs in a PA-7080 firewall.
Page 55 PA-7000 Series Firewall Module and Interface Card Information PA-7000 20G NPC Component Descriptions The following images show the two types of PA-7000 20G NPCs and the table describes the NPC components. The only difference between the two versions is the levers used to install and remove the cards.
Page 56 PA-7000 Series Firewall Module and Interface Card Information Item Component Description NPC installation and • Screws, lever release latches, and ejector levers used removal hardware to install and remove a version 1 NPC card. The lever release latches on each side slides upward to release the levers used to eject the card from the chassis.
Page 57: Pa-7000 20Gxm Npc
PA-7000 Series Firewall Module and Interface Card Information State Description Green The card temperature is normal. (Temperature) Yellow The card temperature is outside the temperature tolerance. The following table describes the functions and states of the Ethernet and SFP Port LEDs Description Left The LED is solid green if there is a network link.
Page 58 PA-7000 Series Firewall Module and Interface Card Information The PA-7000 Series firewall must have PAN-OS 7.0 or later installed to use the PA-7000-20GQ-NPC. If you purchase a PA-7050 firewall running a PAN-OS 6.1 or earlier release and you only have a PA-7000-20GQ available (or, if you have more than one NPC and all are this model), refer to KB article 9729 before attempting to upgrade to a PAN-OS 7.0 or later...
Page 59 PA-7000 Series Firewall Module and Interface Card Information Interpret the PA-7000 20GQ NPC LEDs Use the following information to learn how to interpret the LED dashboard and port LEDs located on the PA-7000 20GQ Network Processing Card (NPC). The following table describes the functions and states of the NPC LED dashboard. State Description Green...
Page 60: Pa-7000 20Gqxm Npc
PA-7000 Series Firewall Module and Interface Card Information PA-7000 20GQXM NPC The difference between this NPC and the PA-7000 20GQ NPC is that the PA-7000 20GQ NPC supports up to 4 million sessions and the PA-7000 20GQXM NPC supports up to 8 million sessions.
Page 61 PA-7000 Series Firewall Module and Interface Card Information Item Component Description To properly breakout the QSFP ports, your transceiver must be either the PAN-QSFP-40GBASE-SR4 or PAN- QSFP28-100GBASE-SR4, and you must use an appropriate passive breakout cable. LED dashboard Five LEDs that provide NPC status. For details on the LEDs, see Interpret the PA-7000 100G NPC LEDs.
Page 62 PA-7000 Series Firewall Module and Interface Card Information State Description Green The card temperature is normal. (Temperature) Yellow The card temperature is outside the temperature tolerance. Allows a remote administrator to illuminate the SVC LED on a specific front-slot (Service) card so an on-site technician can locate the card.
Page 63 PA-7000 Series Firewall Module and Interface Card Information State Description LED is solid blue. The following table describes functions and states of the SFP+ port LEDs. Description Left The LED shows green if there is a network link. Right Blinks green or stays green if there is network activity. The following table describes functions and states of the QSFP28 port LEDs.
Page 64: Identify Pa-7000 Series Npc Port Activity And Link Leds
PA-7000 Series Firewall Module and Interface Card Information • (PA-7080 only) Install the PA-7080 Firewall EMI Filter to reduce electromagnetic interference. Identify PA-7000 Series NPC Port Activity and Link LEDs The following image shows how to identify the activity and link LEDs for the port types available on PA-7000 Series firewall NPCs.
Page 65: Pa-7000 Series Firewall Data Processing Card (Dpc)
PA-7000 Series Firewall Module and Interface Card Information PA-7000 Series Firewall Data Processing Card (DPC) The PA-7000 Series Data Processing Card (PA-7000-DPC-A) is an optional interface card that can be installed to improve the processing capacity of the chassis. Similar in physical design to the PA-7000 100G NPC, the DPC offers scalability in the form of four additional data plane instances.
Page 66 PA-7000 Series Firewall Module and Interface Card Information State Description The card hardware failed. (Alarm) The card is operating normally. Green The card temperature is normal. (Temperature) Yellow The card temperature is outside the temperature tolerance. Allows a remote administrator to illuminate the SVC LED on a specific front-slot (Service) card so an on-site technician can locate the card.
Page 67 PA-7000 Series Firewall Module and Interface Card Information State Description admin@PA-7080> set system setting service-led enable slo t s3 yes LED is off. LED is solid blue. PA-7000 Series Firewall Hardware Reference 2023 Palo Alto Networks, Inc. ©...
Page 68 PA-7000 Series Firewall Module and Interface Card Information PA-7000 Series Firewall Hardware Reference 2023 Palo Alto Networks, Inc. ©...
Page 69: Pa-7000 Series Firewall Installation
PA-7000 Series Firewall Installation The PA-7000 Series firewalls are modular systems that require you to install several components, such as network cards, during the installation process. Due to the weight of the firewalls, we recommend that you first install the firewall chassis into the rack and then install the front slot cards.
Page 70: Pa-7000 Series Firewall Equipment Rack Installation
PA-7000 Series Firewall Installation PA-7000 Series Firewall Equipment Rack Installation PA-7000 Series firewalls are designed for installation in a standard 19-inch equipment rack in a mid-mount or front-mount position. Before you install the hardware, read PA-7000 Series Firewall Rack Install Safety Information.
Page 71 PA-7000 Series Firewall Installation STEP 2 | (Optional) Install the mid-mount cable management brackets using the fives screws included with the bracket. STEP 3 | Position the chassis into the rack using two or more people and if available, use a mechanical equipment lift.
Page 72: Install The Pa-7050 Firewall In The Front-Mount Position
PA-7000 Series Firewall Installation STEP 5 | Attach the rack-mount brackets to the rack using rack-mount screws (not provided) and tighten with a screwdriver. Install four screws on each side of the chassis. Install the PA-7050 Firewall in the Front-Mount Position The following procedures describe how to install the PA-7050 firewall in a front-mount position.
Page 73 PA-7000 Series Firewall Installation STEP 2 | Move the brackets from the mid-mount position to the front-mount position. The brackets are in two sections on each side of the chassis (the front section and the back section). Remove the six screws on each side of the chassis where the two brackets come together in the mid-mount position and then remove 25 screws to remove each of the four brackets (two brackets on each side).
Page 74 PA-7000 Series Firewall Installation Swap the front brackets, so the rack mount screw holes are now on the front of the chassis. Use 25 screws to attach each bracket to the chassis in the front position. When swapping the brackets, rotate them 180 degrees so the screw holes line up and the rack mount holes are on the front of the chassis.
Page 75 PA-7000 Series Firewall Installation STEP 3 | (Optional) Install the front-mount cable management brackets using the six screws included with the bracket. In the front-mount installation, the cable management brackets install over the chassis rack mount bracket used to mount the chassis to the rack, so it is recommended that you install the cable management bracket before installing the chassis into the rack.
Page 76: Install The Pa-7080 Firewall In The Mid-Mount Position
PA-7000 Series Firewall Installation STEP 6 | Attach the chassis brackets to the rack using the provided rack mount screws and tighten with a Phillips-head screwdriver. Install all four screws on each side of the chassis. Install the PA-7080 Firewall in the Mid-Mount Position The following procedures describe how to install the PA-7080 firewall in a mid-mount position.
Page 77 PA-7000 Series Firewall Installation STEP 2 | Remove eight screws from each front-mount bracket (one left and one right) and then remove the brackets. STEP 3 | (Optional) Install the upper and lower cable management brackets using the provided screws (8 upper bracket screws and 4 lower bracket screws).
Page 78 PA-7000 Series Firewall Installation cables. To access the screw holes on the lower bracket, open the door located at the front of the bracket as shown in the following image. STEP 4 | Position the chassis into the rack using two or more people and if available, use a mechanical equipment lift.
Page 79: Install The Pa-7080 Firewall In The Front-Mount Position
PA-7000 Series Firewall Installation rack#mount screws (not included) on each side of the chassis and tighten with a Phillips-head screwdriver. Install the PA-7080 Firewall in the Front-Mount Position The following procedure describes how to install the PA-7080 firewall in a mid-mount position. Both rack#mount bracket types (mid-mount and front-mount) are preinstalled.
Page 80 PA-7000 Series Firewall Installation STEP 2 | Remove 16 screws from each mid-mount bracket (one left and one right) and then remove the brackets. STEP 3 | (Optional) Install the upper and lower cable management brackets using the provided screws (8 upper bracket screws and 4 lower bracket screws).
Page 81 PA-7000 Series Firewall Installation cables. To access the lower bracket screw holes, open the door located at the front of the bracket as shown in the image. STEP 4 | Position the chassis into the rack using two or more people and if available, use a mechanical equipment lift.
Page 82 PA-7000 Series Firewall Installation rack#mount screws (not included) on each side of the chassis and tighten with a Phillips-head screwdriver. PA-7000 Series Firewall Hardware Reference 2023 Palo Alto Networks, Inc. ©...
Page 83: Install The Mandatory Pa-7000 Series Firewall Front Slot Cards
PA-7000 Series Firewall Installation Install the Mandatory PA-7000 Series Firewall Front Slot Cards The PA-7000 Series firewalls require a minimum of three cards that you install in the front slots of the chassis. These cards are shipped separately from the chassis and include the following: The Switch Management Card (SMC) provides management connectivity to the chassis and HA connectivity;...
Page 84 PA-7000 Series Firewall Installation STEP 3 | Remove the SMC from the antistatic bag and slide it into the front slot (slot 4 on a PA-7050 firewall or slot 6 on a PA-7080 firewall) until it is about 1/4-inch from being fully inserted. Ensure that the handles are in the open position.
Page 85 PA-7000 Series Firewall Installation STEP 4 | Close the handles and ensure that the SMC fully seats into the SMC slot. STEP 5 | Tighten the thumb screws on each side of the SMC to secure it to the chassis. Use a Phillips- head screwdriver if necessary.
Page 86 PA-7000 Series Firewall Installation banana clip end into one of the ESD ports located on the front of the chassis before handling ESD sensitive hardware. For details on the ESD port location, see PA-7050 Front Panel (AC) PA-7080 Front Panel (AC).
Page 87 PA-7000 Series Firewall Installation STEP 3 | Remove the SMC-B from the antistatic bag and slide it into the front slot (slot 4 on a PA-7050 firewall or slot 6 on a PA-7080 firewall) until it is about 1/4-inch from being fully inserted.
Page 88: Install A Pa-7000 Series Firewall Log Card
PA-7000 Series Firewall Installation STEP 4 | Close the handles and ensure that the SMC-B fully seats into the SMC slot. STEP 5 | Tighten the thumb screws on each side of the SMC-B to secure it to the chassis. Use a Phillips-head screwdriver if necessary.
Page 89 PA-7000 Series Firewall Installation Install the PA-7000 Series Firewall Log Processing Card (LPC) Log Processing Card (LPC) is required for chassis operation and the same LPC model is used in both the PA-7050 and PA-7080 firewalls. On a PA-7050 firewall, you must install the LPC in slot 8 and on the PA-7080 firewall, you must install the LPC in slot 7.
Page 90 PA-7000 Series Firewall Installation position. When the card is about 1/4-inch from being fully inserted, adjust the levers to align with the chassis and then close the levers to seat the card in place. The LPC has a double lever on each side of the card. After loosening the thumb screws, you must pull the inner lever toward you to unlock the outer lever from the chassis and then pull the outer lever to release the card from the chassis.
Page 91 PA-7000 Series Firewall Installation STEP 4 | Tighten the thumb screws on each side of the LPC to secure it to the chassis. Use a Phillips- head screwdriver if necessary. STEP 5 | Ensure that the handle on the front of each AMC is pulled out to the unlocked position and then install each of the four AMCs into the four slots on the LPC.
Page 92 PA-7000 Series Firewall Installation STEP 6 | After you install each AMC, push the handle in to lock the AMC in place. For more information on how to install or remove AMCs, see Replace a PA-7000 Series Firewall LPC Drive. After you power on the chassis for the first time, the firewall will format the drives and configure them in two RAID 1 configurations.
Page 93 PA-7000 Series Firewall Installation STEP 4 | Remove the LFC from the antistatic bag and slide it into the log card slot (slot 8 on a PA-7050 firewall or slot 7 on a PA-7080 firewall) ensuring that the handles are in the open PA-7000 Series Firewall Hardware Reference 2023 Palo Alto Networks, Inc.
Page 94 PA-7000 Series Firewall Installation position. When the card is about 1/4-inch from being fully inserted, adjust the levers to align with the chassis and then close the levers to seat the card in place. The LFC has a double lever on each side of the card. After loosening the thumb screws, you must pull the inner lever toward you to unlock the outer lever from the chassis and then pull the outer lever to release the card from the chassis.
Page 95: Install A Pa-7000 Series Firewall Network Processing Card (Npc)
PA-7000 Series Firewall Installation STEP 5 | Tighten the thumb screws on each side of the LFC to secure it to the chassis. Use a Phillips- head screwdriver if necessary. STEP 6 | Proceed to Install a PA-7000 Series Firewall Network Processing Card (NPC).
Page 96 PA-7000 Series Firewall Installation If you plan to populate all NPC slots on the firewall, ensure that you install the appropriate number of power supplies (see Determine PA-7000 Series Firewall Power Configuration Requirements). The procedures to install NPCs in a single chassis and the procedure to install NPCs in a pair of chassis in high availability (HA) are different.
Page 97 PA-7000 Series Firewall Installation from being fully inserted, adjust the levers to align with the chassis and then close the levers to seat the card in place. The following images show how to install NPCs. PA-7000 Series Firewall Hardware Reference 2023 Palo Alto Networks, Inc.
Page 98 PA-7000 Series Firewall Installation PA-7000 Series Firewall Hardware Reference 2023 Palo Alto Networks, Inc. ©...
Page 99 PA-7000 Series Firewall Installation STEP 3 | Tighten the screws on each side of the card to secure the card to the chassis. The version 1 NPC has a standard Phillips-head screw and the version 2 NPC has a thumb screw that you can also tighten with a Phillips-head screwdriver.
Page 100 PA-7000 Series Firewall Installation Installing a new NPC also causes any virtual routers to restart. STEP 1 | Put the provided ESD wrist strap on your wrist ensuring that the metal contact is touching your skin. Then attach (snap) one end of the ground cable to the wrist strap and remove the alligator clip from the banana clip on the other end of the ESD grounding cable.
Page 101 PA-7000 Series Firewall Installation chassis status slot s3 If the cards are functioning properly, the status will show an output similar to the following: Slot...Component..Card Status..Config Status 3 ..PA-7000-20G-NPC .Up....Success STEP 5 | Connect the network cables and the NPCs are ready to process network traffic. Configure a Log Card Port on a PA-7000 Series Firewall A log card port is required if you configure the firewall to forward logs to an external system or if you configure a WildFire...
Page 102: Install A Pa-7000 Series Firewall Data Processing Card (Dpc)
PA-7000 Series Firewall Installation STEP 5 | Click the Log Card Forwarding tab. STEP 6 | Enter the IPv4 and/or IPv6 IP Address, Netmask, and Default Gateway. STEP 7 | Click OK and then click Commit. After the commit completes, connect the port to your network equipment.
Page 103 PA-7000 Series Firewall Installation from being fully inserted, adjust the levers to align with the chassis and then close the levers to seat the card in place. The following images show how to install DPCs. PA-7000 Series Firewall Hardware Reference 2023 Palo Alto Networks, Inc.
Page 104 PA-7000 Series Firewall Installation STEP 3 | Tighten the thumb screws on each side of the card to secure the card to the chassis by hand or using a Phillips-head screwdriver. STEP 4 | Cover any empty slots with the provided blank slot covers. Each empty slot must be covered with the provided blank slot covers to ensure proper airflow and to prevent debris from entering the chassis.
Page 105 PA-7000 Series Firewall Installation STEP 6 | Ensure that the DPC's session distribution policy is set to session-load. 1. Run the following command to check the DPC's current distribution policy: admin@PA-7050> show session distribution policy 2. If the Ownership Distribution Policy reads as any value other than session-load, run the following command: admin@PA-7050>...
Page 106 PA-7000 Series Firewall Installation STEP 4 | Install the second DPC in the other chassis in the HA pair in the same slot you installed the DPC in the first chassis. For example, if you installed the first DPC in slot 3 of the first chassis, install the second DPC in slot 3 of the second chassis.
Page 107: Configure Session Distribution On A Pa-7000 Series Firewall
PA-7000 Series Firewall Installation Configure Session Distribution on a PA-7000 Series Firewall After the firewall is installed and powered on, you can review the available session distribution policies to determine if it make sense for you to change the default policy to better fit your environment.
Page 108: Connect Power To A Pa-7000 Series Firewall
PA-7000 Series Firewall Installation Connect Power to a PA-7000 Series Firewall The following topics describe how to connect power to a PA-7050 or PA-7080 firewall. Before proceeding, read PA-7000 Series Power Configuration Options Determine PA-7000 Series Firewall Power Configuration Requirements to ensure that you understand the available power options and that you provide enough power to the firewalls based on your configuration.
Page 109: Determine Pa-7000 Series Firewall Power Configuration Requirements
PA-7000 Series Firewall Installation Determine PA-7000 Series Firewall Power Configuration Requirements The number of active power supplies required to operate a PA-7000 Series firewall depends on the power input that you connect to the power supplies (120VAC, 240VAC, or -48VDC), the number of Network Processing Cards (NPCs), and your power redundancy requirement.
Page 110: Connect Ac Power To A Pa-7050 Firewall
PA-7000 Series Firewall Installation Model and Power NPCs Installed and Active Power Supplies Required Input NPCs NPCs NPCs NPCs NPCs NPCs NPCs NPCs NPCs PA-7080 Firewall120VAC PA-7080 Firewall 240VAC or -48VDC For example, if you have a PA-7080 firewall with ten NPCs and configure it to use 240VAC or #48VDC, you must power on a minimum of three power supplies to power the chassis and all NPCs.
Page 111 PA-7000 Series Firewall Installation STEP 4 | Remove the two nuts and star washers from the ground studs located on the back of the chassis on the upper left side. STEP 5 | Crimp a 6-AWG wire to the provided grounding lug and connect the other end to your earth ground point.
Page 112: Connect Dc Power To A Pa-7050 Firewall
PA-7000 Series Firewall Installation STEP 9 | Confirm that all front slot cards are properly inserted and then turn on each of the four AC power switches located on the back of the chassis. The chassis will power on. Connect DC Power to a PA-7050 Firewall The following procedure describes how to connect power to DC power supplies in a PA-7050 firewall.
Page 113 PA-7000 Series Firewall Installation STEP 4 | Crimp a 6-AWG wire to the provided grounding lug and connect the other end to your earth ground point. STEP 5 | Connect the two-post lug connector to the two-post studs on the chassis using the provided star washers and nuts and then torque the nuts to 50 in-lbs.
Page 114: Connect Ac Power To A Pa-7080 Firewall
PA-7000 Series Firewall Installation STEP 9 | After each DC cable is securely connected, power on the DC power source and the chassis will power on. Connect AC Power to a PA-7080 Firewall The following procedure describes how to connect power to a PA-7080 firewall with AC power supplies installed.
Page 115 PA-7000 Series Firewall Installation STEP 6 | Connect the two-post lug connector to the two-post lugs on the chassis using the provided star washers and nuts and then torque the nuts to 50 in-lbs. You can install the lug in a vertical or horizontal position.
Page 116: Connect Dc Power To A Pa-7080 Firewall
PA-7000 Series Firewall Installation STEP 9 | Confirm that all front slot cards are properly inserted and then turn on each of the four AC power switches located on the back of the chassis. The chassis will power on. Connect DC Power to a PA-7080 Firewall The following procedure describes how to connect power to DC power supplies in a PA-7080 firewall.
Page 117 PA-7000 Series Firewall Installation STEP 2 | Put the provided ESD wrist strap on your wrist ensuring that the metal contact is touching your skin. Then attach (snap) one end of the ground cable to the wrist strap and remove the alligator clip from the banana clip on the other end of the ESD grounding cable.
Page 118 PA-7000 Series Firewall Installation STEP 6 | While facing the back of the chassis, remove the plastic covers that protect the DC power connections for PEM A (1 and 2) and PEM B (1 and 2). If you are installing additional DC power supplies on the front of the chassis, remove the plastic covers for the corresponding PEM numbers.
Page 119: View Pa-7000 Series Firewall Power Statistics
PA-7000 Series Firewall Installation STEP 14 | After each DC cable is securely connected, power on the DC power source and the chassis will power on. View PA-7000 Series Firewall Power Statistics Use the following information to learn how to view active power statistics on a PA-7000 Series firewall to help you ensure power redundancy and to plan for growth.
Page 120 PA-7000 Series Firewall Installation STEP 2 | View the output for information on the status of each component and the current power rating. For example, the following table shows the CLI output (in table format) from a PA-7080 with four power supplies and six NPCs installed.
Page 121 PA-7000 Series Firewall Installation Slot Component Card Status Power (w) PSA2 CP2500AC54TE 2500 (+) PSA3 empty PSA4 empty PSB1 CP2500AC54TE 2500 (+) PSB2 CP2500AC54TE 2500 (+) PSB3 empty PSB4 empty Provided: 10000 Used: 3740 Remaining 6260 As indicated in the last row of the table, the four 2500 watt power supplies provide 10000 watts and the installed hardware components (SMC, LPC or LFC, and NPCs) use 3740 watts.
Page 122: Connect Cables To A Pa-7000 Series Firewall
PA-7000 Series Firewall Installation Connect Cables to a PA-7000 Series Firewall After you Connect Power to a PA-7000 Series Firewall, connect your management computer to the management port (MGT) on the firewall so you can begin the initial configuration. You can optionally connect your management computer to the console port, which provides a serial connection to the firewall and enables you to view the bootup messages and manage the firewall using the command line interface (CLI).
Page 123 PA-7000 Series Firewall Installation PA-7000 Series Firewall Hardware Reference 2023 Palo Alto Networks, Inc. ©...
Page 124: Verify The Pa-7000 Series Firewall Lpc And Npc Configuration
PA-7000 Series Firewall Installation Verify the PA-7000 Series Firewall LPC and NPC Configuration After you install the front-slot cards and power on the PA-7000 Series firewall (described in Connect Power to a PA-7000 Series Firewall), you can use the following information to verify the status of the Log Processing Card (LPC) and the Network Processing Cards (NPCs).
Page 125: Verify The Pa-7000 Series Firewall Npc Configuration
PA-7000 Series Firewall Installation card serial : 002901000089 Disk id B2 Present model : ST91000640NS size : 953869 MB status : active sync card serial : 002901000076 The output also shows the model, size, status, and the AMC serial number. For information on replacing a failed drive and commands to add and remove drives, see Replace a PA-7000 Series Firewall LPC...
Page 126 PA-7000 Series Firewall Installation After you successfully install an NPC, the status shows Card Status Up and Config Status Success. You can power down a slot and the slot will stay in the down state until you power it on. Use the following commands to change the slot status: To power on an NPC slot: admin@PA-7050>...
Page 127: Install The Pa-7080 Firewall Emi Filter
PA-7000 Series Firewall Installation Install the PA-7080 Firewall EMI Filter The PA-7080 Electromagnetic Interference (EMI) filter (PAN-PA-7080-EMI-FLTR) reduces EMI emissions and is required when you install the following hardware components: • PA-7000 100G NPC • PA-7080-SMC-B • PA-7000-LFC-A If the PA-7080 firewall has a serial number greater than 10,000, or the PA-7080 was manufactured after March 2019, the built-in internal EMI filter is already installed and this external EMI filter is not required.
Page 128 PA-7000 Series Firewall Installation PA-7000 Series Firewall Hardware Reference 2023 Palo Alto Networks, Inc. ©...
Page 129: Service The Pa-7000 Series Firewall Hardware
Service the PA-7000 Series Firewall Hardware The following topics describes how to replace field-serviceable components on a PA-7000 Series firewall. For an overview of the hardware components, see PA-7000 Series Firewall Overview. • Replace a PA-7000 Series Firewall AC or DC Power Supply •...
Page 130: Replace A Pa-7000 Series Firewall Ac Or Dc Power Supply
Service the PA-7000 Series Firewall Hardware Replace a PA-7000 Series Firewall AC or DC Power Supply The following topics describe how to interpret the power supply LEDs and how to replace a PA-7000 Series firewall power supply. • Interpret the PA-7000 Series Firewall Power Supply LEDs •...
Page 131: Replace A Pa-7000 Series Ac Power Supply
Service the PA-7000 Series Firewall Hardware LEDs Description • Fault—Red indicates a power supply failure, blinking indicates that the management plane cannot communicate with the power supply and off indicates no issues. PA-7080 Power Supply LEDs Use the following information to learn how to interpret the LEDs on the PA-7080 AC power supply.
Page 132 Service the PA-7000 Series Firewall Hardware Replace a PA-7050 AC Power Supply STEP 1 | Put the provided ESD wrist strap on your wrist ensuring that the metal contact is touching your skin. Then attach (snap) one end of the ground cable to the wrist strap and remove the alligator clip from the banana clip on the other end of the ESD grounding cable.
Page 133 Service the PA-7000 Series Firewall Hardware STEP 7 | Slide the new power supply into the empty power supply slot until it is almost fully seated. Ensure that the notch near the hinged part of the ejector handle lines up with the chassis, so that you can close the handle and properly seat the power supply.
Page 134 Service the PA-7000 Series Firewall Hardware supply door toward you from the left side to eject the power supply from the chassis. Then pull the power supply toward you and remove it. STEP 5 | Remove the replacement power supply from the packaging and open the front ejector door until it is fully open.
Page 135: Replace A Pa-7000 Series Dc Power Supply
Service the PA-7000 Series Firewall Hardware STEP 7 | Plug the power cable into the corresponding AC power module on the back of the chassis and turn on the power switch. The new power supply will turn on and the LED will turn green.
Page 136 Service the PA-7000 Series Firewall Hardware STEP 6 | Pull the power supply ejector handle out and down from the top center of the power supply to disengage it from the chassis and then slide the power supply out of the chassis using the power supply handle.
Page 137 Service the PA-7000 Series Firewall Hardware STEP 8 | Slide the new power supply into the empty power supply slot until it almost fully seated. Ensure that the notch near the hinged part of the ejector handle inserts into the chassis so that when you close the handle, it properly seats the power supply.
Page 138 Service the PA-7000 Series Firewall Hardware STEP 2 | Locate the failed power supply by viewing the system logs or by viewing the LED on the front of the power supply. A red LED indicates a failed power supply. For details on the power supply LEDs, see Interpret the PA-7000 Series Firewall Power Supply LEDs.
Page 139 Service the PA-7000 Series Firewall Hardware will eject the power supply from the chassis. Pull the power supply toward you and remove STEP 5 | Remove the replacement power supply from the packaging and open the front ejector door until it is fully open. Remember to push the metal clip located on the bottom left to release the door.
Page 140: Replace A Pa-7080 Dc Pem
Service the PA-7000 Series Firewall Hardware Replace a PA-7080 DC PEM The DC Power Entry Module (PEM) is located on the back of the chassis and connects the power source to the power supplies located on the front of the chassis, which then distributes power to all chassis components.
Page 141 Service the PA-7000 Series Firewall Hardware STEP 4 | Remove the eight screws that secure the PEM to the chassis. STEP 5 | Remove the failed PEM from the chassis using the handles on each side of the PEM. STEP 6 | Carefully slide the replacement PEM into the PEM slot and secure it with the eight screws.
Page 142: Replace A Pa-7000 Series Firewall Fan Tray
Service the PA-7000 Series Firewall Hardware Replace a PA-7000 Series Firewall Fan Tray The following topics describe how to replace a PA-7050 or PA-7080 fan tray. • Replace a PA-7050 Fan Tray • Replace a PA-7080 Fan Tray Replace a PA-7050 Fan Tray The following procedure describes how to replace a PA-7050 fan tray.
Page 143 Service the PA-7000 Series Firewall Hardware STEP 4 | Turn the top and bottom fan tray thumb screws counter-clockwise until the screws stop. This will move the latches to the open position in preparation for the fan tray removal. If you replace the PA-7050-FANTRAY-R-A fan tray, remove the air filter that is part of the fan tray.
Page 144 Service the PA-7000 Series Firewall Hardware Figure 10: PA-7050-FANTRAY-L-A and PA-7050-FANTRAY-R-A STEP 5 | Grasp the fan tray handles and pull the tray out about two inches. After all working fans have stopped spinning, remove the fan tray from the chassis. The fan tray is heavy, so be prepared to support the weight of the tray when removing it.
Page 145 Service the PA-7000 Series Firewall Hardware STEP 7 | Turn the thumb screws to the right until they stop. This will lock the top and bottom latches to secure the tray to the chassis. Use a Phillips-head screwdriver to tighten the thumb screws.
Page 146 Service the PA-7000 Series Firewall Hardware Figure 12: PA-7050-FANTRAY-L-A and PA-7050-FANTRAY-R-A STEP 8 | Verify that the fan tray is operational by noting the status of the fan tray LEDs and the fan LED on the SMC (slot 4). The Fault LED on the fan tray turns off, the Power LED on the fan tray illuminates green, and the fan LED on the SMC changes from red to green.
Page 147: Replace A Pa-7080 Fan Tray
Service the PA-7000 Series Firewall Hardware Replace a PA-7080 Fan Tray The following procedure describes how to replace a PA-7080 fan tray. If one fan on a fan tray fails, the fault LED on the fan tray will turn red. If this occurs, replace the fan tray immediately to avoid service interruption.
Page 148 Service the PA-7000 Series Firewall Hardware STEP 4 | Grasp both handles on the failed fan tray and gently push them outward as you slide the fan tray toward you about 1 inch. Wait 10 seconds to allow enough time for the working fans to stop spinning.
Page 149 Service the PA-7000 Series Firewall Hardware tray illuminates green, and the FAN LED on the SMC changes from red to green. You can view the status of the fan trays by running the CLI command: admin@PA-7080> show system environmentals fan-tray To view the status of each fan on a fan tray, run the following command: admin@PA-7080>...
Page 150: Replace A Pa-7000 Series Firewall Air Filter
Service the PA-7000 Series Firewall Hardware Replace a PA-7000 Series Firewall Air Filter The air filter is a critical part of the chassis cooling system that ensures that air entering the chassis does not contain debris. We recommend that you replace the first-generation filter every six months or less, depending on the environment where the firewall is located, to prevent a scenario where there is not enough air passing through the filters to keep the firewall from overheating.
Page 151 Service the PA-7000 Series Firewall Hardware STEP 3 | Push the filter in until the rear ball joint(s) snap into place. If you are installing a PA-7050- FANTRAY-R-A air filter, turn the air filter screws clockwise until tight. Figure 13: PA-7050 Chassis Air Filter PA-7000 Series Firewall Hardware Reference 2023 Palo Alto Networks, Inc.
Page 152 Service the PA-7000 Series Firewall Hardware Figure 14: PA-7050 FANTRAY-R-A Air Filter PA-7000 Series Firewall Hardware Reference 2023 Palo Alto Networks, Inc. ©...
Page 153 Service the PA-7000 Series Firewall Hardware Figure 15: PA-7080 Air Filter PA-7000 Series Firewall Hardware Reference 2023 Palo Alto Networks, Inc. ©...
Page 154: Replace A Pa-7000 Series Firewall Front Slot Card
Service the PA-7000 Series Firewall Hardware Replace a PA-7000 Series Firewall Front Slot Card The PA-7000 Series firewalls require one Switch Management Card (SMC), one Log Processing Card (LPC), and at least one Network Processing Card (NPC). The procedures to replace a front slot card on a PA-7050 and PA-7080 firewall are almost identical.
Page 155 Service the PA-7000 Series Firewall Hardware STEP 4 | Remove the failed SMC from the chassis. If you are replacing a failed PA-7050-SMC-B or PA-7080-SMB, also remove the SSD drives and label the drives (Sys 1 and Sys2) to ensure PA-7000 Series Firewall Hardware Reference 2023 Palo Alto Networks, Inc.
Page 156 Service the PA-7000 Series Firewall Hardware that you install them in the same SSD slots on the replacement SMC-B (See Replace a PA-7050-SMC-B or PA-7080-SMC-B Drive). PA-7000 Series Firewall Hardware Reference 2023 Palo Alto Networks, Inc. ©...
Page 157 Service the PA-7000 Series Firewall Hardware STEP 5 | Remove the replacement SMC from the antistatic bag. If you are replacing a failed PA-7050- SMC-B or PA-7080-SMC-B, install the SSDs that you removed in the previous step. STEP 6 | Slide it into the SMC slot, ensuring that the handles are in the open position.
Page 158: Replace A Pa-7000 Series Log Card
Service the PA-7000 Series Firewall Hardware Replace a PA-7000 Series Log Card Use the following topics to learn how to replace a PA-7000 Series Log Processing Card (LPC) or a PA-7000 Series Log Forwarding Card (LFC). The LPC has disk drives that must be removed and re- installed, while the LFC does not contain disk drives.
Page 159 Service the PA-7000 Series Firewall Hardware STEP 5 | Remove the LPC by pulling the inner release lever to unlock the outer release lever and then use the outer release lever to pull the LPC out of the chassis. The LPC has a double-lever on each side of the card. After loosening the thumb screws, you must pull the inner lever toward you to unlock the outer lever from the chassis and then pull the outer lever to release the card.
Page 160 Service the PA-7000 Series Firewall Hardware STEP 6 | Remove the new LPC from the antistatic bag. Slide the LPC into the LPC slot, ensuring that the handles are in the open position. When the card is about 1/4-inch from being fully inserted, adjust the levers to align with the chassis and then close the levers to seat the card in place.
Page 161 Service the PA-7000 Series Firewall Hardware STEP 9 | If you are using the drives from the failed LPC, read the steps in Re-Index the LPC Drives before powering on the chassis. Replace a PA-7000 Series Log Forwarding Card (LFC) If the LFC fails, the chassis reboots and will attempt to recover the LFC.
Page 162 Service the PA-7000 Series Firewall Hardware STEP 4 | Remove the LFC by pulling the inner release lever to unlock the outer release lever and then use the outer release lever to pull the LFC out of the chassis. The LFC has a double-lever on each side of the card. After loosening the thumb screws, you must pull the inner lever toward you to unlock the outer lever from the chassis and then pull the outer lever to release the card.
Page 163: Replace A Pa-7000 Series Network Processing Card (Npc)
Service the PA-7000 Series Firewall Hardware Figure 17: PA-7080 LFC STEP 5 | Remove the new LFC from the antistatic bag. Slide the LFC into the LFC slot, ensuring that the handles are in the open position. When the card is about 1/4-inch from being fully inserted, adjust the levers to align with the chassis and then close the levers to seat the card in place.
Page 164 Service the PA-7000 Series Firewall Hardware and the NPC fails after three recovery attempts, the chassis will reboot to attempt to recover the card. You do not have to power off the firewall to install or remove NPCs unless the device is in FIPS- CC mode.
Page 165 Service the PA-7000 Series Firewall Hardware STEP 4 | Remove the NPC using the appropriate procedure below depending on the version of the installed NPC. There are two versions of the PA-7000 20G NPC as described in PA-7000 NPC. Version 1 has a black slide switch on each side of the card that is used to release the ejector lever.
Page 166 Service the PA-7000 Series Firewall Hardware ejector levers. Wait for the green power LED to go off and then pull the release lever toward you to pull the card out of the chassis. The following images show the two versions of the PA-7000 20G NPCs. Figure 18: Install or Remove a PA-7000 20G Version 1 NPC PA-7000 Series Firewall Hardware Reference 2023 Palo Alto Networks, Inc.
Page 167 Service the PA-7000 Series Firewall Hardware Figure 19: Install or Remove a PA-7000 20G Version 2 NPC STEP 5 | Remove the replacement NPC from the antistatic bag and slide it into the empty slot, ensuring that the handles are in the open position. When the card is about 1/4-inch from being fully inserted, adjust the levers to align with the chassis and then close the levers to seat the card in place.
Page 168 Service the PA-7000 Series Firewall Hardware STEP 7 | Insert the network cables that you removed earlier. For slot status information and troubleshooting, see the following sections: PA-7000 Series Front Slot States PA-7000 Series Firewall Network Processing Card (NPC) Troubleshooting Commands.
Page 169 Service the PA-7000 Series Firewall Hardware STEP 2 | Make note of the cable connections and then loosen the screws on each side of the card that secure the NPC to the chassis. Releasing the eject levers on the NPC triggers a micro switch that powers down the card to prepare it for removal.
Page 170 Service the PA-7000 Series Firewall Hardware STEP 9 | Insert the network cables that you removed earlier. For slot status information and troubleshooting, see the following sections: PA-7000 Series Front Slot States PA-7000 Series Firewall Network Processing Card (NPC) Troubleshooting Commands.
Page 171 Service the PA-7000 Series Firewall Hardware State Description AdminPowerOff An administrator powered down the slot and it will not be available until you power it back on. If there is a slot that you want ignored in an HA configuration HA, put it in this state. Failure The card has failed and needs to be replaced.
Page 172: Replace A Pa-7000 Series Data Processing Card (Dpc)
Service the PA-7000 Series Firewall Hardware Purpose Command stays powered off, even after a chassis reboot. Enable a slot so the NPC can admin@PA-7080> request pass traffic. chassis enable slot <slot-number> Enable new NPCs on In an HA configuration, you must install the same number and both chassis in an HA model of NPCs in each chassis and the slot numbers must configuration.
Page 173 Service the PA-7000 Series Firewall Hardware Replace a PA-7000 Series Firewall DPC in a Single Chassis STEP 1 | Check the status of the DPC that is having a problem. You can do this from the web interface or from the CLI. In the web interface, navigate to Device > Setup > Interfaces to view status of each DPC slot.
Page 174 Service the PA-7000 Series Firewall Hardware from being fully inserted, adjust the levers to align with the chassis and then close the levers to seat the card in place. PA-7000 Series Firewall Hardware Reference 2023 Palo Alto Networks, Inc. ©...
Page 175 Service the PA-7000 Series Firewall Hardware STEP 5 | Tighten the thumb screws on each side of the card to secure the card to the chassis by hand or using a Phillips-head screwdriver. STEP 6 | Enable the new DPC by running the following command using slot 3 as an example: admin@PA-7050>...
Page 176 Service the PA-7000 Series Firewall Hardware STEP 7 | Ensure that the DPC's session distribution policy is set to session-load. 1. Run the following command to check the DPC's current distribution policy: admin@PA-7050> show session distribution policy 2. If the Ownership Distribution Policy reads as any value other than session-load, run the following command: admin@PA-7050>...
Page 177 Service the PA-7000 Series Firewall Hardware from being fully inserted, adjust the levers to align with the chassis and then close the levers to seat the card in place. PA-7000 Series Firewall Hardware Reference 2023 Palo Alto Networks, Inc. ©...
Page 178 Service the PA-7000 Series Firewall Hardware STEP 5 | Tighten the thumb screws on each side of the card to secure the card to the chassis by hand or using a Phillips-head screwdriver. STEP 6 | Enable the slots that contain the functioning DPC (in the second chassis) and the DPC that you just replaced.
Page 179 Service the PA-7000 Series Firewall Hardware STEP 7 | Power on the slots that contain the functioning DPC (in the second chassis) and the DPC that you just replaced. admin@PA-7050> request chassis power-on slot <slot-number> For example, run the following command to enable slot 3 on the firewall: admin@PA-7050>...
Page 180: Replace A Pa-7000 Series Smc Boot Drive
Service the PA-7000 Series Firewall Hardware Replace a PA-7000 Series SMC Boot Drive The first generation switch management cards (PA-7050-SMC and PA-7080-SMC) come with an mSATA solid-state drive (SSD) that contains the PAN-OS boot images and configuration files. If your PAN-OS configuration file is too large to fit on the pre-installed SSD, you can replace the stock SSD with the PAN-PA-7000-MSATA-IMG.
Page 181 Service the PA-7000 Series Firewall Hardware STEP 6 | Gently press the two clips to release the mSATA. Once the mSATA pops up, carefully remove it from the socket. STEP 7 | Carefully place the new mSATA into the socket. Ensure that the label displaying the Palo Alto Networks SKU and bar codes is facing up.
Page 182 Service the PA-7000 Series Firewall Hardware STEP 11 | Boot the chassis with the new mSATA installed. When prompted, log in and reset the firewall to factory default settings. After the reset operation is complete, load your preferred version and configuration of PAN-OS. PA-7000 Series Firewall Hardware Reference 2023 Palo Alto Networks, Inc.
Page 183: Replace A Pa-7000 Series Firewall Lpc Drive
Service the PA-7000 Series Firewall Hardware Replace a PA-7000 Series Firewall LPC Drive The Log Processing Card (LPC) contains four Advanced Mezzanine Cards (AMCs) used to house one 2.5” SATA drive each. The first two drives (A1 and A2) are configured in a RAID 1 array and the second two drives (B1 and B2) are configured in a second RAID 1 array.
Page 184 Service the PA-7000 Series Firewall Hardware system raid slot s7 remove A2 This procedure is based on a PA-7080 firewall where the LPC is installed in slot s7. If you are working on a PA-7050 firewall, the LPC is installed in slot s8. For a PA-7050 firewall, replace slots7 with slot s8 in those commands that specify the LPC slot number.
Page 185 Service the PA-7000 Series Firewall Hardware STEP 4 | Gently pull the AMC release handle of the failed drive toward you until it stops to unlock the AMC from the chassis and then completely remove the AMC. The FAULT LED on the AMC that contains the failed drive will show red.
Page 186 Service the PA-7000 Series Firewall Hardware STEP 5 | Remove the replacement drive from the packaging and compare the drive model on the label with the drive model of the failed drive. Proceed as follows based on your findings: • If the replacement drive is the same model number of the failed drive that you removed, then continue to 6.
Page 187 Service the PA-7000 Series Firewall Hardware STEP 6 | (Same model replacement drive only) Install a replacement drive that is the same model as the other drive in the RAID 1 array: 1. Pull the AMC handle on the replacement drive outward until it stops to prepare it for installation into the LPC.
Page 188 Service the PA-7000 Series Firewall Hardware STEP 7 | (Different model replacement drive only) Install a replacement drive that is a different model than the other drive in the RAID 1 array: When you initiate the copy command as described in the following steps, logging and log query will not be available on the drive array until the copy is complete and the disk pair shows Available.
Page 189 Service the PA-7000 Series Firewall Hardware 6. Install the second replacement drive. In this example, physically remove the drive from slot A1 and then install the second replacement drive—one that is the same model as you installed in slot A2—into slot A1. 7.
Page 190: Re-Index The Lpc Drives
Service the PA-7000 Series Firewall Hardware Re-Index the LPC Drives If you reuse the drives from a failed Log Processing Card (LPC) when installing a new LPC, you must install the drives in the same order in which they were removed from the old LPC and then re-index the log metadata.
Page 191 Service the PA-7000 Series Firewall Hardware chassis admin-power-off slot <slot-number> For example, if there is an NPC in slot 1, run the following command: admin@PA-7050> request chassis admin-power-off slot s1 Do the same for each installed NPC until all NPCs show AdminPowerOff. This ensures that network traffic will not traverse the firewall during indexing.
Page 192 Service the PA-7000 Series Firewall Hardware STEP 7 | If your NPCs are powered off or disabled, bring them back up by running the following commands. To view the status of each NPC: admin@PA-7050> show chassis status For each NPC that is in the AdminPowerOff state, run the following command: admin@PA-7050>...
Page 193 Service the PA-7000 Series Firewall Hardware Rule Action Dst Port Destination Src User Dst User End Reason ========================================================== 2015/01/18 07:14:12 incomplete EDM-Vwire-Vsys5 36502 10.43.5.17 EDM-Vsys5-Sec-Pol-2 allow EDM-Vwire-Vsys5 10.5.40.161 aged-out 2015/01/18 08:06:39 incomplete EDM-Vwire-Vsys5 40706 10.43.5.17 EDM-Vsys5-Sec-Pol-2 allow EDM-Vwire-Vsys5 10.5.40.161 aged-out You can also use the web interface to view logs.
Page 194: Replace A Pa-7050-Smc-B Or Pa-7080-Smc-B Drive
Service the PA-7000 Series Firewall Hardware Replace a PA-7050-SMC-B or PA-7080-SMC-B Drive The PA-7050-SMC-B and PA-7080-SMC-B have two SSD drives in a RAID 1 configuration. This configuration provides redundancy so if a drive in a RAID 1 array fails there is no unplanned service interruption or loss of data.
Page 195 Service the PA-7000 Series Firewall Hardware Drive id Sys2 degraded panrepo clean Drive id Sys1 active sync Drive id Sys2 degraded swap clean Drive id Sys1 active sync Drive id Sys2 degraded STEP 2 | Run the following command to shut down the firewall: admin@PA-7080>...
Page 196 Service the PA-7000 Series Firewall Hardware STEP 5 | Remove the failed SMC-B from the chassis. The following images show the first-generation SMCs; the procedure is the same for the second-generation SMCs (SMC-B). PA-7000 Series Firewall Hardware Reference 2023 Palo Alto Networks, Inc. ©...
Page 197 Service the PA-7000 Series Firewall Hardware STEP 6 | Remove the failed drive (Sys 2 in this example). Turn the screw on the SSD drive slot door counter-clockwise and then remove the door. Pull the failed drive out of the SSD drive slot. Note the model number and compare it to the replacement drive.
Page 198 Service the PA-7000 Series Firewall Hardware STEP 7 | Insert the replacement drive (into the Sys 2 slot in this example), reinstall the drive slot door and turn the door screw clockwise until tight. STEP 8 | Reinstall the SMC-B into the chassis. STEP 9 | Insert the power cords to power on the firewall.
Page 199: Increase The Pa-7000 Series Firewall Lpc Log Storage Capacity
Service the PA-7000 Series Firewall Hardware Increase the PA-7000 Series Firewall LPC Log Storage Capacity The PA-7000 Series firewall ships with four 1TB drives installed in the Log Processing Card (LPC) and each drive pair (A1/A2 and B1/B2) is in a separate RAID 1 array to provide 2TBs of log storage.
Page 200 Service the PA-7000 Series Firewall Hardware status : active sync card serial : 002901000067 Disk id A2 Present model : ST91000640NS size : 953869 MB status : active sync card serial : 002901000369 Disk Pair S7B Available Status clean Disk id B1 Present model : ST91000640NS...
Page 201 Service the PA-7000 Series Firewall Hardware system raid slot s7 remove A1 This procedure is based on a PA-7080 firewall where the LPC is installed in slot s7. If you are working on a PA-7050 firewall, the LPC is installed in slot s8. For a PA-7050 firewall, replace slot s7 with slot s8 in those commands that specify the LPC slot number.
Page 202 Service the PA-7000 Series Firewall Hardware 3. Remove a new 2TB drives from the packaging and pull the AMC handle out to prepare it for installation into the LPC. Install the drive into the empty drive slot (A1 in this example) and then push in the release handle on the AMC to lock it to the chassis.
Page 203 Service the PA-7000 Series Firewall Hardware system raid detail Continue running this command to view the RAID detail output until you see that the array (A1/A2 in this example) shows Available. At this point, drive A2 will show not in use because there is a drive size mismatch.
Page 204 Service the PA-7000 Series Firewall Hardware card serial : 002901000064 To upgrade the B1/B2 drive array, repeat these procedures replacing the drive designators. For example, replace A1 with B1 and A2 with B2 to upgrade the drives in the B1/B2 RAID 1 array.
Page 205 Service the PA-7000 Series Firewall Hardware :admin@PA-7080> request system raid slot s7 remove A2 This procedure is based on a PA-7080 firewall where the LPC is installed in slot s7. If you are working on a PA-7050 firewall, the LPC would be installed in slot s8.
Page 206 Service the PA-7000 Series Firewall Hardware 3. Remove two 2TB drives from their packaging and pull the AMC handle out on each drive to prepare them for installation into the LPC. Install the drives into the empty slots (A1 and A2) and then push in the release handle on each AMC to lock the AMCs to the chassis.
Page 207 Service the PA-7000 Series Firewall Hardware system raid detail The following output shows that the S7A array is Available. At this point, drive A2 will show not in use because you have not added it to the new RAID 1 array configuration. Disk Pair S7A Available Status...
Page 208 Service the PA-7000 Series Firewall Hardware PA-7000 Series Firewall Hardware Reference 2023 Palo Alto Networks, Inc. ©...
Page 209: Pa-7000 Series Firewall Specifications
PA-7000 Series Firewall Specifications The following topics provide chassis and component specifications for the PA-7000 Series firewalls. The Log Cards (LPC and LFC) and Network Processing Cards (NPCs) are universal, so you can install them in a PA-7050 or PA-7080 firewall. Components that are not universal, such as power supplies, the Switch Management Card (SMC), fan trays, and the air filter are listed separately for each model.
Page 210: Pa-7000 Series Firewall Physical Specifications
PA-7000 Series Firewall Specifications PA-7000 Series Firewall Physical Specifications The following table describes PA-7050 and PA-7080 firewall physical specifications. Specification Value Height • PA-7050 firewall—15.75 inches (40 cm) 9U • PA-7050 firewall with air flow kit installed (PAN-AIRDUCT)— 24.5 inches (62.23 cm) 14U •...
Page 211 PA-7000 Series Firewall Specifications Specification Value • Chassis (AC)—173 lbs (78 kg 471.47 g) Includes the chassis, two fan trays, air filter, and four power supplies. Does not include the blank slot covers, SMC, NPCs, or LPC. Total Weight (fully loaded)— 299.3 lbs (135 kg 760.19 g) Includes the chassis weight above, plus the SMC, LPC, ten NPCs, and eight AC power supplies.
Page 212 PA-7000 Series Firewall Specifications Specification Value • PA-7050 Second-generation fan trays • PA-7050-FANTRAY-L-A—12 lbs (5 kg 443.11 g) • PA-7050-FANTRAY-R-A—13.5 lbs (6 kg 123.49 g) • PA-7080 firewall—15.5 lbs (6 kg 945.63 g) EMI Filter • PAN-PA-7080-EMI-FILTR—1.5 lbs (680 g) Power supply (AC) •...
Page 213: Pa-7000 Series Firewall Electrical Specifications
PA-7000 Series Firewall Specifications PA-7000 Series Firewall Electrical Specifications Use the following topics to learn about the PA-7000 Series firewall electric specifications and the types of power cords you can use. • PA-7000 Series Firewall Component Electrical Specifications • PA-7000 Series Firewall Power Cord Types PA-7000 Series Firewall Component Electrical Specifications The following table describes PA-7050 and PA-7080 firewall power supply output and rated power consumption for the hardware components.
Page 214: Pa-7000 Series Firewall Power Cord Types
PA-7000 Series Firewall Specifications Component SKU Power Specification (Power Notes Number Produced (+) or Rated Consumption (-)) PA-7050-FAN -175 Watts Not compatible with PAN-OS 9.0 hardware. PA-7050-FANTRAY- -180 Watts Left side exhaust fan tray for PA-7050 chassis PA-7050-FANTRAY- -1200 Watts Right side intake fan tray for PA-7050 chassis.
Page 215 PA-7000 Series Firewall Specifications PA-7050 DC configuration supports one type of DC power cord (included) and is listed in the first row of the following table. SKU Number Description PAN-PWR-DC-CBL-A (PA-7050 firewall only) 15 ft DC power cord. One end of the cable has a connector that you plug into the front of the DC power supply and the other end of the cable has bare wires, which you must terminate to your DC power source.
Page 216: Pa-7000 Series Firewall Environmental Specifications
PA-7000 Series Firewall Specifications PA-7000 Series Firewall Environmental Specifications The following table describes PA-7050 and PA-7080 firewall environmental specifications. Specification Value Operating temperature range 0° to 50°C (32°F to 122°F) Storage temperature range -20° to 70°C (-4°F to 158°F) Humidity 5% to 90% non-condensing Chassis airflow •...
Page 217: Pa-7000 Series Firewall Hardware Compliance Statements
PA-7000 Series Firewall Hardware Compliance Statements Palo Alto Networks obtains regulatory compliance certifications to comply with the laws and regulations in each country where there are requirements applicable to our products. Our products meet standards for product safety and electromagnetic compatibility when used for their intended purpose.
Page 218: Pa-7000 Series Firewall Compliance Statements
PA-7000 Series Firewall Hardware Compliance Statements PA-7000 Series Firewall Compliance Statements The following are the PA-7000 Series firewall hardware compliance statements: • VCCI This section provides the compliance statement for the Voluntary Control Council for Interference by Information Technology Equipment (VCCI), which governs radio frequency emissions in Japan.
Page 219 PA-7000 Series Firewall Hardware Compliance Statements • BSMI EMC Statement—User warning: This is a Class A product. When used in a residential environment it may cause radio interference. In this case, the user will be required to take adequate measures. •...
Page 220 PA-7000 Series Firewall Hardware Compliance Statements PA-7000 Series Firewall Hardware Reference 2023 Palo Alto Networks, Inc. ©...

This manual is also suitable for:

Pa-7050 Pa-7080

PaloAlto Networks TECHDOCS PA-7000 Series Hardware Reference Manual

Quick Links

Need help?

Questions and answers

Subscribe to Our Youtube Channel

Related Manuals for PaloAlto Networks TECHDOCS PA-7000 Series

Summary of Contents for PaloAlto Networks TECHDOCS PA-7000 Series

This manual is also suitable for:

Table of Contents