PaloAlto Networks PA-5400 Series, Hardware Reference Manual

Page 1: ...PA 5400 Series Next Gen Firewall Hardware Reference paloaltonetworks com documentation...

Page 2: ...earch for a specific topic go to our search page www paloaltonetworks com documentation document search html Have feedback or questions for us Leave a comment on any page in the portal or write to us...

Page 3: ...tion 37 Install the PA 5450 Firewall in an Equipment Rack 37 Install the Mandatory PA 5400 Series Firewall Front Slot Cards 44 Install a PA 5400 Series Firewall Management Processor Card MPC 44 Instal...

Page 4: ...ace a PA 5450 Front Slot Card in a High Availability HA Configuration 77 Install an MPC Logging Drive 79 Replace an MPC System Drive 80 PA 5400 Series Firewall Specifications 83 PA 5400 Series Firewal...

Page 5: ...o Networks next generation firewall or appliance The following topics apply to all Palo Alto Networks firewalls and appliances except where noted Upgrade Downgrade Considerations for Firewalls and App...

Page 6: ...6 PA 5400 SERIES NEXT GEN FIREWALL HARDWARE REFERENCE Before You Begin 2021 Palo Alto Networks Inc...

Page 7: ...port the requirements for the service route We recommend using the dataplane interface for the Data Services service route n a Upgrading a PA 7000 Series Firewall with a first generation switch manage...

Page 8: ...uct The tracking number provided to you electronically when ordering the product matches the tracking number that is physically labeled on the box or crate The integrity of the tamper proof tape used...

Page 9: ...FIREWALL HARDWARE REFERENCE Before You Begin 9 2021 Palo Alto Networks Inc Third Party Component Support Before you consider installing third party hardware read the Palo Alto Networks Third Party Com...

Page 10: ...tromagnetic compliance EMC regulations French Translation Des c bles Ethernet blind s reli s la terre doivent tre utilis s pour garantir la conformit de l organisme aux missions lectromagn tiques CEM...

Page 11: ...les signal Le blindage et la mise la terre ligne ligne et ligne la terre sont fournis Le dispositif de protection doit tre raccord la terre et un c ble Ethernet blind de cat gorie 5E ou sup rieure doi...

Page 12: ...patientez au moins 10 secondes avant de retirer compl tement le tiroir de ventilation Cela permet aux ventilateurs d arr ter de tourner et permet d viter des blessures graves lors du retrait du tiroir...

Page 13: ...ed access areas only A restricted access area is where access is granted only to craft service personnel using a special tool lock and key or other means of security and that is controlled by the auth...

Page 14: ...14 PA 5400 SERIES NEXT GEN FIREWALL HARDWARE REFERENCE Before You Begin...

Page 15: ...the PA 5450 you can install up to two NCs and four to five DPCs depending on your front slot configuration These firewalls also feature a replaceable Base Card BC that interfaces with the signal conne...

Page 16: ...16 PA 5400 SERIES NEXT GEN FIREWALL HARDWARE REFERENCE PA 5400 Series Firewall Overview 2021 Palo Alto Networks Inc...

Page 17: ...nnectivity An NC must be installed in slot 1 A second optional NC can be installed in slot 2 as shown in the image For more information see PA 5400 Series Firewall Networking Card NC 2 Data Processor...

Page 18: ...ge The two front mounting flanges are fastened to an equipment rack when mounting the firewall 6 Electrostatic Discharge ESD port Provides a grounding point that you use when removing or installing ap...

Page 19: ...tion on replacing or installing a fan see Replace a PA 5450 Fan Assembly 3 Electrostatic Discharge ESD port Provides a grounding point that you use when removing or installing appliance components Sec...

Page 20: ...20 PA 5400 SERIES NEXT GEN FIREWALL HARDWARE REFERENCE PA 5400 Series Firewall Overview...

Page 21: ...C are interfaced with the BC on the front of the appliance A minimum of one NC and one DPC are required for the system to run Due to the seven front slot arrangement you can install up to two NCs and...

Page 22: ...22 PA 5400 SERIES NEXT GEN FIREWALL HARDWARE REFERENCE PA 5400 Series Firewall Module and Interface Card Information 2021 Palo Alto Networks Inc...

Page 23: ...ower bus bars to conduct currents from the power distribution board The BC can only be removed from the system after removing the fan assemblies first The following BC comes installed by default in a...

Page 24: ...MPC A component descriptions and LED meanings PA 5400 MPC A Component Descriptions Interpret the PA 5400 MPC A LEDs PA 5400 MPC A Component Descriptions The following image shows the PA 5400 MPC A an...

Page 25: ...l connects directly to HSCI A on the second firewall and HSCI B on the first firewall connects to HSCI B on the second firewall The purpose of HSCI B is to increase the bandwidth for HA2 HA3 processin...

Page 26: ...llowing table describes the functions and states of the MPC LED dashboard LED State Description Green The card temperature is normal TMP Temperature Yellow The card temperature is outside the temperat...

Page 27: ...Service LED Slot Description Status s1 PA 5400 NC A On s2 empty Off s3 empty Off s4 empty Off s5 empty Off s6 PA 5400 DPC A On s7 PA 5400 MPC A On Enter the following command to view the status for a...

Page 28: ...shows ethernet2 2 For information on installing the NC see Install a PA 5400 Series Firewall Networking Card NC On the PA 5450 firewall you can install NCs in slots 1 and 2 but a minimum of one NC is...

Page 29: ...NC A LEDs Use the following information to learn how to interpret the LED dashboard and port LEDs on the PA 5400 Networking Card NC A The following table describes the functions and states of the NC A...

Page 30: ...ystem setting service led enable yes Enter the following command to disable the SVC LED admin PA 5450 set system setting service led enable no Enter the following command to enable the SVC LED on the...

Page 31: ...s On On Off 40Gbps Off Off On 100Gbps Off On Off Identify PA 5400 Series NC Port Activity and Link LEDs The following image shows how to identify the activity and link LEDs for the port types availabl...

Page 32: ...from a DPC to a corresponding Networking Card NC Certain commands issued to the NC affect or are affected by the status of its corresponding DPC Because the DPC has no front ports or interfaces you mu...

Page 33: ...ard DPC The following table describes the functions and states of the DPC LED dashboard LED State Description Green The card temperature is normal TMP Temperature Yellow The card temperature is outsid...

Page 34: ...a specific slot admin PA 5450 show system service led status slot s3 Enter the following command to enable all SVC LEDs admin PA 5450 set system setting service led enable yes Enter the following com...

Page 35: ...rds After the firewall is installed in the rack with all components installed connect power verify that the front slot cards are functioning and then connect network and management cables Read Before...

Page 36: ...36 PA 5400 SERIES NEXT GEN FIREWALL HARDWARE REFERENCE PA 5400 Series Firewall Installation 2021 Palo Alto Networks Inc...

Page 37: ...e to uneven mechanical loading Circuit overloading Ensure that the circuit that supplies power to the firewall is sufficiently rated to avoid circuit overloading or excess load on supply wiring See PA...

Page 38: ...om edges of the fixed and adjustable brackets to the bottom of the 5 RU rack space reserved for the PA 5450 Align the slotted holes of the fixed mounting bracket to the holes on the front side of the...

Page 39: ...P 4 Adjust the brackets to fit the depth of the equipment frame then secure the brackets to the equipment frame with mounting screws not provided compatible with your equipment frame Tighten the screw...

Page 40: ...ARDWARE REFERENCE PA 5400 Series Firewall Installation 2021 Palo Alto Networks Inc STEP 5 Use the provided 6 32 x 5 16 flathead screws to secure the adjustable bracket to the fixed bracket A minimum o...

Page 41: ...PA 5450 on the brackets that were previously mounted to the equipment frame until the front mounting flanges of the PA 5450 are flush against the mounting surface of the equipment frame STEP 7 Secure...

Page 42: ...provided 8 32 x 3 8 Phillips panhead screws to secure the back side of the PA 5450 to the previously mounted brackets You may need to loosen the PA 5450 support bracket screws to align the holes in t...

Page 43: ...PA 5400 SERIES NEXT GEN FIREWALL HARDWARE REFERENCE PA 5400 Series Firewall Installation 43 2021 Palo Alto Networks Inc...

Page 44: ...C enables the firewall to process network traffic and the Data Processor Card DPC handles data plane processing Install a PA 5400 Series Firewall Management Processor Card MPC Install a PA 5400 Series...

Page 45: ...1 Attach the provided ESD strap to your wrist and plug the other end in to the ESD port location on the front of the appliance See PA 5450 Front Panel for the location of the ESD port STEP 2 Remove th...

Page 46: ...te the blank panel upwards until it snaps at the top of the slot Configure Session Distribution on a PA 5400 Series Firewall After the firewall is installed and powered on you can review the available...

Page 47: ...etworking Card NC When installing a DPC you must install it in the correct slot to pair with the NC STEP 4 Push on both ejector handles until they lock the card into place STEP 5 Optional Repeat Steps...

Page 48: ...connect the device to the correct port The port s connected will depend on which mode you intend the firewall to run in Standard mode Connect the Ethernet cable from the MGT port on the firewall to th...

Page 49: ...up the firewall manually if using standard mode If using ZTP mode the device group and template configuration defined on the Panorama management server are automatically pushed to the firewall by the...

Page 50: ...power input type and then locate the column that coincides with the number of installed DPCs Each power supply requirement in the table accounts for the installation of 1 or 2 NCs To provide full redu...

Page 51: ...STEP 2 Put the provided ESD wrist strap on your wrist ensuring that the metal contact is touching your skin Then attach snap one end of the ground cable to the wrist strap and remove the alligator cli...

Page 52: ...t to 50 in lbs Be careful not to strip the nuts and lug studs STEP 7 Connect the power supply to a power source based on whether your power supplies are AC or DC AC Power Supplies only 1 Connect the f...

Page 53: ...ing the plastic connector into the DC power supply until it clicks into place Ensure that you connect each pair of power supplies to a different circuit breaker When cabling the DC power supply to you...

Page 54: ...tors This CLI output helps you know how much power is required to prevent the appliance from overloading under extreme conditions STEP 1 Using a terminal emulator such as PuTTY launch an SSH session t...

Page 55: ...A 5450 FAN Present 160 PS1 PAN PWR 2200W AC OK 2200 PS2 PAN PWR 2200W AC OK 2200 PS3 empty empty PS4 PAN PWR 2200W AC OK 2200 Provided Used Remaining 6600 1565 5035 As indicated in the last row of the...

Page 56: ...rial connection to the firewall and enables you to view the bootup messages and manage the firewall using the command line interface CLI Both the MGT and console ports are located on the Management Pr...

Page 57: ...mand admin PA 5450 show chassis status slot slot number For example to view the status of slot 2 run the following command admin PA 5450 show chassis status slot s2 If an NC slot is ready to use the s...

Page 58: ...s Firewall Installation For example to enable NCs installed in slot 2 of both appliances run the following command admin PA 5450 request chassis power on slot s2 target ha pair For information on inst...

Page 59: ...es firewall For an overview of the hardware components see PA 5400 Series Firewall Overview Replace a PA 5400 Series Firewall AC or DC Power Supply Replace a PA 5400 Series Base Card BC Replace a PA 5...

Page 60: ...60 PA 5400 SERIES NEXT GEN FIREWALL HARDWARE REFERENCE Service the PA 5400 Series Firewall Hardware 2021 Palo Alto Networks Inc...

Page 61: ...only at 12VSB Volts Standby Blinking Green 2Hz Power supply is in redundant state or in sleep mode Solid Yellow Power supply critical failure Off No AC power or AC power cord is unplugged The followi...

Page 62: ...latch from the appliance With the latch still pushed to the left pull on the metal handle to slide the power supply out STEP 5 Remove the replacement power supply from the packaging STEP 6 Slide the n...

Page 63: ...D grounding cable Plug the banana clip end into one of the ESD ports located on the back of the appliance before handling ESD sensitive hardware For details on the ESD port location see PA 5450 Back P...

Page 64: ...64 PA 5400 SERIES NEXT GEN FIREWALL HARDWARE REFERENCE Service the PA 5400 Series Firewall Hardware 2021 Palo Alto Networks Inc Support the BC with one hand while pulling it out from the appliance...

Page 65: ...or the thermal protection circuit will automatically shut down the firewall STEP 1 Put the provided ESD wrist strap on your wrist ensuring that the metal contact is touching your skin Then attach sna...

Page 66: ...ERIES NEXT GEN FIREWALL HARDWARE REFERENCE Service the PA 5400 Series Firewall Hardware 2021 Palo Alto Networks Inc STEP 5 While still gripping the fan assembly handle gently pull the fan assembly out...

Page 67: ...erational by noting the status of the fan assembly LED and the fan LED on the MPC The individual fan assembly LED shows green if it is functioning as expected Similarly the fan LED on the MPC also sho...

Page 68: ...agement Processor Card MPC Learn how to replace a MPC Replace a PA 5450 Management Processor Card MPC Replace a PA 5450 Management Processor Card MPC STEP 1 Put the provided ESD wrist strap on your wr...

Page 69: ...reboot and attempt to recover If the card does not recover it will change to a down state If there is only one functioning NC in the appliance and the NC fails after three recovery attempts the firewa...

Page 70: ...dware For details on the ESD port location see PA 5450 Front Panel STEP 2 Push the front tabs on the NC towards the center prompting a click This will cause ejector handles on the front of the card to...

Page 71: ...of slot 1 run admin PA 5450 show chassis status slot s1 Temporarily power on and off an NC slot This command gracefully powers off a slot and ends current sessions You can use this command to remove...

Page 72: ...Data Processor Card DPC Replace a PA 5450 Data Processor Card DPC STEP 1 Put the provided ESD wrist strap on your wrist ensuring that the metal contact is touching your skin Then attach snap one end...

Page 73: ...lock the card into place PA 5400 Series Front Slot and Card States You can view the slot and card status information on a PA 5400 Series firewall using the web interface or the command line interface...

Page 74: ...and ready for removal AdminPowerOff An administrator powered down the slot and it will not be available until you power it back on If there is a slot that you want ignored in an HA configuration HA p...

Page 75: ...ed slot request chassis restart slot request chassis restart slot target ha pair Restart a card in the selected slot request chassis enable slot request chassis enable slot target ha pair Enable a car...

Page 76: ...4 06 34 critical hw slot po 0 Attempting to power down Slot 1 because the Logically Paired DPC is in a PowerOff state Powering off an NC The state of the logically paired DPC is not affected when the...

Page 77: ...HA deployment To insert a new pair of NCs or DPCs into an HA pair 1 Insert the card into both devices 2 If the slot is in the Admin power down state then issue the following command on both devices to...

Page 78: ...e failed card The non failed card on the other device can be left in an AdminPowerOff state until you receive a replacement card To install a replacement of the failed card 1 When you receive the repl...

Page 79: ...or the location of the ESD port STEP 2 Loosen the retaining screw on the logging drive blank cover while gently pulling on the pull tab Proceed until the logging drive blank cover can be pulled out fr...

Page 80: ...Back Panel STEP 3 Remove the MPC from card slot 7 of the appliance See Replace a PA 5400 Series Management Processor Card MPC for details on removing the MPC STEP 4 Place the MPC on an ESD work surfa...

Page 81: ...ceeding a torque of 4 in lbs will damage the equipment STEP 9 Before re installing the MPC plug the banana clip end of your ESD wrist strap into one of the ESD ports located on the back of the applian...

Page 82: ...82 PA 5400 SERIES NEXT GEN FIREWALL HARDWARE REFERENCE Service the PA 5400 Series Firewall Hardware...

Page 83: ...mponent specifications for the PA 5400 Series firewalls View the datasheet for information on features performance and capacity numbers PA 5400 Series Firewall Physical Specifications PA 5400 Series F...

Page 84: ...84 PA 5400 SERIES NEXT GEN FIREWALL HARDWARE REFERENCE PA 5400 Series Firewall Specifications 2021 Palo Alto Networks Inc...

Page 85: ...5450 firewall 17 4 inches 44 2 cm Appliance weight PA 5450 firewall Appliance 97 lbs 44 kg Appliance with Base Card BC and fan tray installed 108 lbs 49 kg Appliance component weights Base Card BC 10...

Page 86: ...0 Series Firewall Power Configuration Requirements Component SKU Number Power Specification Power Produced or Rated Consumption Notes PAN PA 5400 BC A 350 Watts PAN PA 5400 MPC A 300 Watts Includes po...

Page 87: ...N PWR C19 US AC power cord with IEC 60320 C19 and NEMA 6 20P cord ends 3 m PAN PWR C19 US L AC power cord with IEC 60320 C19 and locking NEMA L6 20P cord ends 3 m PAN PWR C19 BR Power Cord Brazil 16A...

Page 88: ...ewall Environmental Specifications The following table describes PA 5400 Series firewall environmental specifications Specification Value Operating temperature range 0 to 40 C 32 F to 104 F Storage te...

Page 89: ...with the laws and regulations in each country where there are requirements applicable to our products Our products meet standards for product safety and electromagnetic compatibility when used for the...

Page 90: ...90 PA 5400 SERIES NEXT GEN FIREWALL HARDWARE REFERENCE PA 5400 Series Firewall Hardware Compliance Statements 2021 Palo Alto Networks Inc...

Page 91: ...re and the joined materials The firewall is suitable for connection to the Central Office or Customer Premise Equipment CPE The DC battery return wiring on the firewall must be connected as an isolate...

Page 92: ...If this equipment does cause harmful interference to radio or television reception which can be determined by turning the equipment off and on the user is encouraged to try to correct the interference...