how to configure high availability on pan

Upload: luis-alexis

Post on 07-Aug-2018


  • 8/20/2019 How to Configure High Availability on PAN

    1/12

    How to Configure High Availability on

    PAN-OS

    Overview

    This document describes how to configure High Availability (HA) on a pair of

    identical Palo Alto Networks firewalls.

    Note: This document does not address configuring HA for PA-200 devices.

    Steps

    Configure First Device 

    1. Go to Network tab > Interfaces.

    Notes: 

    The HA links should look similar to the following screenshot.

    a. Confirm the planned HA links are up.

    b. Configure both interfaces to be Interface Type HA.

    o  Skip this step if configuring a pair of PA-3000, PA-4000 or PA-5000

    Series devices. All other firewalls, including VM-Series, require

    specific ports to be configured as type HA.


    2. Go to Device tab > High Availability > General.

    Notes: 

    Locate the setup section.

    a. Click on the gear cog to view/edit the settings.

    b. Enable HA.

    c. Enter a group ID that matches on both members.

    d. Enter an IP address for the Peer's Control Link. This will be used in the next step.

    e. Enable Config Sync.

    o  The cluster ID is used when creating the virtual MAC for L3

    instances. When more than one cluster is on the same L2 network,

    the ID must be different on each cluster.

    o  The Peer HA IP Address (Control Link) can be any IP address that

    isn't being used currently in the network.

    o  It is recommended to add a Backup Peer HA IP Address if there are

    enough free ports.

    3. From the General tab, locate the Control Link section and click on Primary.


    Notes: 

    Choose the first HA interface to be used for the first device's Control

    Link.

    a. Enter an IP address that is on the same subnet as the Peer HA IP

    address, configured in step 2.

    o  If the Control Link is not directly connected to the other firewall, you

    may want to enable encryption (AES-256).

    o  If the Control Link IPs are on separate broadcast domains, only the

    gateway needs to be configured, otherwise it's not needed.

    4. From the General tab, locate the Data Link section and click Primary:

    Notes: Transport Methods 

    Choose the other HA interface to be used for the Data Link.

    a. Configure the IP information for the Data Link.


    b. Ensure the Enabled box is checked.

    o  Ethernet: Use when the firewalls are connected back-to-back or

    through a switch (Ethertype 0x7261).

    o  IP: Use when Layer 3 transport is required (IP protocol number 99).

    o  UDP: Use to take advantage of the fact that the UDP checksum covers

    the entire packet rather than just the header, as with the IP option (UDP port 29281).
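    As an added example (not part of the original document), a small Python classifier that recognises the three HA2 transport encapsulations listed above by their identifiers; it is useful when reviewing a capture to confirm that HA2 traffic stays on the dedicated data link. The sample frames are constructed for the example, not real captures.

```python
import struct
from typing import Optional

# HA2 (data link) transport identifiers from step 4 of the document
HA2_ETHERTYPE, HA2_IP_PROTOCOL, HA2_UDP_PORT = 0x7261, 99, 29281
ETHERTYPE_IPV4, IPPROTO_UDP = 0x0800, 17


def classify_ha2_frame(frame: bytes) -> Optional[str]:
    """Return 'ethernet', 'ip' or 'udp' when an untagged raw Ethernet frame matches
    one of the HA2 transports, otherwise None (VLAN tags and IPv6 are not handled)."""
    if len(frame) < 14:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == HA2_ETHERTYPE:
        return "ethernet"
    if ethertype != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4          # header length in bytes, skips IP options
    if ip[9] == HA2_IP_PROTOCOL:       # protocol field of the IPv4 header
        return "ip"
    if ip[9] == IPPROTO_UDP and len(ip) >= ihl + 8:
        sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
        if HA2_UDP_PORT in (sport, dport):
            return "udp"
    return None


# Constructed sample frames (not real captures) used to exercise the classifier.
def _eth(ethertype: int, payload: bytes) -> bytes:
    macs = bytes.fromhex("001122334455" "66778899aabb")  # made-up dst + src MACs
    return macs + struct.pack("!H", ethertype) + payload

def _ipv4(proto: int, payload: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload

def _udp(sport: int, dport: int, payload: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

SAMPLE_FRAMES = {
    "ha2_ethernet": _eth(HA2_ETHERTYPE, b"\x00" * 32),
    "ha2_ip": _eth(ETHERTYPE_IPV4, _ipv4(HA2_IP_PROTOCOL, b"\x00" * 32)),
    "ha2_udp": _eth(ETHERTYPE_IPV4, _ipv4(IPPROTO_UDP, _udp(40000, HA2_UDP_PORT, b"\x00" * 8))),
    "plain_dns": _eth(ETHERTYPE_IPV4, _ipv4(IPPROTO_UDP, _udp(40000, 53, b"\x00" * 8))),
}
```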

    5. From the General tab, locate the Election Settings section, and click the

    gear cog:

    To specify one of the firewalls as active, enable Preemptive on both

    firewalls and set the Device Priority.

    The device with the lowest Device Priority is the active device.


    a. To learn about all of the other settings here, click the ? in the top right

    corner for detailed explanations.

    b. When state synchronization is enabled, the session table, forwarding

    table, ARP table, and VPN Security Associations (SAs) are copied

    from the active device to the passive device over HA2. When the

    passive device takes over, existing sessions will continue.

    c. If the devices have IP connectivity between the management IPs, it is

    recommended to enable the Heartbeat Backup, which sends pings

    over the management interface.
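    As an added example (not from the original document), a simplified Python model of the election rules in step 5: the member with the lowest Device Priority value wins, and a recovered member only takes the active role back when Preemptive is enabled on both members. The member names and priorities are made up for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class HaMember:
    name: str
    priority: int        # Device Priority: the lowest value wins the election
    preemptive: bool     # Preemptive setting on this member
    healthy: bool = True


def elect_active(a: HaMember, b: HaMember, current_active: Optional[str]) -> Optional[str]:
    """Return the name of the member that is active after an election."""
    healthy = [m for m in (a, b) if m.healthy]
    if not healthy:
        return None
    if len(healthy) == 1:
        return healthy[0].name          # only one survivor, it must be active
    preferred = min(a, b, key=lambda m: m.priority)
    if current_active not in (a.name, b.name):
        return preferred.name           # first election: priority decides
    if a.preemptive and b.preemptive:
        return preferred.name           # preemption only when enabled on both
    return current_active               # otherwise the incumbent stays active


def simulate(a: HaMember, b: HaMember, events: List[Tuple[str, str]]) -> List[Optional[str]]:
    """Apply ('fail' | 'recover', member name) events in order and return the
    active member after each event, starting from the initial election."""
    members = {a.name: a, b.name: b}
    active = elect_active(a, b, None)
    history = []
    for action, name in events:
        members[name].healthy = (action == "recover")
        active = elect_active(a, b, active)
        history.append(active)
    return history


if __name__ == "__main__":
    fw1, fw2 = HaMember("fw1", 100, True), HaMember("fw2", 200, True)
    print(simulate(fw1, fw2, [("fail", "fw1"), ("recover", "fw1")]))
```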

    6. Commit the configuration.

    At this point, any Layer 3 interface gets a new (shared) MAC address, and

    multiple gratuitous ARPs are sent out of each Layer 3 interface, informing the

    attached switches of the new IP/MAC combination.

    7. Confirm the HA is active on the local firewall.

    The firewall’s status should show active and the other values should be

    unknown, as shown below:


    Go to the Dashboard tab.

    a. Add the High Availability widget.

    b. Widgets > System > High Availability.

    8. Configure the Peer Device.

    9. Refer to step 1 and ensure the Peer device has two HA links configured to

    communicate to the first device’s HA links.

    Go to the setup section of the Peer Device and enable HA. Refer to

    step 2.

    a. Assign the same cluster ID as on the other device.

    b. Enter the IP address assigned to the other firewall's Control Link.

    c. Enable Config Sync.

    10. From the General tab, locate the Control Link section and click on Primary.


    Note: If encryption is enabled on the First device, enable it here as well.

    a. Choose the first HA interface to be used for the Second Device's

    Control Link.

    b. Enter an IP address that is on the same subnet as the Peer HA IP

    address configured in Step 8.

    11. From the General tab, locate the Data Link section and click on Primary:

    a. Choose the other HA interface to be used for the Data Link.

    b. Configure the IP information for the Data Link.

    c. Ensure the Enabled box is checked.

    d. Ensure the Transport drop-down matches the first device's

    configuration.

    12. Replicate the settings from the First device, with the exception of the Preemptive setting enabled on the First device:


    14. Go to the first device.

    Ensure it still shows as active and it sees the peer device as passive.

    a. Ensure all dynamic updates are synced.

    b. In this example Antivirus and GlobalProtect are not synced.

    15. Update as needed so everything matches, as shown below:


    16. Once everything matches on both devices, go to the active member's

    Dashboard tab and click Sync to peer. It should say synchronization in

    progress.

    17. Go to the second (passive) device's CLI and check the HA sync process by

    running:

    > show jobs all

    The first two attempts failed. Determine and fix the cause of the failure.

    18. To get more details on the failed job, run:

    > show jobs id

    The first sync failure is ID 13.


    There is a security rule on the passive device named "Samir" that's causing the HA-Sync process to fail. The rule is a shared rule from a previous

    Panorama configuration.

    Delete the rule and run the Sync to peer again from the Active Device’s

    Dashboard tab. The job finished successfully this time:

    High Availability is configured.

    19. Configure Link Monitoring and Path Monitoring (optional):


    Device tab > High Availability > Link and Path Monitoring tab.

    a. In this example, all links are monitored. This means that if any link state

    goes down on the active device, a failover occurs.

    b. In this example, Path Monitoring is not configured.

    c. Click the “?” button, in the top right corner of the Link and Path

    Monitoring tab, to read about Link Monitoring and Path Monitoring.