
How to Configure High Availability on PAN-OS | Palo Alto Networks Live 3/25/15, 11:59 AM

How to Configure High Availability on PAN-OS

Version 18

created by panagent on May 14, 2012 9:46 AM, last modified by panagent on Dec 9, 2014 12:54 PM

Overview
This document describes how to configure High Availability (HA) on a pair of identical Palo Alto Networks
firewalls.
Note: This document does not address configuring HA for PA-200 devices.

Steps
Configure First Device
1. Go to Network tab > Interfaces
a. Confirm the planned HA links are up
b. Configure both interfaces to be Interface Type HA
Skip this step if configuring a pair of PA-3000, PA-4000 or PA-5000 Series devices. All other firewalls,
including VM-Series, require specific ports to be configured as type HA.

Notes:
The HA links should look similar to the following screenshot.
2. Go to Device tab > High Availability > General

https://live.paloaltonetworks.com/docs/DOC-2926 Page 1 of 13

a. Locate the Setup section
b. Click on the gear cog to view/edit the settings
c. Enable HA
d. Enter a Group ID that matches on both members
e. Enter an IP address for the Peer's Control Link. This will be used in the next step
f. Enable Config Sync

Notes:
The cluster ID is used when creating the virtual MAC for L3 instances. When more than one cluster is
on the same L2 network, the ID must be different on each cluster
The Peer HA IP Address (Control Link) can be any IP address that isn't currently being used in the
network
It is recommended to add a Backup Peer HA IP Address if there are enough free ports
3. From the General tab, locate the Control Link section and click on Primary


a. Choose the first HA interface to be used for the first device's Control Link
b. Enter an IP address that is on the same subnet as the Peer HA IP address configured in step 2

Notes:
If the Control Link is not directly connected to the other firewall, you may want to enable encryption
(AES-256)
If the Control Link IPs are on separate broadcast domains, only the Gateway needs to be configured;
otherwise it's not needed
4. From the General tab, locate the Data Link section and click Primary:

a. Choose the other HA interface to be used for the Data Link
b. Configure the IP information for the Data Link
c. Ensure the Enabled box is checked

Notes: Transport Methods
Ethernet: Use when the firewalls are connected back-to-back or through a switch (Ethertype 0x7261)
IP: Use when Layer 3 transport is required (IP protocol number 99)
UDP: Use to take advantage of the fact that the checksum is calculated on the entire packet rather than just
the header, as in the IP option (UDP port 29281)
5. From the General tab, locate the Election Settings section, and click the gear cog

a. To specify one of the firewalls as active, enable Preemptive on both firewalls and set the Device Priority
The device with the lowest Device Priority is the active device
b. To learn about all of the other settings here, click the ? in the top right corner for detailed explanations
c. When state synchronization is enabled, the session table, forwarding table, ARP table, and VPN
Security Associations (SAs) are copied from the active device to the passive device over HA2. When
the passive device takes over, existing sessions will continue.
d. If the devices have IP connectivity between the management IPs, it is recommended to enable the
Heartbeat Backup, which sends pings over the management interface.
6. Commit the configuration
At this point, any Layer 3 interface gets a new (shared) MAC address, and multiple gratuitous ARPs are sent
out on each Layer 3 interface, informing the attached switches of the new IP/MAC combination.

7. Confirm the HA is active on the local firewall


The firewall's status should show active and the other values should be unknown, as shown below:

a. Go to the Dashboard tab
b. Add the High Availability widget: Widgets > System > High Availability
8. Configure the Peer Device
9. Refer to step 1 and ensure the Peer device has two HA links configured to communicate with the First device's HA
links


a. Go to the setup section of the Peer Device and enable HA. Refer to step 2
b. Assign the same cluster ID as on the other device
c. Enter the IP address assigned to the other firewall's Control Link
d. Enable Config Sync
10. From the General tab, locate the Control Link section and click on Primary

Note: If encryption is enabled on the First device, enable it here as well.


a. Choose the first HA interface to be used for the Second Device's Control Link
b. Enter an IP address that is on the same subnet as the Peer HA IP address configured in Step 8
11. From the General tab, locate the Data Link section and click on Primary:


a. Choose the other HA interface to be used for the Data Link


b. Configure the IP information for the Data Link
c. Ensure the Enabled box is checked
d. Ensure the Transport drop-down matches the first device's configuration
12. Replicate the settings from the First device, with the exception of Preemptive, which was enabled on the First device:


For this configuration, Preemptive is off.


a. Enable Preemptive
b. Configure the priority field. A higher number means lower priority
13. Commit the changes on the Second device:
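Before committing on the second device, it helps to check that the two configurations actually agree on the settings the steps above say must match. The following is an added example (not Palo Alto Networks code) that encodes those rules in Python: matching Group ID, the Peer HA IP on each side pointing at the other side's Control Link address, a gateway required only when the Control Link IPs are on separate broadcast domains, matching Control Link encryption, matching HA2 transport, Preemptive on both, and lowest Device Priority winning. The HaDevice fields are assumed names, not PAN-OS configuration keys.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# HA2 (Data Link) transport identifiers quoted in step 4
HA2_TRANSPORT = {"ethernet": ("ethertype", 0x7261), "ip": ("ip-protocol", 99), "udp": ("udp-port", 29281)}

@dataclass
class HaDevice:
    """Hypothetical summary of one firewall's HA settings (field names are assumptions)."""
    name: str
    group_id: int
    control_ip: str            # this device's Control Link address with prefix, e.g. "10.1.1.1/24"
    peer_control_ip: str       # Peer HA IP Address (Control Link) entered in General > Setup
    control_gateway: Optional[str]
    encryption: bool           # Control Link encryption (AES-256)
    transport: str             # HA2 transport: ethernet, ip or udp
    preemptive: bool
    priority: int              # Device Priority; the lower number becomes active

def check_pair(a: HaDevice, b: HaDevice) -> List[str]:
    """Return the mismatches that would stop the pair forming; an empty list means consistent."""
    problems = []
    if a.group_id != b.group_id:
        problems.append("Group ID differs")
    for local, peer in ((a, b), (b, a)):
        iface = ipaddress.ip_interface(local.control_ip)
        peer_addr = ipaddress.ip_address(local.peer_control_ip)
        if peer_addr != ipaddress.ip_interface(peer.control_ip).ip:
            problems.append(f"{local.name}: Peer HA IP is not {peer.name}'s Control Link address")
        # a gateway is only needed when the Control Link IPs are on separate broadcast domains
        if peer_addr not in iface.network and not local.control_gateway:
            problems.append(f"{local.name}: Peer HA IP is off-subnet but no gateway is set")
    if a.encryption != b.encryption:
        problems.append("Control Link encryption enabled on one side only")
    if a.transport != b.transport:
        problems.append("HA2 transport differs")
    if a.preemptive != b.preemptive:
        problems.append("Preemptive enabled on one side only")
    return problems

def expected_active(a: HaDevice, b: HaDevice) -> str:
    """With Preemptive on both devices, the lowest Device Priority becomes active."""
    return a.name if a.priority < b.priority else b.name

def ha2_match(transport: str) -> Tuple[str, int]:
    """Identifier a switch ACL or capture filter must match to pass the chosen HA2 transport."""
    return HA2_TRANSPORT[transport]
```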


14. Go to the first device

a. Ensure it still shows as active and it sees the peer device as passive
b. Ensure all dynamic updates are synced
c. In this example, Antivirus and GlobalProtect are not synced
15. Update as needed so everything matches, as shown below:


16. Once everything matches on both devices, go to the active member's Dashboard tab and click Sync to peer.
It should say synchronization in progress.

17. Go to the second (passive) device's CLI and check the HA sync process by running:
> show jobs all
In this example, the first two attempts failed. The cause needs to be identified and fixed if needed


18. To get more details on the failed job, run:


> show jobs id <id number of the HA-Sync job>
The first sync failure is ID 13.

There is a security rule on the passive device named Samir that's causing the HA-Sync process to fail. The
rule is a shared rule from a previous Panorama configuration.
Delete the rule and run Sync to peer again from the Active Device's Dashboard tab. The job finishes
successfully this time:

High Availability is configured


19. Configure Link Monitoring and Path Monitoring (optional):


a. Device tab > High Availability > Link and Path Monitoring tab
b. In this example, all links are monitored. This means that if any link state goes down on the active device, a
failover will occur
c. In this example, Path Monitoring is not configured
d. Click on the ? button, in the top right corner of the Link and Path Monitoring tab, to read about Link
Monitoring and Path Monitoring

owner: jseals


2 Comments

WILO May 24, 2012 3:38 AM

Thank you for this Document but is there also one available for configuring HA for PA-200 devices?
