How to configure High Availability in Palo Alto Networks Firewall

In this article, we will discuss and configure High Availability (HA) on Palo Alto Networks firewalls. High Availability pairs two firewalls so that one takes over when the other fails, which removes the firewall as a single point of failure in your network.

All Palo Alto Networks firewalls, including the VM-Series, can be configured for High Availability. The PA-800, PA-3000, PA-3200, PA-4000, PA-5000, PA-5200, and PA-5400 series appliances have dedicated High Availability ports (HA1 and HA2).

VM-Series firewalls and the PA-220 have no dedicated HA ports, so on those platforms you must assign data plane interfaces as the HA links.

Here, we will configure High Availability on two Palo Alto Networks VM-50 firewalls running PAN-OS 10.1.5. Let’s quickly start with the configuration.

How to configure High Availability in Palo Alto Networks Firewalls

Before moving to the High Availability configuration, let’s understand the scenario we are using for this article.

I have a Palo Alto Networks firewall with 1 management interface and 8 data plane interfaces. I am going to use ethernet1/7 and ethernet1/8 as the High Availability interfaces, as shown in the image below.

configure-ha-between-paloalto-firewalls

Step 1: Configure the interfaces in High Availability Mode

In this step, we set two data plane interfaces to interface type HA so they can carry the HA1 and HA2 links. This step is only required on platforms without dedicated HA ports, such as the VM-Series and PA-220; on appliances with dedicated HA ports you can skip it.

Navigate to Network > Interfaces > Ethernet, select ethernet1/7, and set the Interface Type to HA.

configure-palo-alto-data-plane-interface-for-ha

Now navigate to Network > Interfaces > Ethernet, select ethernet1/8, and set the Interface Type to HA as well.

configure-palo-alto-data-plane-interface-for-ha2

Back on Network > Interfaces > Ethernet, you will see that ethernet1/7 and ethernet1/8 now show the interface type HA.

palo-alto-networks-firewall-interfaces

Step 2: Configure High Availability on the First Palo Alto Networks Firewall

Navigate to Device > High Availability > General > Setup, tick Enable HA, and set a Group ID between 1 and 63; the same Group ID must be configured on both peers, since the firewalls only pair with a peer in the same group. Select Active Passive as the mode, enter the Peer HA1 IP Address (the HA1 address of the other firewall), and click OK.

palo-alto-high-availability-primary

Now open Active/Passive Settings and set Passive Link State to Auto. With Auto, the passive firewall keeps its data links physically up without forwarding traffic, so they do not need to renegotiate at failover; with Shutdown they stay down until the device becomes active, which makes failover slower.

paloalto-active-passive-settings

Navigate to Election Settings and define the Device Priority and Preemptive settings.

Device Priority must be set on both firewalls when configuring High Availability. A lower numerical value means a higher priority, so the firewall you want to be active under normal conditions gets the lower number. If Preemptive is enabled, a recovered firewall with the better (lower) priority takes the active role back; it has to be enabled on both peers to take effect, and it causes a second failover when the original device recovers, so leave it disabled if you prefer to fail back manually during a maintenance window.

paloalto-ha-election-settings

Now navigate to Device > High Availability > HA Communications and define the HA1 and HA2 links. Under Control Link, edit HA1 and set the Port and the IP Address (with netmask) for this firewall’s end of the control link. HA1 carries the HA hellos and the configuration synchronization; that traffic is sent in cleartext unless you tick Encryption Enabled, which requires exporting the HA key from each firewall (Device > Certificate Management > Certificates) and importing it on the peer. If HA1 runs over a switch rather than a direct cable, enable the encryption.

ha1-configuration-primary-palo-alto-firewall

Under Data Link, edit HA2 and define the Port, the Transport method and, where needed, the IP address.

If HA2 is connected back-to-back (or across the same Layer 2 segment), select Ethernet as the Transport method; it uses raw Ethernet frames, so no IP address is needed. Choose IP or UDP transport only when HA2 has to be routed between the peers, in which case each side needs an IP address.

ha2-configuration-secondary-palo-alto-firewall

Commit the changes. HA is now configured on the first (primary) Palo Alto Networks firewall, but until the second firewall is configured the firewall has no peer information to show.

ha-initialisation-palo-alto

That’s it! The High Availability configuration on the first Palo Alto Networks firewall is complete.

Step 3: Configure the interfaces in High Availability Mode on the Second Palo Alto Networks Firewall

In this step, we repeat the interface configuration on the second firewall, setting the same two data plane interfaces to interface type HA. As before, this step is only required on platforms without dedicated HA ports, such as the VM-Series and PA-220.

Navigate to Network > Interfaces > Ethernet, select ethernet1/7, and set the Interface Type to HA.

configure-palo-alto-data-plane-interface-for-ha

Now navigate to Network > Interfaces > Ethernet, select ethernet1/8, and set the Interface Type to HA as well.

configure-palo-alto-data-plane-interface-for-ha2

Back on Network > Interfaces > Ethernet, you will see that ethernet1/7 and ethernet1/8 now show the interface type HA.

palo-alto-networks-firewall-interfaces

Step 4: Configure High Availability on the Second Palo Alto Networks Firewall

Navigate to Device > High Availability > General > Setup, tick Enable HA, and enter the same Group ID as on the first firewall. Select Active Passive as the mode, enter the Peer HA1 IP Address (the first firewall’s HA1 address), and click OK.

palo-alto-high-availability-secondary

Now open Active/Passive Settings and set Passive Link State to Auto, as on the first firewall.

paloalto-active-passive-settings

Navigate to Election Settings and define the Device Priority and Preemptive settings.

Set the Device Priority here as well. Because a lower numerical value means a higher priority, give the second firewall a higher number than the first so that the first firewall becomes active, and configure Preemptive the same way as on the first firewall.

paloalto-election-settings-secondary

Now navigate to Device > High Availability > HA Communications and define the HA1 and HA2 links. Under Control Link, edit HA1 and set the Port and this firewall’s own HA1 IP Address and netmask. If you enabled HA1 encryption on the first firewall, enable it here too, otherwise the control link will not come up.

ha1-configuration-secondary-palo-alto-firewall

Under Data Link, edit HA2 and set the Port and Transport method to match the first firewall.

With a back-to-back HA2 connection, select Ethernet as the Transport method; no IP address is needed.

ha2-configuration-secondary-palo-alto-firewall

Commit the changes and open Dashboard > High Availability widget on the first firewall to check the HA status.

paloalto-ha-widget

Right after the High Availability configuration, the widget reports the Running Config as not synchronized. Click Sync to peer on the active firewall to push its running configuration to the peer. The sync overwrites the peer’s configuration (apart from device-specific settings such as the management interface and the HA settings themselves), so always run it from the device whose configuration you want to keep.

configuration-sync-in-progress-palo-alto

Wait a few seconds until the widget shows the Running Config as synchronized.
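The check the widget performs can also be scripted, which is useful once you run more than one pair. The following is an added example (not code from the original article or from Palo Alto Networks) that calls the XML API form of `show high-availability state`, reduces the response to the fields worth checking after Step 4, and flags the same conditions you would look for in the widget: HA disabled, HA1 peer link down, both peers claiming active, running config not synchronized, preemption or PAN-OS version differing between peers. It also wraps the API form of `request high-availability sync-to-remote running-config`. The host name, API key and `SAMPLE_STATE_XML` are constructed; the sample mirrors the element names seen in real output but is not a captured response, so treat its exact layout as an assumption.

```python
"""Check an active/passive PAN-OS HA pair over the XML API (added example)."""
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample: the state the widget shows right after the second
# firewall commits, before "Sync to peer" has been run (not a real capture).
SAMPLE_STATE_XML = """<response status="success"><result>
  <enabled>yes</enabled>
  <group>
    <mode>Active-Passive</mode>
    <local-info>
      <state>active</state><priority>100</priority>
      <preemptive>yes</preemptive><build-rel>10.1.5</build-rel>
    </local-info>
    <peer-info>
      <conn-status>up</conn-status><state>passive</state><priority>200</priority>
      <preemptive>yes</preemptive><build-rel>10.1.5</build-rel>
    </peer-info>
    <running-sync-enabled>yes</running-sync-enabled>
    <running-sync>not synchronized</running-sync>
  </group>
</result></response>"""


def api_op(host, api_key, cmd, verify_tls=True):
    """Send one operational command (XML form) and return the response body.

    verify_tls=False is only for a lab box with a self-signed certificate:
    the API key is an administrator credential, so never send it over an
    unverified TLS session to a production firewall.
    """
    query = urllib.parse.urlencode({"type": "op", "cmd": cmd, "key": api_key})
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(f"https://{host}/api/?{query}", context=ctx, timeout=15) as resp:
        return resp.read().decode()


def fetch_ha_state(host, api_key, verify_tls=True):
    """API equivalent of `show high-availability state`."""
    return api_op(host, api_key,
                  "<show><high-availability><state/></high-availability></show>", verify_tls)


def sync_to_peer(host, api_key, verify_tls=True):
    """API equivalent of `request high-availability sync-to-remote running-config`.
    Run it on the firewall whose configuration should win: it overwrites the peer's."""
    return api_op(host, api_key,
                  "<request><high-availability><sync-to-remote><running-config/>"
                  "</sync-to-remote></high-availability></request>", verify_tls)


def parse_ha_state(xml_text):
    """Reduce the response to the fields worth checking after configuration."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise RuntimeError("API error: " + ET.tostring(root, encoding="unicode"))
    grp = root.find("./result/group")

    def text(path):
        el = grp.find(path) if grp is not None else None
        return (el.text or "").strip() if el is not None else ""

    return {
        "enabled": (root.findtext("./result/enabled") or "").strip() == "yes",
        "local_state": text("local-info/state"),
        "peer_state": text("peer-info/state"),
        "peer_conn": text("peer-info/conn-status"),
        "local_priority": text("local-info/priority"),
        "peer_priority": text("peer-info/priority"),
        "local_preemptive": text("local-info/preemptive"),
        "peer_preemptive": text("peer-info/preemptive"),
        "local_build": text("local-info/build-rel"),
        "peer_build": text("peer-info/build-rel"),
        "running_sync": text("running-sync"),
    }


def ha_findings(state):
    """Return human-readable problems; an empty list means the pair looks healthy."""
    findings = []
    if not state["enabled"]:
        return ["HA is not enabled on this firewall"]
    if state["peer_conn"] != "up":
        findings.append(f"HA1 connection to peer is {state['peer_conn'] or 'unknown'}")
    if state["local_state"] == "active" and state["peer_state"] == "active":
        findings.append("both peers report active (split brain): check HA1/HA2 cabling and Group ID")
    if state["running_sync"] != "synchronized":
        findings.append(f"running config is {state['running_sync'] or 'unknown'}: "
                        "run Sync to peer from the active firewall")
    if state["local_priority"] == state["peer_priority"]:
        findings.append("device priorities are equal: give the intended primary the lower value")
    if state["local_preemptive"] != state["peer_preemptive"]:
        findings.append("preemptive differs between peers; it must be set the same on both")
    if state["local_build"] != state["peer_build"]:
        findings.append(f"PAN-OS versions differ: {state['local_build']} vs {state['peer_build']}")
    return findings


if __name__ == "__main__":
    # Offline run on the constructed sample; use fetch_ha_state(host, key) for a real device.
    for line in ha_findings(parse_ha_state(SAMPLE_STATE_XML)) or ["HA pair is healthy"]:
        print(line)
```

Run it against the sample and the single finding is the one the widget shows at this point, the unsynchronized running config; once `sync_to_peer` has been issued from the active firewall and the state re-fetched, `ha_findings` returns an empty list. The same script, run from monitoring, catches a split-brain pair (both active) that a quick look at one firewall’s dashboard would miss.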

Step 5: Configure Link Monitoring and Path Monitoring

To trigger an automatic failover on a data-path failure, we need to configure Link Monitoring and/or Path Monitoring. This step is optional but recommended: without it, the pair only fails over when the active firewall stops answering HA hellos and heartbeats or reports an internal failure, not when one of its data links goes down. Navigate to Device > High Availability > Link and Path Monitoring. Under Link Monitoring click Add, create a link group, and add the data plane interfaces whose loss should cause a failover; do not add the HA interfaces themselves.

palo-alto-link-and-path-monitoring

The link group’s Failure Condition defaults to Any, so if any one of the monitored data plane interfaces goes down the firewall fails over; set it to All if failover should only happen when every interface in the group is down.
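Steps 1 to 5 are the same small set of values entered twice, mirrored between the peers, and most HA mistakes are mirroring mistakes (different Group IDs, a peer IP pointing at the wrong address, equal priorities, an HA port also listed as a monitored link). The following is an added example, not code from the original article or from Palo Alto Networks, that describes both peers once, validates those pairing rules, and renders each firewall’s `<high-availability>` element in the form the XML API’s `type=config&action=set` call takes (HA2 transport is left at its default, Ethernet, which is what a back-to-back HA2 cable needs). The addresses and interface names are constructed, and the element and XPath layout is my reading of the PAN-OS 10.1 configuration schema; treat it as an assumption and compare it with the output of `show config running` on your own firewall before pushing anything.

```python
"""Plan and render an active/passive HA pair for two PAN-OS firewalls (added example)."""
from dataclasses import dataclass
from xml.etree import ElementTree as ET

# XPath the rendered element is set under (assumption: single-vsys appliance).
DEVICECONFIG_XPATH = "/config/devices/entry[@name='localhost.localdomain']/deviceconfig"


@dataclass(frozen=True)
class HaPeer:
    name: str
    ha1_port: str                 # data plane port set to type HA (Step 1 / Step 3)
    ha1_ip: str
    ha1_netmask: str
    ha2_port: str
    device_priority: int          # lower value wins the election
    monitored_links: tuple = ()   # data interfaces whose loss should trigger failover (Step 5)


@dataclass(frozen=True)
class HaPair:
    group_id: int                 # must be 1..63 and identical on both peers
    a: HaPeer
    b: HaPeer
    preemptive: bool = True       # must be identical on both peers to take effect
    passive_link_state: str = "auto"   # "auto" keeps passive links up for faster failover


def validate_pair(pair):
    """Return a list of configuration errors; empty means the pair is consistent."""
    errors = []
    if not 1 <= pair.group_id <= 63:
        errors.append(f"group id {pair.group_id} outside 1..63")
    if pair.passive_link_state not in ("auto", "shutdown"):
        errors.append(f"passive link state {pair.passive_link_state!r} is not auto/shutdown")
    if pair.a.device_priority == pair.b.device_priority:
        errors.append("both peers have the same device priority; give the intended primary the lower value")
    if pair.a.ha1_ip == pair.b.ha1_ip:
        errors.append("both peers have the same HA1 address")
    for p in (pair.a, pair.b):
        if p.ha1_port == p.ha2_port:
            errors.append(f"{p.name}: HA1 and HA2 share port {p.ha1_port}")
        reused = set(p.monitored_links) & {p.ha1_port, p.ha2_port}
        if reused:
            errors.append(f"{p.name}: HA port(s) {sorted(reused)} listed as monitored data links")
    return errors


def render_ha_element(pair, me):
    """Render <high-availability> for peer `me` (pair.a or pair.b) as an XML string."""
    peer = pair.b if me is pair.a else pair.a
    ha = ET.Element("high-availability")
    ET.SubElement(ha, "enabled").text = "yes"
    grp = ET.SubElement(ha, "group")
    ET.SubElement(grp, "group-id").text = str(pair.group_id)
    ET.SubElement(grp, "peer-ip").text = peer.ha1_ip          # Peer HA1 IP (Step 2 / Step 4)
    ap = ET.SubElement(ET.SubElement(grp, "mode"), "active-passive")
    ET.SubElement(ap, "passive-link-state").text = pair.passive_link_state
    elect = ET.SubElement(grp, "election-option")
    ET.SubElement(elect, "device-priority").text = str(me.device_priority)
    ET.SubElement(elect, "preemptive").text = "yes" if pair.preemptive else "no"
    if me.monitored_links:                                    # Link Monitoring (Step 5)
        lm = ET.SubElement(ET.SubElement(grp, "monitoring"), "link-monitoring")
        ET.SubElement(lm, "enabled").text = "yes"
        entry = ET.SubElement(ET.SubElement(lm, "link-group"), "entry", name="dp-links")
        ET.SubElement(entry, "enabled").text = "yes"
        ET.SubElement(entry, "failure-condition").text = "any"  # the default: any member down
        ifaces = ET.SubElement(entry, "interface")
        for link in me.monitored_links:
            ET.SubElement(ifaces, "member").text = link
    iface = ET.SubElement(ha, "interface")
    ha1 = ET.SubElement(iface, "ha1")
    ET.SubElement(ha1, "port").text = me.ha1_port
    ET.SubElement(ha1, "ip-address").text = me.ha1_ip
    ET.SubElement(ha1, "netmask").text = me.ha1_netmask
    ha2 = ET.SubElement(iface, "ha2")
    ET.SubElement(ha2, "port").text = me.ha2_port             # transport left at default (ethernet)
    return ET.tostring(ha, encoding="unicode")


def api_set_params(pair, me, api_key):
    """Query parameters for https://<firewall>/api/ that push the rendered element."""
    return {"type": "config", "action": "set", "key": api_key,
            "xpath": DEVICECONFIG_XPATH, "element": render_ha_element(pair, me)}


# Constructed lab pair: ethernet1/7 as HA1 and ethernet1/8 as HA2 on both firewalls.
LAB_PAIR = HaPair(
    group_id=10,
    a=HaPeer("fw-a", "ethernet1/7", "192.0.2.1", "255.255.255.252", "ethernet1/8", 100,
             ("ethernet1/1", "ethernet1/2")),
    b=HaPeer("fw-b", "ethernet1/7", "192.0.2.2", "255.255.255.252", "ethernet1/8", 200,
             ("ethernet1/1", "ethernet1/2")),
)

if __name__ == "__main__":
    print("\n".join(validate_pair(LAB_PAIR)) or "pair is consistent")
    for peer in (LAB_PAIR.a, LAB_PAIR.b):
        print(peer.name, render_ha_element(LAB_PAIR, peer))
```

Push each rendered element to its own firewall with `api_set_params`, commit on both, and then run Sync to peer from the intended active device. Keeping the pair in one data structure is what makes the mirroring checks cheap: the peer IP is derived from the other firewall’s HA1 address instead of being typed twice, and a Group ID or priority typo is caught before a commit rather than after the widget shows the peers refusing to pair.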

Summary

In this article, we configured High Availability on a pair of Palo Alto Networks firewalls. High Availability (HA) stops the firewall from being a single point of failure in the network. Palo Alto Networks firewalls not only synchronize the configuration over the HA1 control link, but also synchronize sessions over the HA2 data link with the peer device, so a failover is smooth with minimal downtime.

I hope you have enjoyed this article. Please let me know if you need any information regarding this article.
