In this article, we will discuss and configure High Availability (HA) in Palo Alto Networks Firewall. High Availability provides you redundancy in your network. Thus, it avoids a single point of failure.
All of the Palo Alto Networks firewalls, provide you an option to configure High Availability including VM Serves Firewalls. Palo Alto Networks Firewalls PA-800, PA-3000, PA-3200, PA-4000, PA-5000, PA-5200, and PA-5400 series devices have dedicated High Availability Links.
For VM series firewalls and PA-220 devices, you need to use data plane interfaces to use High Availability (HA).
Here, we will configure High Availability on the Palo Alto VM50 devices that has PANOS 10.1.5. Let’s quickly start with the configuration.
How to configure High Availability in Palo Alto Networks Firewalls
Before moving to the High Availability configuration, let’s understand the scenario we are using for this article.
I’m having a Palo Alto Networks Firewall that has 1 management interface and 8 data plane interfaces. I am going to use ethernet1/7 & ether1/8 as High Availability interfaces as shown in the below image.
Step1: Configure the interfaces in High Availability Mode
In this step, we will configure the data plane interfaces in High Availability mode. This step is optional if you are using a higher range of Palo Alto Networks devices.
Navigate to Network > Interface > Ethernet > select ethernet1/7 and select interface type HA.
Now, Navigate to Network > Interface > Ethernet > select ethernet1/8 and select interface type HA.
Navigate to Network > Interface Ethernet, and you will notice that ethernet1/7 and ethernet1/8 are configured in the High Availability.
Step2: Configure the High Availability on First Palo Alto Networks Firewall
Navigate to Device > High Availability > General > Setup and enable the High Availability and configure the Group ID, between 1 to 63. Select mode as Active-Passive, define peer HA1 IP address, and click on Ok.
Now, select the Active Passive Settings and configure Passive Link State to Auto to ensure a faster failover.
Navigate to Election settings, and define the Device Priority and Preemption settings.
We must need to Device Priority while confiruing the High Availability. Lower numerical value of Device Priority will consider as higher priority.
Now, navigate to the Device > High Availability > HA Communication and define the HA1 and HA2 links. Select the HA1 and define the Port and IP Address.
Edit the HA2 configuration under the Data Links and define the port, IP address, and Transport method.
If the HA2 is connected back-to-back, you can select Transport method as ethernet, and do not need to define the IP Address.
Commit all the changes, and you will notice that HA is configured on our Primary Palo Alto Networks Firewall. However, as of now, we don’t have secondary device information.
That’s it! You have done the High Availability configuration in First Palo Alto Networks Firewall.
Step3: Configure the interfaces in High Availability Mode on Second Palo Alto Networks Firewall
In this step, we will configure the data plane interfaces in High Availability mode. This step is optional if you are using a higher range of Palo Alto Networks devices.
Navigate to Network > Interface > Ethernet > select ethernet1/7 and select interface type HA.
Now, Navigate to Network > Interface > Ethernet > select ethernet1/8 and select interface type HA.
Navigate to Network > Interface Ethernet, and you will notice that ethernet1/7 and ethernet1/8 are configured in the High Availability.
Step4: Configure the High Availability on Second Palo Alto Networks Firewall
Navigate to Device > High Availability > General > Setup and enable the High Availability and configure the same Group ID, between 1 to 63. Select mode as Active-Passive, define peer HA1 IP address, and click on Ok.
Now, select the Active Passive Settings and configure Passive Link State to Auto to ensure a faster failover.
Navigate to Election settings, and define the Device Priority and Preemption settings.
We must need to Device Priority while confiruing the High Availability. Lower numerical value of Device Priority will consider as higher priority.
Now, navigate to the Device > High Availability > HA Communication and define the HA1 and HA2 links. Select the HA1 and define the Port and IP Address.
Edit the HA2 configuration under the Data Links and define the port, IP address, and Transport method.
If the HA2 is connected back-to-back, you can select Transport method as ethernet, and do not need to define the IP Address.
Commit all the changes and navigate to the Dashboard > High Availability Widget on First Palo Alto Firewall to get the High Availability information.
Just after the High Availability configuration, you will notice that the Running Config is not synchronized. Use the Sync to peer option from the Active Palo Alto Networks firewall to get it synchronized with the peer device.
Wait for a couple of seconds to get it fully synchronized.
Step 5: Configure Link Monitoring and Path Monitoring
Well, To trigger an automatic failover, we need to configure the Link Monitoring and/or Path Monitoring. This step is optional but recommended. Navigate to Device > High Availability > Link and Path Monitoring and define the Link or Path Monitoring. Click on the Add under the Link Monitoring and define your data plane interfaces.
By default, if any one of the data plane interfaces goes down, the firewall will perform a failover.
Related Articles
- How to install Cisco ASAv Firewall in EVE-NG Simulator
- How to configure Static Routes on Cisco ASA Firewall
- Cisco ASA: Security Levels and Zones Explained
References
Summary
In this article, we have configured the High Availability on the Palo Alto Networks firewall. High Availability (HA) is necessary to prevent a single point of failure in the network. Palo Alto Networks firewall not only synchronize the configuration, but it will also synchronize session with peer device to perform a smooth failover with minimum downtime.
I hope you have enjoyed this article. Please let me know if you need any information regarding this article.
Support our work:
If you appreciate what we do and would like to contribute to our efforts, we kindly ask you to consider buying us a coffee. Your small donation can go a long way in helping us cover the costs of hosting, maintenance, and further development.
Please consider buying us a coffee ( or 2 ) as a token of appreciation.
We are always thankful for your never-ending support.