
Configure Active Passive HA in Palo Alto Firewall

Posted on February 14, 2020 / Under Palo Alto Firewalls / With 6 Comments
High availability (HA) is a deployment in which two firewalls are placed in a group and their configuration is synchronized, so that neither device is a single point of failure in the network. In this lesson we will configure Active/Passive HA on Palo Alto firewalls.
Prerequisite:
Same firewall model with the same PAN-OS version.
Same versions of the App, Threat, Antivirus and GlobalProtect content on both firewalls.
Check that all licenses are identical.
You can read more details about all prerequisites in the Palo Alto administrator's guide.
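The version prerequisites above can be checked mechanically instead of by eye. The following is an added example and not code from the original post or from Palo Alto Networks. It assumes each peer's `show system info` output has been fetched as XML (for example through the PAN-OS XML API with `type=op` and `cmd=<show><system><info></info></system></show>`) and that the element names match the fields that command prints; the two responses in the block are constructed samples in which PA-02 lags one Threat content release behind PA-01, and the serials are placeholders. Licenses are not compared here.

```python
"""Pre-flight check for the HA prerequisites: both peers must run the same
model, PAN-OS version and content versions.

Added example (not from the original post). Assumes `show system info` output
as XML; element names are assumed to follow that command's fields, and the
sample responses below are constructed.
"""
import xml.etree.ElementTree as ET

# Fields that must be identical on both peers before HA is enabled.
REQUIRED_MATCH = {
    "model": "firewall model",
    "sw-version": "PAN-OS version",
    "app-version": "App content version",
    "threat-version": "Threat content version",
    "av-version": "Antivirus content version",
    "global-protect-client-package-version": "GlobalProtect client package",
}


def system_info(xml_text):
    """Return {field: value} for every element under <result><system>."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise ValueError("API call failed with status %r" % root.get("status"))
    system = root.find("./result/system")
    if system is None:
        raise ValueError("no <result><system> element in response")
    return {child.tag: (child.text or "").strip() for child in system}


def ha_prerequisite_mismatches(info_a, info_b):
    """Return (description, value_on_a, value_on_b) for each required field
    that differs. An empty list means the version prerequisites are met;
    licenses still have to be compared separately (`request license info`)."""
    mismatches = []
    for field, description in REQUIRED_MATCH.items():
        value_a = info_a.get(field, "<missing>")
        value_b = info_b.get(field, "<missing>")
        if value_a != value_b:
            mismatches.append((description, value_a, value_b))
    return mismatches


# Constructed sample: PA-02 is one Threat content release behind PA-01.
PA01_SYSTEM_INFO = """<response status="success"><result><system>
<hostname>PA-01</hostname><serial>PLACEHOLDER-SERIAL-01</serial>
<model>PA-VM</model><sw-version>9.1.0</sw-version>
<app-version>8235-6012</app-version><threat-version>8235-6012</threat-version>
<av-version>3321-3818</av-version>
<global-protect-client-package-version>5.0.7</global-protect-client-package-version>
</system></result></response>"""

PA02_SYSTEM_INFO = PA01_SYSTEM_INFO.replace("PA-01", "PA-02").replace(
    "SERIAL-01", "SERIAL-02").replace(
    "<threat-version>8235-6012", "<threat-version>8234-6005")

if __name__ == "__main__":
    problems = ha_prerequisite_mismatches(system_info(PA01_SYSTEM_INFO),
                                          system_info(PA02_SYSTEM_INFO))
    for description, a, b in problems:
        print("MISMATCH %s: PA-01=%s PA-02=%s" % (description, a, b))
    print("ready for HA" if not problems
          else "fix the mismatches before enabling HA")
```

Run it against the real responses of both peers before enabling HA; any tuple returned by `ha_prerequisite_mismatches` is a content or software update that has to be applied on the lagging unit first.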
LAB Diagram:
Active/Passive HA Configuration in Palo Alto Firewall:
HA Ports:
This firewall model does not have dedicated HA1 and HA2 ports, so we will use ethernet1/4 as HA1 and ethernet1/5 as HA2. To do this, go to Network >> Interfaces >> Ethernet and change the interface type of ethernet1/4 and ethernet1/5 to HA, as shown below.
The final result will look like below.
PA-01:
PA-02:
Control Plane Configuration:
Next, go to Device >> High Availability. Click the gear icon at the top right of the Control Link (HA1) section and declare ethernet1/4 as the control plane link (HA1), as decided earlier.
We will use 172.16.1.0/30 for the HA1 link. Below is the configuration of the Active and Passive nodes. The link is point-to-point, so no gateway is needed. HA1 carries the heartbeats and the configuration sync between the peers, so keep it on this dedicated link rather than on a shared segment.
PA-01:
PA-02:
Data Link Configuration:
On the same page (Device >> High Availability), click the gear icon at the top right of the Data Link (HA2) section.
In our case, ethernet1/5 is the HA2 link. It is directly connected, so the transport mode is Ethernet and no IP address is needed. If your data link passes through an L3 network, you must specify IP details instead.
Group Configuration:
In the next section we enable HA, set the Group ID and enter the Peer HA1 IP Address. Below is the configuration of the PA-01 firewall.
Similarly, enable HA on PA-02 with the same Group ID (10) and Peer HA1 IP 172.16.1.1.
Priority and Preemption:
This section is optional but recommended. Here we set the device priority so that PA-01 is preferred as the Active unit, and enable preemption so that whenever PA-01 is up and running it takes over the traffic. The firewall with the lower priority value becomes Active and the other becomes Passive.
Note: If you do not change the device priority, the firewall with the lowest MAC address on the HA1 link will act as the Active firewall.
PA-01:
PA-02:
IMPORTANT: Do not forget to commit your configuration on both firewalls.
Verify:
An easy way to verify the HA status is Dashboard >> Widgets >> System >> High Availability.
You can see that our Active/Passive HA pair is already formed; however, the configuration has not been synced yet. Follow either option below to sync the configuration from the Active unit to the Passive unit.
Option 1:
Click "Sync to peer". This automatically syncs the configuration from the Active unit to the Passive unit.
Option 2:
Run the command below on the Active unit:
admin@PA-ACTIVE(active)> request high-availability sync-to-remote running-config
Executing this command will overwrite the candidate configuration on the peer and
trigger a commit on the peer. Do you want to continue(y/n)? (y or n) y
HA synchronization job has been queued on peer. Please check job status on peer.
admin@PA-ACTIVE(active)>
Here is the final output of HA widget.
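The same two checks the widget shows (pair formed, configuration synced) can be scripted so that a pair that forms but never syncs is caught rather than noticed later. The following is an added example and not code from the original post or from Palo Alto Networks. It assumes the output of `show high-availability state` has been fetched as XML (for example through the PAN-OS XML API with `type=op` and `cmd=<show><high-availability><state></state></high-availability></show>`) and that the element names follow that output; the sample response is constructed to match this lab right after the pair forms (PA-01 active, PA-02 passive, running configuration not yet synchronized), and the priority values and the PA-01 management IP in it are made up.

```python
"""Verify that an Active/Passive pair has formed and that the running
configuration is synchronized, from `show high-availability state` output.

Added example (not from the original post). Element names are assumed to
follow that command's XML output; the sample response below is constructed.
"""
import xml.etree.ElementTree as ET

SYNC_COMMAND = "request high-availability sync-to-remote running-config"


def _text(elem, path, default=""):
    node = elem.find(path)
    return (node.text or "").strip() if node is not None else default


def ha_status(xml_text):
    """Parse the HA state. The returned dict's `problems` list is empty when the
    pair is enabled, Active/Passive, has one active and one passive member,
    agrees on preemption, has distinct priorities, and is in sync."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise ValueError("API call failed with status %r" % root.get("status"))
    group = root.find("./result/group")
    if group is None:
        raise ValueError("no <result><group> element in response")

    status = {
        "enabled": _text(root, "./result/enabled") == "yes",
        "mode": _text(group, "mode"),
        "local_state": _text(group, "local-info/state").lower(),
        "peer_state": _text(group, "peer-info/state").lower(),
        "local_priority": _text(group, "local-info/priority"),
        "peer_priority": _text(group, "peer-info/priority"),
        "local_preemptive": _text(group, "local-info/preemptive") == "yes",
        "peer_preemptive": _text(group, "peer-info/preemptive") == "yes",
        "running_sync": _text(group, "running-sync"),
    }

    problems = []
    if not status["enabled"]:
        problems.append("HA is not enabled on this unit")
    if status["mode"].lower() != "active-passive":
        problems.append("HA mode is %r, expected Active-Passive" % status["mode"])
    if {status["local_state"], status["peer_state"]} != {"active", "passive"}:
        problems.append("pair is not active/passive (local=%s, peer=%s)"
                        % (status["local_state"], status["peer_state"]))
    if status["local_preemptive"] != status["peer_preemptive"]:
        problems.append("preemption is enabled on only one peer")
    if status["local_priority"] == status["peer_priority"]:
        problems.append("device priorities are equal; the active unit is then "
                        "chosen by HA1 MAC address rather than by preference")
    if status["running_sync"] != "synchronized":
        problems.append("running configuration is %s; run '%s' on the active unit"
                        % (status["running_sync"] or "of unknown sync state",
                           SYNC_COMMAND))
    status["problems"] = problems
    return status


# Constructed sample: the pair has formed but the config has not been synced.
# Priorities and the PA-01 management IP are made-up values.
FORMED_NOT_SYNCED = """<response status="success"><result>
<enabled>yes</enabled>
<group>
 <mode>Active-Passive</mode>
 <running-sync>not synchronized</running-sync>
 <running-sync-enabled>yes</running-sync-enabled>
 <local-info>
  <state>active</state><priority>100</priority><preemptive>yes</preemptive>
  <mgmt-ip>10.1.1.32/24</mgmt-ip>
  <ha1-ipaddr>172.16.1.1/30</ha1-ipaddr><ha1-port>ethernet1/4</ha1-port>
  <ha2-port>ethernet1/5</ha2-port>
 </local-info>
 <peer-info>
  <state>passive</state><priority>110</priority><preemptive>yes</preemptive>
  <mgmt-ip>10.1.1.33</mgmt-ip>
  <ha1-ipaddr>172.16.1.2/30</ha1-ipaddr>
 </peer-info>
</group></result></response>"""

# The same pair after the sync-to-remote command has completed.
SYNCED = FORMED_NOT_SYNCED.replace("<running-sync>not synchronized",
                                   "<running-sync>synchronized")

if __name__ == "__main__":
    for label, xml_text in (("before sync", FORMED_NOT_SYNCED),
                            ("after sync", SYNCED)):
        st = ha_status(xml_text)
        print("%s: local=%s peer=%s sync=%s" % (label, st["local_state"],
                                                st["peer_state"],
                                                st["running_sync"]))
        for p in st["problems"]:
            print("  PROBLEM:", p)
```

On the "before sync" sample the only problem reported is the unsynchronized running configuration, which is exactly the state the widget showed above; after the sync command the list is empty. Running this against the active unit after every commit is a cheap way to catch a peer that silently fell out of sync.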
Written by Rajib Kumer Das
I am Rajib Kumer Das, a network engineer with 8+ years of experience in multivendor environments. In my current position, I am responsible for taking care of critical projects and their support cases. I do have several vendor certificates and have plans to go further.
This article has 6 comments
Suresh
September 4, 2020 Reply
Nice article. Out of interest, how did you configure the peer IP of 10.1.1.33 on the
passive PA?
Rajib Kumer Das
September 4, 2020 Reply
Hi Suresh, I can't find the section where I configured 10.1.1.33.
However, you only need to configure HA1 and HA2 on the Passive unit; the other configuration will be auto-synced.
Suresh
September 4, 2020 Reply
Thanks for the response.
Sorry, I should have been clearer. In the last picture the peer (passive) IP shows as 10.1.1.33. I presume we can use that IP to log in to the passive unit. I was wondering how we can use an UNTRUST IP to access the passive peer. My understanding is that we can only use the Management IP to connect to the passive node.
Rajib Kumer Das
September 4, 2020 Reply
10.1.1.33 is the management IP of the passive unit. After configuring the management IP, you only need to configure the HA1 and HA2 links. All other configuration will be synced automatically.
Sultan Ansari
October 6, 2020 Reply
Hello sir, I configured HA and everything is working perfectly, but after suspending my PA1 it waits up to 300 sec before forwarding traffic from PA2, meaning it is waiting for the MAC-table aging time.
Rajib Kumer Das
October 6, 2020 Reply
Go to Network >> High Availability >> General >> Election Settings and change
HA timer setting to Aggressive. It will be much quicker.
Copyright 2019 Letsconfig.com. All rights reserved.