High availability (HA) is a deployment in which two firewalls are placed in a group and their configuration is synchronized, so that a single firewall is no longer a single point of failure in the network. In this lesson, we will learn to configure Active/Passive HA on a Palo Alto firewall.
Prerequisites:
- Same firewall model and same PAN-OS version on both firewalls.
- Same Applications, Threat, Antivirus and GlobalProtect content versions on both firewalls.
- Identical licenses on both firewalls.
You can read the full list of prerequisites in the Palo Alto Networks administrator's guide.
Active/Passive HA Configuration in Palo Alto Firewall:
Our firewalls do not have dedicated HA1 and HA2 ports (larger models do; on those, use the dedicated ports instead). So, we are going to use ethernet1/4 as HA1 and ethernet1/5 as HA2. To do this, go to Network >> Interfaces >> Ethernet and change the Interface Type of ethernet1/4 and ethernet1/5 to HA, as shown below.
The resulting interface list will look like below:
Control Link Configuration:
Next, go to Device >> High Availability. Click the gear icon at the top right of the Control Link (HA1) section and select ethernet1/4 as our control link (HA1), as decided earlier.
We will use 172.16.1.0/30 for the HA1 link: 172.16.1.1/30 on the Active node (PA-01) and 172.16.1.2/30 on the Passive node (PA-02). Below is the configuration of the Active and Passive nodes. The link is point-to-point, so no gateway is needed here. HA1 carries the control traffic between the peers, including configuration synchronization; if this link runs over anything other than a directly connected cable, enable Encryption on HA1 (which requires exporting the HA key from each firewall and importing it on the peer).
Data Link Configuration:
On the same page (Device >> High Availability), click the gear icon at the top right of the Data Link (HA2) section.
In our case, ethernet1/5 is our HA2 link. It is directly connected, so the Transport mode is ethernet and no IP address is needed. If your data link crosses a Layer 3 network, set Transport to IP or UDP and specify the IP details.
Next, in the Setup section, enable HA, set the Group ID and enter the Peer HA1 IP Address. Below is the configuration of the PA-01 firewall (Group ID 10, Peer HA1 IP 172.16.1.2).
Similarly, enable HA on PA-02 with the same Group ID (10) and Peer HA1 IP 172.16.1.1. Both members of a pair must use the same Group ID; if more than one HA pair shares a Layer 2 segment, give each pair a different Group ID, because the Group ID is part of the virtual MAC addresses the pair uses.
Priority and Preemption:
This section is optional but recommended. Here we set the Device Priority so that PA-01 is preferred as the Active unit, and enable Preemption so that PA-01 takes the Active role back whenever it is up and running. The firewall with the lower priority value becomes Active and the other firewall becomes Passive. Preemption has to be enabled on both firewalls, and keep in mind that it causes a second failover when the preferred unit returns; some environments leave it disabled and fail back manually during a maintenance window instead.
Note: If you leave the device priority at its default (100 on both firewalls), the firewall with the lowest MAC address on the HA1 link becomes Active.
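The same configuration entered from the CLI of each firewall, as an added example that is not part of the original post. The set-command paths follow the PAN-OS configuration tree as I recall it for PAN-OS 9.x/10.x; confirm each path with `?` in configure mode on your version before relying on it. The priority values (50 and 100) are assumptions, the post does not state them; the group ID, peer addresses and HA ports are the ones used above. Lines beginning with `#` are annotations, not commands.

```text
# PA-01 (preferred Active), from configure mode
set network interface ethernet ethernet1/4 ha
set network interface ethernet ethernet1/5 ha
set deviceconfig high-availability enabled yes
set deviceconfig high-availability group group-id 10
set deviceconfig high-availability group mode active-passive passive-link-state auto
set deviceconfig high-availability group peer-ip 172.16.1.2
set deviceconfig high-availability group election-option device-priority 50
set deviceconfig high-availability group election-option preemptive yes
set deviceconfig high-availability interface ha1 port ethernet1/4
set deviceconfig high-availability interface ha1 ip-address 172.16.1.1
set deviceconfig high-availability interface ha1 netmask 255.255.255.252
set deviceconfig high-availability interface ha2 port ethernet1/5
commit

# PA-02 (Passive): identical except for the HA1 address, the peer IP and the priority
set network interface ethernet ethernet1/4 ha
set network interface ethernet ethernet1/5 ha
set deviceconfig high-availability enabled yes
set deviceconfig high-availability group group-id 10
set deviceconfig high-availability group mode active-passive passive-link-state auto
set deviceconfig high-availability group peer-ip 172.16.1.1
set deviceconfig high-availability group election-option device-priority 100
set deviceconfig high-availability group election-option preemptive yes
set deviceconfig high-availability interface ha1 port ethernet1/4
set deviceconfig high-availability interface ha1 ip-address 172.16.1.2
set deviceconfig high-availability interface ha1 netmask 255.255.255.252
set deviceconfig high-availability interface ha2 port ethernet1/5
commit

# Verify from operational mode on either unit
show high-availability state
show high-availability all
```

The HA settings under Device >> High Availability are not themselves synchronized between the peers, so this part has to be entered on both firewalls; everything else is pushed by the sync described below. To test failover once the pair is up, `request high-availability state suspend` on the Active unit forces the Passive unit to take over, and `request high-availability state functional` brings the suspended unit back.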
An easy way to verify the HA status is Dashboard >> Widgets >> System >> High Availability.
You can see that our Active/Passive HA has already formed; however, the configuration is not synchronized yet. We can follow the steps below to sync the configuration from the Active unit to the Passive unit.
Just click "Sync to peer". This pushes the running configuration from the Active unit to the Passive unit and commits it there. Run the sync from the firewall whose configuration is authoritative, because the peer's candidate configuration is overwritten.
Alternatively, run the command below from the CLI of the Active firewall:
admin@PA-ACTIVE(active)> request high-availability sync-to-remote running-config
Executing this command will overwrite the candidate configuration on the peer and trigger a commit on the peer. Do you want to continue(y/n)? (y or n) y
HA synchronization job has been queued on peer. Please check job status on peer.
admin@PA-ACTIVE(active)>
Here is the final output of the HA widget, now showing the running configuration as synchronized.