Configure Active/Passive HA in Palo Alto Firewall

High availability (HA) is a deployment in which two firewalls are placed in a group and their configuration is synchronized, so that the network has no single point of failure. In this lesson, we will configure Active/Passive HA on Palo Alto firewalls.

Prerequisites:

  • Same firewall model running the same PAN-OS version.
  • Same Applications, Threat, Antivirus and GlobalProtect content versions on both firewalls.
  • Identical licenses on both firewalls.

You can read the full list of prerequisites in the Palo Alto Networks administrator's guide.
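Before forming the pair it is worth checking the prerequisites above programmatically rather than by eye. The script below is an added example and is not part of the original tutorial: it compares the model, PAN-OS version, content versions and licensed features of two firewalls using the XML returned by the PAN-OS XML API operational commands "show system info" and "request license info". The two sample responses are constructed and trimmed (the version strings are placeholders), and the field names used for the comparison are the ones those commands return.

```python
"""Added example: verify two Palo Alto firewalls meet the Active/Passive HA
prerequisites (same model, PAN-OS, content versions and licenses).
Not part of the original tutorial; sample XML below is constructed."""

import xml.etree.ElementTree as ET

# 'show system info' fields that must be identical on both HA peers
HA_MATCH_FIELDS = {
    "model": "firewall model",
    "sw-version": "PAN-OS version",
    "app-version": "Applications content version",
    "threat-version": "Threat content version",
    "av-version": "Antivirus content version",
    "global-protect-client-package-version": "GlobalProtect client package version",
}


def parse_system_info(xml_text: str) -> dict:
    """Extract the HA-relevant fields from a 'show system info' API response."""
    root = ET.fromstring(xml_text)
    system = root.find("./result/system")
    if system is None:
        raise ValueError("response has no <result><system> element")
    info = {}
    for tag in HA_MATCH_FIELDS:
        node = system.find(tag)
        info[tag] = node.text.strip() if node is not None and node.text else None
    return info


def parse_licenses(xml_text: str) -> set:
    """Return the set of non-expired licensed features from 'request license info'."""
    root = ET.fromstring(xml_text)
    return {
        entry.findtext("feature", "").strip()
        for entry in root.findall("./result/licenses/entry")
        if entry.findtext("expired", "no").strip() != "yes"
    }


def ha_prerequisite_report(info_a: dict, lic_a: set, info_b: dict, lic_b: set) -> list:
    """List every failed prerequisite as (item, value on A, value on B).
    An empty list means the two units may be paired."""
    problems = []
    for tag, label in HA_MATCH_FIELDS.items():
        if info_a.get(tag) != info_b.get(tag):
            problems.append((label, info_a.get(tag), info_b.get(tag)))
    if lic_a != lic_b:
        # report what each side has that the other lacks
        problems.append(("licenses", sorted(lic_a - lic_b), sorted(lic_b - lic_a)))
    return problems


# --- constructed sample responses (placeholders, not captured output) ---
PA01_SYSINFO = """<response status="success"><result><system>
<model>PA-VM</model><sw-version>10.1.0</sw-version>
<app-version>8500-0000</app-version><threat-version>8500-0000</threat-version>
<av-version>4000-0000</av-version>
<global-protect-client-package-version>6.0.0</global-protect-client-package-version>
</system></result></response>"""

# PA-02 is one Threat content release behind PA-01
PA02_SYSINFO = PA01_SYSINFO.replace("<threat-version>8500-0000", "<threat-version>8499-0000")

PA01_LICENSES = """<response status="success"><result><licenses>
<entry><feature>Threat Prevention</feature><expired>no</expired></entry>
<entry><feature>GlobalProtect Gateway</feature><expired>no</expired></entry>
</licenses></result></response>"""

# PA-02 lacks the GlobalProtect Gateway license
PA02_LICENSES = """<response status="success"><result><licenses>
<entry><feature>Threat Prevention</feature><expired>no</expired></entry>
</licenses></result></response>"""


def run_check() -> list:
    """Run the comparison over the constructed samples and return the report."""
    return ha_prerequisite_report(
        parse_system_info(PA01_SYSINFO), parse_licenses(PA01_LICENSES),
        parse_system_info(PA02_SYSINFO), parse_licenses(PA02_LICENSES),
    )


if __name__ == "__main__":
    for item, a, b in run_check():
        print(f"MISMATCH {item}: PA-01={a} PA-02={b}")
```

On real firewalls the XML comes from `https://<firewall>/api/?type=op&cmd=<show><system><info></info></system></show>&key=<api-key>` (and the equivalent `<request><license><info></info></license></request>`); the parsing functions accept that response body unchanged.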

LAB Diagram:

[Figure: lab diagram]

Active/Passive HA Configuration in Palo Alto Firewall:

HA Ports:

Our firewalls do not have dedicated HA1 and HA2 ports, so we will use ethernet1/4 as HA1 and ethernet1/5 as HA2. To do this, go to Network >> Interface >> Ethernet and change the interface type of ethernet1/4 and ethernet1/5 to HA, as shown below.


[Figure: changing the interface type]

The result looks like this:

PA-01:
[Figure: interface changed to HA, active node]

PA-02:
[Figure: interface changed to HA, standby node]

Control Plane Configuration

Next, go to Device >> High Availability. Click the gear icon at the top right of the Control Link (HA1) section and declare ethernet1/4 as the control plane link (HA1), as decided earlier.

[Figure: control plane link settings]

We will use 172.16.1.0/30 for the HA1 link. Below is the configuration of the Active and Passive nodes. The link is point-to-point, so no gateway is needed.

PA-01:
[Figure: control plane link, active node]

PA-02:
[Figure: control plane link, passive node]

Data Link Configuration:

On the same page (Device >> High Availability), click the gear icon at the top right of the Data Link (HA2) section.

[Figure: data link (HA2) settings]

In our case, ethernet1/5 is the HA2 link. It is directly connected, so the transport mode is ethernet and no IP address needs to be specified. If your data link instead crosses a Layer 3 network, you must specify IP details.

Group Configuration:

Next, enable HA, set the Group ID and enter the Peer HA1 IP Address. Below is the configuration of PA-01.

[Figure: HA setup, active node]

Similarly, enable HA on PA-02, provide the same Group ID (10) and set the Peer HA1 IP address to 172.16.1.1.

Priority and Preemption:

This section is optional but recommended. Here we set the device priority so that PA-01 is preferred as the Active unit, and enable preemption so that PA-01 handles traffic whenever it is up and running. The firewall with the lower priority value becomes Active and the other firewall is Passive.

Note: If you do not change the device priority (so both firewalls have the same value), the firewall with the lowest MAC address on the HA1 link becomes Active.

PA-01:
[Figure: HA election settings, active node]

PA-02:
[Figure: HA election settings, standby node]

IMPORTANT: Do not forget to commit your configuration on both firewalls.

Verify:

The easiest way to verify the HA status is Dashboard >> Widgets >> System >> High Availability.

[Figure: HA widget showing the Active/Passive pair]

The Active/Passive HA pair has formed. However, the configuration has not been synchronized yet. Either of the options below synchronizes the configuration from the Active unit to the Passive unit.

Option 1:
Click “Sync to peer”. This synchronizes the configuration from the Active unit to the Passive unit.

Option 2:
Run the following command on the Active unit:

admin@PA-ACTIVE(active)> request high-availability sync-to-remote running-config

Executing this command will overwrite the candidate configuration on the peer and trigger a commit on the peer. Do you want to continue(y/n)? (y or n) y

HA synchronization job has been queued on peer. Please check job status on peer.

admin@PA-ACTIVE(active)>

Here is the final output of HA widget.

[Figure: HA widget after synchronization]

15 thoughts on “Configure Active/Passive HA in Palo Alto Firewall”

  1. Hi Rajib,
    With this setup we can access the passive Unit of the HA pair locally. Do you know if there is a way we can access the passive unit remotely?

    Thanks,
    Mike

  2. Hello sir, I configured HA and everything is working perfectly, but after suspending my PA1 it waits up to 300 sec to forward traffic from PA2, meaning it waits for the MAC table aging time.

  3. Thanks for the response.

    Sorry, I should have been clearer. In the last picture the peer (passive) IP is shown as 10.1.1.33. I presume we can use that IP to log in to the passive unit. I was wondering how we can use an UNTRUST IP to access the passive peer. My understanding is that we can only use the Management IP to connect to the passive node.
