<h1>Configure Active/Passive HA on Palo Alto Firewalls</h1>

<p>Published 2022-12-06 on SUMMALAI.COM.</p>

<p>The following procedure shows how to configure a pair of firewalls in an active/passive deployment as depicted in the following example topology.</p>

<figure class="wp-block-image"><img decoding="async" src="https://docs.paloaltonetworks.com/content/dam/techdocs/en_US/dita/_graphics/10-1/ha/HA_topology.png/jcr:content/renditions/original" alt="Active/passive HA example topology"/></figure>

<p>To configure an active/passive HA pair, first complete the following workflow on the first firewall and then repeat the steps on the second firewall.</p>

<ol class="wp-block-list">
<li>Connect the HA ports to set up a physical connection between the firewalls.
<ul>
<li>For firewalls with dedicated HA ports, use an Ethernet cable to connect the dedicated HA1 ports and the HA2 ports on the peers. Use a crossover cable if the peers are directly connected to each other.</li>
<li>For firewalls without dedicated HA ports, select two data interfaces for the HA2 link and the backup HA1 link. Then, use an Ethernet cable to connect these in-band HA interfaces across both firewalls. Use the management port for the HA1 link and ensure that the management ports can connect to each other across your network.</li>
</ul>
</li>
<li>Enable ping on the management port. Enabling ping allows the management port to exchange heartbeat backup information.
<ol>
<li>Select <strong>Device &gt; Setup &gt; Management</strong> and edit the Management Interface Settings.</li>
<li>Select <strong>Ping</strong> as a service that is permitted on the interface.</li>
</ol>
</li>
<li>If the firewall does not have dedicated HA ports, set up the data ports to function as HA ports. For firewalls with dedicated HA ports, continue to the next step.
<ol>
<li>Select <strong>Network &gt; Interfaces</strong>.</li>
<li>Confirm that the link is up on the ports that you want to use.</li>
<li>Select the interface and set <strong>Interface Type</strong> to <strong>HA</strong>.</li>
<li>Set the <strong>Link Speed</strong> and <strong>Link Duplex</strong> settings, as appropriate.</li>
</ol>
</li>
<li>Set the HA mode and group ID.
<ol>
<li>Select <strong>Device &gt; High Availability &gt; General</strong> and edit the Setup section.</li>
<li>Set a <strong>Group ID</strong> and optionally a <strong>Description</strong> for the pair. The Group ID uniquely identifies each HA pair on your network. If you have multiple HA pairs that share the same broadcast domain, you must set a unique Group ID for each pair.</li>
<li>Set the mode to <strong>Active Passive</strong>.</li>
</ol>
</li>
<li>Set up the control link connection. This example shows an in-band port that is set to interface type HA. For firewalls that use the management port as the control link, the IP address information is automatically pre-populated.
<ol>
<li>In <strong>Device &gt; High Availability &gt; General</strong>, edit the Control Link (HA1) section.</li>
<li>Select the <strong>Port</strong> that you have cabled for use as the HA1 link.</li>
<li>Set the <strong>IPv4/IPv6 Address</strong> and <strong>Netmask</strong>. If the HA1 interfaces are on separate subnets, enter the IP address of the <strong>Gateway</strong>. Do not add a gateway address if the firewalls are directly connected or are on the same VLAN.</li>
</ol>
</li>
<li>(Optional) Enable encryption for the control link connection. This is typically used to secure the link if the two firewalls are not directly connected, that is, if the ports are connected to a switch or a router.
<ol>
<li>Export the HA key from one firewall and import it into the peer firewall.
<ol>
<li>Select <strong>Device &gt; Certificate Management &gt; Certificates</strong>.</li>
<li>Select <strong>Export HA key</strong>. Save the HA key to a network location that the peer can access.</li>
<li>On the peer firewall, select <strong>Device &gt; Certificate Management &gt; Certificates</strong>, and select <strong>Import HA key</strong> to browse to the location where you saved the key and import it into the peer.</li>
<li>Repeat this process on the second firewall to exchange HA keys on both devices.</li>
</ol>
</li>
<li>Select <strong>Device &gt; High Availability &gt; General</strong> and edit the Control Link (HA1) section.</li>
<li>Select <strong>Encryption Enabled</strong>. If you enable encryption, after you finish configuring the HA firewalls, you can <a href="https://docs.paloaltonetworks.com/content/techdocs/en_US/pan-os/10-1/pan-os-admin/high-availability/refresh-ha1-ssh-keys-and-configure-key-options.html#idf58348b2-b027-4864-8173-6a3ce3a98f8d">Refresh HA1 SSH Keys and Configure Key Options</a>.</li>
</ol>
</li>
<li>Set up the backup control link connection.
<ol>
<li>In <strong>Device &gt; High Availability &gt; General</strong>, edit the Control Link (HA1 Backup) section.</li>
<li>Select the HA1 backup interface and set the <strong>IPv4/IPv6 Address</strong> and <strong>Netmask</strong>. PA-3200 Series firewalls do not support an IPv6 address for the HA1 backup control link; use an IPv4 address.</li>
</ol>
</li>
<li>Set up the data link connection (HA2) and the backup HA2 connection between the firewalls.
<ol>
<li>In <strong>Device &gt; High Availability &gt; General</strong>, edit the Data Link (HA2) section.</li>
<li>Select the <strong>Port</strong> to use for the data link connection.</li>
<li>Select the <strong>Transport</strong> method. The default is <strong>ethernet</strong>, and it works when the HA pair is connected directly or through a switch. If you need to route the data link traffic through the network, select <strong>IP</strong> or <strong>UDP</strong> as the transport mode.</li>
<li>If you use IP or UDP as the transport method, enter the <strong>IPv4/IPv6 Address</strong> and <strong>Netmask</strong>.</li>
<li>Verify that <strong>Enable Session Synchronization</strong> is selected.</li>
<li>Select <strong>HA2 Keep-alive</strong> to enable monitoring on the HA2 data link between the HA peers. If a failure occurs based on the threshold that is set (default is 10000 ms), the defined action will occur. For an active/passive configuration, a critical system log message is generated when an HA2 keep-alive failure occurs. You can configure the HA2 keep-alive option on both firewalls, or on just one firewall in the HA pair. If the option is enabled on only one firewall, only that firewall will send the keep-alive messages; the other firewall will be notified if a failure occurs.</li>
<li>Edit the <strong>Data Link (HA2 Backup)</strong> section, select the interface, and add the <strong>IPv4/IPv6 Address</strong> and <strong>Netmask</strong>.</li>
</ol>
</li>
<li>Enable heartbeat backup if your control link uses a dedicated HA port or an in-band port. You do not need to enable heartbeat backup if you are using the management port for the control link.
<ol>
<li>In <strong>Device &gt; High Availability &gt; General</strong>, edit the Election Settings.</li>
<li>Select <strong>Heartbeat Backup</strong>. To allow the heartbeats to be transmitted between the firewalls, you must verify that the management ports of both peers can route to each other. Enabling heartbeat backup also allows you to prevent a split-brain situation. Split brain occurs when the HA1 link goes down, causing the firewall to miss heartbeats although the peer is still functioning. In such a situation, each peer believes that the other is down and attempts to start the services that are running, thereby causing a split brain. When the heartbeat backup link is enabled, split brain is prevented because redundant heartbeats and hello messages are transmitted over the management port.</li>
</ol>
</li>
<li>Set the device priority and enable preemption. This setting is only required if you wish to make sure that a specific firewall is the preferred active firewall. For information, see <a href="https://docs.paloaltonetworks.com/content/techdocs/en_US/pan-os/10-1/pan-os-admin/high-availability/ha-concepts/device-priority-and-preemption.html#id20157de6-58e6-440e-8f07-0630dcda4fb3">Device Priority and Preemption</a>.
<ol>
<li>In <strong>Device &gt; High Availability &gt; General</strong>, edit the Election Settings.</li>
<li>Set the numerical value in <strong>Device Priority</strong>. Make sure to set a lower numerical value on the firewall to which you want to assign a higher priority. If both firewalls have the same device priority value, the firewall with the lowest MAC address on the HA1 control link will become the active firewall.</li>
<li>Select <strong>Preemptive</strong>. You must enable preemptive on both the active firewall and the passive firewall.</li>
</ol>
</li>
<li>(Optional) Modify the <a href="https://docs.paloaltonetworks.com/content/techdocs/en_US/pan-os/10-1/pan-os-admin/high-availability/ha-concepts/ha-timers.html#idcc1faa1c-5cd8-4830-90da-93e8effab23d">HA Timers</a>. By default, the HA timer profile is set to the <strong>Recommended</strong> profile, which is suited for most HA deployments.
<ol>
<li>In <strong>Device &gt; High Availability &gt; General</strong>, edit the Election Settings.</li>
<li>Select the <strong>Aggressive</strong> profile for triggering failover faster; select <strong>Advanced</strong> to define custom values for triggering failover in your setup. To view the preset value for an individual timer included in a profile, select <strong>Advanced</strong> and click <strong>Load Recommended</strong> or <strong>Load Aggressive</strong>. The preset values for your hardware model will be displayed on screen.</li>
</ol>
</li>
<li>(Optional) Modify the link status of the HA ports on the passive firewall. The passive link state is <strong>shutdown</strong> by default. After you enable HA, the link state for the HA ports on the active firewall will be green and those on the passive firewall will be down and display as red. Setting the link state to <strong>Auto</strong> reduces the amount of time it takes for the passive firewall to take over when a failover occurs and allows you to monitor the link state. To enable the link status on the passive firewall to stay up and reflect the cabling status on the physical interface:
<ol>
<li>In <strong>Device &gt; High Availability &gt; General</strong>, edit the Active Passive Settings.</li>
<li>Set the <strong>Passive Link State</strong> to <strong>Auto</strong>. The auto option decreases the amount of time it takes for the passive firewall to take over when a failover occurs. Although the interface displays green (as cabled and up), it continues to discard all traffic until a failover is triggered. When you modify the passive link state, make sure that the adjacent devices do not forward traffic to the passive firewall based only on the link status of the firewall.</li>
</ol>
</li>
<li>Enable HA.
<ol>
<li>Select <strong>Device &gt; High Availability &gt; General</strong> and edit the Setup section.</li>
<li>Select <strong>Enable HA</strong>.</li>
<li>Select <strong>Enable Config Sync</strong>. This setting enables the synchronization of the configuration settings between the active and the passive firewall.</li>
<li>Enter the IP address assigned to the control link of the peer in <strong>Peer HA1 IP Address</strong>. For firewalls without dedicated HA ports, if the peer uses the management port for the HA1 link, enter the management port IP address of the peer.</li>
<li>Enter the <strong>Backup HA1 IP Address</strong>.</li>
</ol>
</li>
<li>(Optional) Enable <a href="https://docs.paloaltonetworks.com/content/techdocs/en_US/pan-os/10-1/pan-os-admin/high-availability/ha-concepts/lacp-and-lldp-pre-negotiation-for-activepassive-ha.html#id2c171a8c-cc16-4c05-9b03-a47a57cf07e2">LACP and LLDP Pre-Negotiation for Active/Passive HA</a> for faster failover if your network uses LACP or LLDP. Enable <a href="https://docs.paloaltonetworks/pan-os/10-1/pan-os-networking-admin/configure-interfaces/configure-an-aggregate-interface-group.html" target="_blank" rel="noreferrer noopener">LACP</a> and <a href="https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/lldp/configure-lldp.html" target="_blank" rel="noreferrer noopener">LLDP</a> before configuring HA pre-negotiation for the protocol if you want pre-negotiation to function in active mode.
<ol>
<li>Ensure that in Step <a href="https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/high-availability/set-up-activepassive-ha/configure-activepassive-ha#id2351b088-8534-472b-9f43-34744c9075ec_idf87c38e3-ccd4-4a05-9fc4-d3e1560f36ce">12</a> you set the link state to <strong>Auto</strong>.</li>
<li>Select <strong>Network &gt; Interfaces &gt; Ethernet</strong>.</li>
<li>To enable LACP active pre-negotiation:
<ol>
<li>Select an AE interface in a Layer 2 or Layer 3 deployment.</li>
<li>Select the <strong>LACP</strong> tab.</li>
<li>Select <strong>Enable in HA Passive State</strong>.</li>
<li>Click <strong>OK</strong>. You cannot also select <strong>Same System MAC Address for Active-Passive HA</strong>, because pre-negotiation requires unique interface MAC addresses on the active and passive firewalls.</li>
</ol>
</li>
<li>To enable LACP passive pre-negotiation:
<ol>
<li>Select an Ethernet interface in a virtual wire deployment.</li>
<li>Select the <strong>Advanced</strong> tab.</li>
<li>Select the <strong>LACP</strong> tab.</li>
<li>Select <strong>Enable in HA Passive State</strong>.</li>
<li>Click <strong>OK</strong>.</li>
</ol>
</li>
<li>To enable LLDP active pre-negotiation:
<ol>
<li>Select an Ethernet interface in a Layer 2, Layer 3, or virtual wire deployment.</li>
<li>Select the <strong>Advanced</strong> tab.</li>
<li>Select the <strong>LLDP</strong> tab.</li>
<li>Select <strong>Enable in HA Passive State</strong>.</li>
<li>Click <strong>OK</strong>. If you want to allow LLDP passive pre-negotiation for a virtual wire deployment, perform Step <a href="https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/high-availability/set-up-activepassive-ha/configure-activepassive-ha#id2351b088-8534-472b-9f43-34744c9075ec_idf8db2913-4497-4ed7-be0e-ef76451c55bd">14.e</a> but do not enable LLDP itself.</li>
</ol>
</li>
</ol>
</li>
<li>Save your configuration changes. Click <strong>Commit</strong>.</li>
<li>After you finish configuring both firewalls, verify that the firewalls are paired in active/passive HA.
<ol>
<li>Access the <strong>Dashboard</strong> on both firewalls, and view the High Availability widget.</li>
<li>On the active firewall, click the <strong>Sync to peer</strong> link.</li>
<li>Confirm that the firewalls are paired and synced, as follows:
<ul>
<li>On the passive firewall: the state of the local firewall should display <strong>passive</strong> and the Running Config should show as <strong>synchronized</strong>.</li>
<li>On the active firewall: the state of the local firewall should display <strong>active</strong> and the Running Config should show as <strong>synchronized</strong>.</li>
</ul>
</li>
</ol>
</li>
</ol>

<p>Ref: <a href="https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/high-availability/set-up-activepassive-ha/configure-activepassive-ha">Configure Active/Passive HA (paloaltonetworks.com)</a></p>